Severity: 5.3 MEDIUM (NVD)
EPSS: 0.3% (top 43.46%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 31; Latest update Sep 3

Description

A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L (Exploitability: 3.9 | Impact: 1.4)

Affected Packages (12 packages)

Source | Package | Version(s) | More
debian | debian/jruby | < jruby 9.4.5.0+ds-1 (forky) | +1
NVD | ruby-lang/uri | 0.11.0 | 0.12.2 | +5
RubyGems | ruby-lang/uri | 0.10.1 | 0.10.3 | +7
debian | debian/ruby2.7 | < jruby 9.4.5.0+ds-1 (forky) | +1
debian | debian/ruby3.1 | < jruby 9.4.5.0+ds-1 (forky) | +1

Also affects: Debian Linux 10.0, Fedora 36, 37, 38

Vulnerability Details (11)

OSV: rubygems vulnerabilities (2025-09-03)
OSV: ruby2.3, ruby2.5, ruby2.7, ruby3.0, ruby3.1 vulnerabilities (2023-07-12)
OSV: URI gem has ReDoS vulnerability (2023-06-29)
OSV: CVE-2023-36617: A ReDoS issue was discovered in the URI component before 0 (2023-06-29)
GHSA: URI gem has ReDoS vulnerability (2023-06-29)

Vendor Advisories (12)

Ubuntu: RubyGems vulnerabilities (2025-09-03)
CISA ICS: Siemens SCALANCE XCM-/XRM-300 (2024-02-15)
Ubuntu: Ruby vulnerabilities (2023-07-12)
Red Hat: rubygem-uri: ReDoS vulnerability - upstream's incomplete fix for CVE-2023-28755 (2023-06-29)
Ubuntu: Ruby vulnerabilities (2023-06-21)

Community (1)

HackerOne: CVE-2023-28755: ReDoS vulnerability in URI (2023-04-26)