CVE-2023-28756: ReDoS vulnerability in Time
Posted by hsbt on 30 Mar 2023
We have released time gem versions 0.1.1 and 0.2.2, which include a security fix for a ReDoS vulnerability. This vulnerability has been assigned the CVE identifier CVE-2023-28756.
Details
The Time parser mishandles invalid strings containing specific characters, which causes an increase in execution time when parsing such strings into Time objects.
This ReDoS issue was discovered in time gem versions 0.1.0 and 0.2.1 and in the Time library of Ruby 2.7.7.
Recommended action
We recommend updating the time gem to version 0.2.2 or later. To stay compatible with the version bundled in older Ruby series, you may instead update as follows:
- For Ruby 3.0 users: Update to time 0.1.1
- For Ruby 3.1/3.2 users: Update to time 0.2.2
You can run gem update time to update it. If you are using Bundler, add gem "time", ">= 0.2.2" to your Gemfile.
Unfortunately, the time gem only works with Ruby 3.0 or later. If you are using Ruby 2.7, please use the latest version of Ruby.
Affected versions
- Ruby 2.7.7 or lower
- time gem 0.1.0
- time gem 0.2.1
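The following is an added example, not code from the advisory or the time gem itself. It encodes the affected/fixed versions listed above into a check you can run in CI or at boot, and adds a defensive wrapper around Time.parse (input length cap plus a timeout) for hosts that cannot upgrade immediately. The helper names, the length cap and the assumption that every release below the fixed version of a series is affected are mine; the advisory itself only lists 0.1.0 and 0.2.1.

```ruby
require "rubygems"
require "time"
require "timeout"

# Fixed time gem versions from the advisory, keyed by Ruby series.
FIXED_TIME_GEM = { "3.0" => "0.1.1", "3.1" => "0.2.2", "3.2" => "0.2.2" }.freeze
LAST_AFFECTED_RUBY = Gem::Version.new("2.7.7")   # "Ruby 2.7.7 or lower"

# Fixed time gem version to install for a given Ruby version string.
# Returns nil for Ruby 2.7 and older: the gem needs Ruby 3.0+, so upgrade Ruby.
def recommended_time_gem(ruby_version)
  v = Gem::Version.new(ruby_version)
  return nil if v < Gem::Version.new("3.0")
  return "0.1.1" if v < Gem::Version.new("3.1")
  "0.2.2"
end

# True when the combination is vulnerable to CVE-2023-28756.
# Assumption (mine): anything below the fixed version of its series is treated
# as affected, which is the conservative reading of the advisory's version list.
def affected?(ruby_version:, time_gem_version:)
  rv = Gem::Version.new(ruby_version)
  return true if rv <= LAST_AFFECTED_RUBY          # bundled Time library is affected
  fixed = recommended_time_gem(ruby_version)
  return false if fixed.nil?                       # 2.7.8+ and no gem: out of scope here
  return true if time_gem_version.nil?             # no gem pinned: bundled version, assume old
  Gem::Version.new(time_gem_version) < Gem::Version.new(fixed)
end

# Check the running interpreter against the gem it actually loaded.
def running_environment_affected?
  loaded = Gem.loaded_specs["time"]
  affected?(ruby_version: RUBY_VERSION, time_gem_version: loaded && loaded.version.to_s)
end

# Mitigation while an upgrade is pending: refuse oversized input and bound
# parse time. Legitimate timestamps are short; pathological ReDoS input is not.
MAX_TIME_STRING = 64   # constructed cap, tune for your formats
def safe_parse(str, max_len: MAX_TIME_STRING, seconds: 1)
  raise ArgumentError, "time string too long (#{str.length} > #{max_len})" if str.length > max_len
  Timeout.timeout(seconds) { Time.parse(str) }
end

if __FILE__ == $PROGRAM_NAME
  puts "affected: #{running_environment_affected?} (ruby #{RUBY_VERSION})"
  puts safe_parse("2023-03-30 11:00:00 UTC").iso8601
end
```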
Credits
Thanks to ooooooo_q for discovering this issue.
History
- Originally published at 2023-03-30 11:00:00 (UTC)