Posted by mame on 15 Nov 2021
We have released date gem version 3.2.1, 3.1.2, 3.0.2, and 2.0.1 that include a security fix for a regular expression denial of service vulnerability (ReDoS) on date parsing methods. An attacker can exploit this vulnerability to cause an effective DoS attack. This vulnerability has been assigned the CVE identifier CVE-2021-41817.
Date’s parsing methods including
Date.parse are using Regexps internally, some of which are vulnerable against regular expression denial of service. Applications and libraries that apply such methods to untrusted input may be affected.
The fix limits the input length up to 128 bytes by default instead of changing the regexps. This is because Date gem uses many Regexps and it is possible that there are still undiscovered vulnerable Regexps. For compatibility, it is allowed to remove the limitation by explicitly passing
limit keywords as
Date.parse(str, limit: nil), but note that it may take a long time to parse.
Please update the date gem to version 3.2.1, 3.1.2, 3.0.2, and 2.0.1, or later. You can use
gem update date to update it. If you are using bundler, please add
gem "date", ">= 3.2.1" to your
Alternatively, you can update Ruby to 3.0.3, 2.7.5, 2.6.9 or later.
- date gem 2.0.0 or prior (which are bundled versions with Ruby 2.6 series prior to Ruby 2.6.9)
- date gem 3.0.1 or prior (which are bundled versions with Ruby 2.7 series prior to Ruby 2.7.5)
- date gem 3.1.1 or prior (which are bundled versions with Ruby 3.0 series prior to Ruby 3.0.3)
- date gem 3.2.0 or prior
Thanks to svalkanov for discovering this issue.
- Originally published at 2021-11-15 08:00:00 (UTC)
- Mention about new Ruby releases at 2021-11-24 13:20:00 (UTC)