Posted by hsbt on 28 Mar 2023
We have released the uri gem version 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1 that has a security fix for a ReDoS vulnerability. This vulnerability has been assigned the CVE identifier CVE-2023-28755.
A ReDoS issue was discovered in the URI component. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects.
uri gem version 0.12.0, 0.11.0, 0.10.1, 0.10.0 and all versions prior 0.10.0 are vulnerable for this vulnerability.
We recommend to update the
uri gem to 0.12.1. In order to ensure compatibility with bundled version in older Ruby series, you may update as follows instead:
- For Ruby 2.7: Update to
- For Ruby 3.0: Update to
- For Ruby 3.1: Update to
- For Ruby 3.2: Update to
You can use
gem update uri to update it. If you are using bundler, please add
gem "uri", ">= 0.12.1" (or other version mentioned above) to your
- uri gem 0.12.0
- uri gem 0.11.0
- uri gem 0.10.1
- uri gem 0.10.0 or before
Thanks to Dominic Couture for discovering this issue.
- Originally published at 2023-03-28 01:00:00 (UTC)
- Update Affected versions at 2023-03-28 02:00:00 (UTC)
- Update CVE identifier url at 2023-03-28 04:00:00 (UTC)