
Critical ReDoS Vulnerability in Ruby URI Gem Requires Immediate Attention


Author: Himanshu Saxena


Introduction:
A Regular Expression Denial of Service (ReDoS) issue has been disclosed in the URI component of Ruby, the uri gem, tracked as CVE-2023-36617. The vulnerability affects uri gem versions up to and including 0.12.1 and stems from the way the parser handles invalid URLs containing specific characters: parsing such a string into a URI object with URI.parse (or URI()) takes disproportionately long, in both the RFC 2396 and RFC 3986 parsers (rfc2396_parser.rb and rfc3986_parser.rb). Any application that parses attacker-controlled strings, such as request URLs, redirect targets or user-submitted links, can therefore be tied up by crafted input. The impact is availability only; the flaw does not lead to code execution or data disclosure.

Background:
The vulnerability exists because the earlier ReDoS fix for CVE-2023-28755, shipped in uri 0.12.1, was incomplete and left some inputs with the same pathological parsing behaviour. Since the uri gem is a default gem bundled with every Ruby release and is loaded indirectly by most HTTP clients, web frameworks and URL validators, applications are exposed even if they never declare uri as an explicit dependency.
</gre_replace>
<gr_replace lines="17-18" cat="clarify" orig="Recommended Action:">
Recommended Action:
To mitigate the issue, update the uri gem to version 0.12.2. Because each Ruby series bundles its own uri version, the advisory also lists the minimum patched release that stays compatible with older series:

Recommended Action:
To mitigate the risks associated with this vulnerability, it is strongly advised to update the uri gem to version 0.12.2. However, for users needing compatibility with older Ruby series, specific update instructions have been provided:

- For Ruby 3.0: Update to uri 0.10.3
- For Ruby 3.1: Update to uri 0.12.2
- For Ruby 3.2: Update to uri 0.12.2 or upgrade to Ruby 3.2.3

The update can be performed with `gem update uri`. Since uri is a default gem, this installs the newer version alongside the bundled copy, and `require "uri"` then picks the higher version. For applications using Bundler, add `gem "uri", ">= 0.12.2"` (or the version corresponding to the Ruby series above) to the Gemfile and run `bundle update uri` so that Gemfile.lock records the patched release.

Affected Versions:
The vulnerability is present in uri gem versions 0.12.1 and earlier, which includes the copies bundled with Ruby 3.0, 3.1 and 3.2 releases prior to 3.2.3. To see which version an application actually loads, run `ruby -ruri -e 'puts URI::VERSION'` (or the same under `bundle exec`) and compare the result against the patched version for the Ruby series in use; `gem list uri` shows every installed copy but not which one wins at load time.
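As an added example, not code from the advisory or from the uri gem itself, the following Ruby script encodes the per-series patched versions listed above and reports whether the interpreter it runs under loads a vulnerable uri gem. It compares with Gem::Version rather than string comparison, so a future 0.12.10 correctly sorts above 0.12.2. The fallback of 0.12.2 for Ruby series the advisory does not name is an assumption made for this example.

```ruby
require "rubygems"
require "uri"

# Minimum patched uri gem version per Ruby series, as listed in the advisory
# (0.10.3 for the 3.0 series, 0.12.2 for 3.1 and 3.2). Any other series falls
# back to 0.12.2; that fallback is an assumption of this example, not part of
# the advisory.
FIXED_URI_VERSION = {
  "3.0" => Gem::Version.new("0.10.3"),
  "3.1" => Gem::Version.new("0.12.2"),
  "3.2" => Gem::Version.new("0.12.2"),
}.freeze
DEFAULT_FIXED_URI_VERSION = Gem::Version.new("0.12.2")

# "3.1.4" -> "3.1"
def ruby_series(ruby_version)
  ruby_version.split(".").first(2).join(".")
end

# Patched uri version to compare against for a given interpreter version.
def required_uri_version(ruby_version)
  FIXED_URI_VERSION.fetch(ruby_series(ruby_version), DEFAULT_FIXED_URI_VERSION)
end

# true when the given uri version is older than the patched release for that
# Ruby series. Gem::Version compares segment by segment, so "0.12.10" sorts
# after "0.12.2"; a plain String comparison would get that backwards.
def uri_vulnerable?(uri_version, ruby_version)
  Gem::Version.new(uri_version) < required_uri_version(ruby_version)
end

# Inspect the interpreter this script runs under. URI::VERSION is defined by
# the uri gem (lib/uri/version.rb), so it reflects whichever copy was actually
# loaded: the default gem bundled with Ruby, or a newer one installed with
# `gem update uri` that shadows it.
def check_runtime
  {
    ruby_version: RUBY_VERSION,
    uri_version: URI::VERSION,
    required: required_uri_version(RUBY_VERSION).to_s,
    vulnerable: uri_vulnerable?(URI::VERSION, RUBY_VERSION),
  }
end

if __FILE__ == $PROGRAM_NAME
  r = check_runtime
  status = r[:vulnerable] ? "VULNERABLE (update to uri >= #{r[:required]})" : "patched"
  puts "Ruby #{r[:ruby_version]}, uri #{r[:uri_version]}: #{status}"
end
```

Run it with `bundle exec ruby check_uri.rb` inside the application so that Bundler's resolution, not the system gem set, decides which uri copy is loaded; the result then matches what the application itself sees.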

Acknowledgments:
The vulnerability was reported by ooooooo_q. Thanks were also extended to nobu for fixing the issue promptly.

Timeline:
- Originally published: 2023-06-29 01:00:00 (UTC)
- Recommended action for Ruby 3.2 updated to include Ruby 3.2.3: 2024-01-18 12:00:00 (UTC)

Conclusion:
Because this is a denial-of-service flaw reachable through any untrusted string handed to URI.parse, and because the uri gem is loaded by most Ruby web stacks whether or not it is declared as a dependency, users and developers should apply the updates above promptly and verify which uri version their application actually loads rather than assuming the bundled copy has been replaced. The quick turnaround from report to fix shows the value of ongoing diligence in the Ruby security community.
