DescriptionA ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb. NOTE: this issue exists becuse of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
jruby (PTS)buster9.1.17.0-3vulnerable
buster (security)
ruby2.5 (PTS)buster2.5.5-3+deb10u4vulnerable
buster (security)2.5.5-3+deb10u6vulnerable
ruby2.7 (PTS)bullseye (security), bullseye2.7.4-1+deb11u1fixed
ruby3.1 (PTS)trixie, sid, bookworm3.1.2-7fixed
rubygems (PTS)bullseye3.2.5-2fixed
trixie, sid, bookworm3.3.15-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
jrubysourcebullseye(not affected)
jrubysourcebookworm(not affected)
ruby2.7source(unstable)(not affected)
ruby3.1source(unstable)(not affected)
rubygemssource(unstable)(not affected)


- rubygems <not-affected> (Incomplete fix never applied)
- ruby3.1 <not-affected> (Incomplete fix never applied)
- ruby2.7 <not-affected> (Incomplete fix never applied)
[buster] - ruby2.5 <postponed> (Minor issue, ReDoS)
[bookworm] - jruby <not-affected> (Incomplete fix never applied)
[bullseye] - jruby <not-affected> (Incomplete fix never applied)
[buster] - jruby <postponed> (Minor issue, ReDoS)

Search for package or bug name: Reporting problems