{"id":"CVE-2023-28755","details":"A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.","aliases":["GHSA-hv5j-3h9f-99c2"],"modified":"2026-04-10T04:57:15.948179Z","published":"2023-03-31T04:15:09.037Z","related":["ALSA-2023:3821","ALSA-2023:7025","ALSA-2024:1431","ALSA-2024:1576","ALSA-2024:3500","ALSA-2024:3838","ALSA-2024:4499","CGA-p527-8q57-2j5m","SUSE-SU-2023:4176-1","openSUSE-SU-2024:12828-1","openSUSE-SU-2024:12849-1","openSUSE-SU-2024:13623-1","openSUSE-SU-2025:14621-1","openSUSE-SU-2025:15819-1"],"references":[{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2025/05/msg00015.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QA6XUKUY7B5OLNQBLHOT43UW7C5NIOQQ/"},{"type":"WEB","url":"https://lists.debian.org/debian-lts-announce/2024/09/msg00000.html"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z/"},{"type":"WEB","url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T/"},{"type":"ADVISORY","url":"https://www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released/"},{"type":"ADVISORY","url":"https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/"},{"type":"ADVISORY","url":"https://security.gentoo.org/glsa/202401-27"},{"type":"ADVISORY","url":"https://www.ruby-lang.org/en/downloads/releases/"},{"type":"ADVISORY","url":"https://github.com/ruby/uri/releases/"},{"type":"ADVISORY","url":"https://lists.debian.org/debian-lts-announce/2023/04/msg00033.html"},{"type":"ADVISORY","url":"https://security.netapp.com/advisory/ntap-20230526-0003/"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/ruby/uri","events":[{"introduced":"0"},{"last_affected":"c86081f25ed7dfc132a0f2db1ece10999af7bbe2"},{"introduced":"0"},{"last_affected":"94e9ac5d5588718556bd1be1665d7ad60633b275"},{"introduced":"0"},{"last_affected":"1619f713e60ddffd238276e5f03f4f916074476b"},{"introduced":"0"},{"last_affected":"72f22716f86fe6bccf52c167cbb30e1a6e70aaca"}],"database_specific":{"versions":[{"introduced":"0"},{"last_affected":"0.10.0"},{"introduced":"0"},{"last_affected":"0.10.1"},{"introduced":"0"},{"last_affected":"0.11.0"},{"introduced":"0"},{"last_affected":"0.12.0"}]}}],"versions":["v0.10.0","v0.10.1","v0.11.0","v0.12.0"],"database_specific":{"unresolved_ranges":[{"events":[{"introduced":"0"},{"last_affected":"10.0"}]},{"events":[{"introduced":"0"},{"last_affected":"36"}]},{"events":[{"introduced":"0"},{"last_affected":"37"}]},{"events":[{"introduced":"0"},{"last_affected":"38"}]}],"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2023-28755.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}]}