CVE-2023-28755: Ruby-lang Uri DoS Vulnerability

CVE-2023-28755 Overview

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the URI component through version 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that contain specific characters, causing an exponential increase in execution time when parsing malformed strings to URI objects. This vulnerability allows remote attackers to cause denial of service conditions by supplying specially crafted URI strings that trigger catastrophic backtracking in the regex engine.

Critical Impact

Applications that parse user-supplied URLs without timeout protections are vulnerable to denial of service attacks that can consume significant CPU resources and degrade application performance.

Affected Products

• Ruby-lang URI versions up to and including 0.12.0
• Debian Linux 10.0
• Fedora 36, 37, and 38

Discovery Timeline

• 2023-03-28 - Ruby security team releases advisory for CVE-2023-28755
• 2023-03-31 - CVE-2023-28755 published to NVD
• 2025-11-04 - Last updated in NVD database

Technical Details for CVE-2023-28755

Vulnerability Analysis

The vulnerability exists within the URI parsing component of Ruby, specifically in how regular expressions are used to validate and parse URI strings. When the parser encounters malformed URLs containing specific character sequences, the regex engine enters a state of catastrophic backtracking. This occurs because the regular expression patterns used for URI parsing contain nested quantifiers or overlapping alternatives that cause exponential time complexity when processing certain input patterns.

The attack is network-exploitable and requires no authentication or user interaction. While the impact is limited to availability (denial of service), it can be particularly damaging in web applications that process user-supplied URLs, API endpoints that accept URI parameters, or any Ruby application that parses untrusted URI data.

Root Cause

The root cause is inefficient regular expression patterns within the URI component that exhibit polynomial or exponential time complexity when processing malformed input. Specifically, the regex patterns used for URI validation contain constructs that lead to excessive backtracking when the input does not match the expected format but contains characters that partially match multiple parts of the pattern.

ReDoS vulnerabilities typically occur when regular expressions contain:

• Nested quantifiers (e.g., (a+)+)
• Overlapping alternation patterns
• Repetition of groups that can match the same character sequences

The URI component's parsing logic triggers this behavior when processing invalid URLs with specific character combinations, causing the parsing operation to consume disproportionate CPU time.

Attack Vector

The attack can be executed remotely over the network by supplying a maliciously crafted URI string to any Ruby application that parses user-controlled URL input. The attacker does not require any privileges or authentication to exploit this vulnerability. Common attack scenarios include:

• Submitting malformed URLs through web form inputs
• Sending crafted URI parameters in API requests
• Including malicious URIs in data feeds or imports
• Exploiting any endpoint that performs URL validation or parsing

The vulnerability exploitation involves crafting URI strings with specific character patterns that maximize backtracking in the regex engine, causing parsing operations that normally complete in milliseconds to take seconds or minutes.

Detection Methods for CVE-2023-28755

Indicators of Compromise

• Unusual CPU spikes in Ruby application processes during URI parsing operations
• Increased response times or timeouts in endpoints that process URL parameters
• Application thread pool exhaustion with threads stuck in URI parsing methods
• Log entries showing timeouts or slow operations related to URL handling

Detection Strategies

• Monitor Ruby process CPU utilization for sustained high usage during URI parsing operations
• Implement request timeout monitoring to detect abnormally long-running URL processing
• Review application logs for timeout exceptions in URI-related code paths
• Use application performance monitoring (APM) to identify slow transactions involving URI parsing

Monitoring Recommendations

• Set up alerts for Ruby processes exceeding normal CPU thresholds
• Implement request-level timeouts with logging for URI parsing operations
• Monitor thread pool metrics for signs of exhaustion or blocking
• Track response time percentiles for endpoints that handle URL input

How to Mitigate CVE-2023-28755

Immediate Actions Required

• Update the URI gem to fixed versions: 0.12.1, 0.11.1, 0.10.2, or 0.10.0.1
• Apply Ruby version updates that include the patched URI component
• Implement input validation and length limits on user-supplied URLs before parsing
• Add timeout wrappers around URI parsing operations as a defense-in-depth measure

Patch Information

Ruby-lang has released patched versions of the URI component that address this ReDoS vulnerability. The fixed versions are 0.12.1, 0.11.1, 0.10.2, and 0.10.0.1. Organizations should update to the appropriate fixed version based on their current URI gem version.

For detailed patch information, refer to the Ruby CVE-2023-28755 Advisory and the GitHub URI Release Notes.

Linux distributions have also released updates:

• Debian LTS Announcement
• Gentoo GLSA 202401-27

Workarounds

• Implement strict URL length limits before passing input to URI parsing methods
• Add timeout wrappers around URI.parse() calls to prevent extended CPU consumption
• Validate URL format using simpler, non-backtracking patterns before full parsing
• Consider using alternative URL parsing libraries that are not affected by this vulnerability

# Update URI gem to patched version
gem update uri

# Or specify the fixed version in Gemfile
# gem 'uri', '~> 0.12.1'

# Verify installed version
gem list uri