SentinelOne

CVE-2023-36617: Ruby-lang URI DoS Vulnerability

CVE-2023-36617 is a Regular Expression Denial of Service (ReDoS) flaw in the Ruby-lang URI component that causes excessive execution time when parsing invalid URLs. This article covers technical details, affected versions, and fixes.

CVE-2023-36617 Overview

A Regular Expression Denial of Service (ReDoS) vulnerability was discovered in the URI component for Ruby, affecting versions prior to 0.12.2. The URI parser mishandles invalid URLs containing specific characters, leading to a significant increase in execution time when parsing malformed strings to URI objects. This vulnerability exists in both rfc2396_parser.rb and rfc3986_parser.rb files and represents an incomplete fix for the previously disclosed CVE-2023-28755.

Critical Impact

Attackers can craft malicious URLs that cause excessive CPU consumption during URI parsing, potentially leading to denial of service conditions in Ruby applications that process untrusted URL input.

Affected Products

  • Ruby-lang URI component versions before 0.12.2
  • Ruby-lang URI component versions on the 0.10.x branch before 0.10.3 (that branch received a separate patch)
  • Applications using vulnerable versions of the URI gem for Ruby

Discovery Timeline

  • June 29, 2023 - CVE-2023-36617 published to NVD
  • November 4, 2025 - Last updated in NVD database

Technical Details for CVE-2023-36617

Vulnerability Analysis

This ReDoS vulnerability stems from inefficient regular expression patterns within Ruby's URI parsing components. When the URI parser processes specially crafted invalid URLs containing specific character sequences, the regular expression engine enters a pathological backtracking state. This causes the parsing operation to consume exponentially more CPU cycles as the input string length increases.

The vulnerability affects both RFC 2396 and RFC 3986 parser implementations (rfc2396_parser.rb and rfc3986_parser.rb), indicating that the regex patterns used for URL validation and parsing contain nested quantifiers or overlapping alternations that are susceptible to catastrophic backtracking.

This issue is particularly noteworthy as it represents an incomplete remediation of CVE-2023-28755, suggesting that the initial fix did not fully address all vulnerable code paths in the URI parsing logic.

Root Cause

The root cause lies in the regular expression patterns used within the URI component's parser implementations. The regex patterns contain constructs that allow for exponential time complexity when matching against certain malformed input strings. Specifically, the combination of nested quantifiers and overlapping character classes creates conditions where the regex engine must explore an exponentially growing number of possible matches before determining that no valid match exists.

Attack Vector

The attack vector is network-based and requires no authentication or user interaction. An attacker can exploit this vulnerability by sending malformed URLs to any Ruby application that parses untrusted URI input. The attack is executed as follows:

  1. The attacker identifies a Ruby application that processes user-supplied URLs using the vulnerable URI component
  2. The attacker crafts a malicious URL string containing specific character patterns that trigger pathological regex backtracking
  3. When the application attempts to parse this URL, the regex engine enters an exponential backtracking state
  4. CPU resources are consumed excessively, potentially causing the application to become unresponsive or crash

The vulnerability can be triggered remotely without any special privileges, making it accessible to any network-connected attacker who can supply URL input to the target application.

Detection Methods for CVE-2023-36617

Indicators of Compromise

  • Abnormal CPU spikes occurring during URL parsing operations in Ruby applications
  • Application response time degradation when processing URL inputs
  • Ruby process hangs or timeouts during URI parsing routines
  • Unusual memory consumption patterns in applications using the URI gem

Detection Strategies

  • Monitor Ruby application logs for slow URL parsing operations or timeout errors
  • Implement runtime monitoring to detect regex execution times exceeding normal thresholds
  • Conduct dependency audits to identify applications using vulnerable URI gem versions (below 0.12.2 or below 0.10.3 in the 0.10.x branch)
  • Deploy application performance monitoring (APM) to track URI parsing latency anomalies
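The dependency audit and the regex-execution-time monitoring above can both be done from inside the application itself. The following Ruby script is an added example and is not code from SentinelOne or from the Ruby project: `vulnerable_uri_version?` compares a uri gem version against the two fixed versions named in this advisory (0.12.2 on the main line, 0.10.3 on the 0.10.x branch), and `monitored_parse` wraps `URI.parse` with a wall-clock measurement and logs any parse slower than a threshold. The threshold value, the constant and function names, and the sample URLs are assumptions constructed for the example; `URI::VERSION` is the constant the uri gem itself exposes.

```ruby
require "rubygems"
require "uri"
require "logger"
require "benchmark"

# Fixed versions named in the advisory: 0.12.2 on the main line and 0.10.3
# on the 0.10.x branch. Everything else below 0.12.2 is treated as affected.
FIXED_MAIN  = Gem::Version.new("0.12.2")
FIXED_0_10  = Gem::Version.new("0.10.3")
BRANCH_0_10 = Gem::Requirement.new("~> 0.10.0")

# True when a uri gem version string still carries CVE-2023-36617.
def vulnerable_uri_version?(version_string)
  v = Gem::Version.new(version_string)
  BRANCH_0_10.satisfied_by?(v) ? v < FIXED_0_10 : v < FIXED_MAIN
end

# The uri gem exposes URI::VERSION; fall back to the activated gemspec if a
# build lacks the constant.
def installed_uri_version
  return URI::VERSION if defined?(URI::VERSION)
  spec = Gem.loaded_specs["uri"]
  spec ? spec.version.to_s : "unknown"
end

# One-line audit result for the running interpreter.
def audit_installed_uri
  version = installed_uri_version
  return "uri #{version}: unknown" if version == "unknown"
  "uri #{version}: #{vulnerable_uri_version?(version) ? 'VULNERABLE' : 'patched'}"
end

SLOW_PARSE_THRESHOLD = 0.05 # seconds; assumed value, set it from your own baseline
LOGGER = Logger.new($stderr)

# Drop-in replacement for URI.parse that measures wall-clock time and logs
# parses slower than the threshold: the "regex execution time exceeding normal
# thresholds" signal the detection strategies call for. Returns a hash so the
# caller sees the URI (or the parse error) together with the timing.
def monitored_parse(str, threshold: SLOW_PARSE_THRESHOLD, logger: LOGGER)
  uri = nil
  error = nil
  elapsed = Benchmark.realtime do
    begin
      uri = URI.parse(str)
    rescue URI::InvalidURIError => e
      error = e
    end
  end
  slow = elapsed > threshold
  logger.warn(format("slow URI parse: %.3fs for %d-byte input", elapsed, str.bytesize)) if slow
  { uri: uri, error: error, elapsed: elapsed, slow: slow }
end

if $PROGRAM_NAME == __FILE__
  puts audit_installed_uri
  # Constructed sample inputs: one well-formed URL and one the parser rejects.
  ["https://example.com/path?q=1", "http://exa mple.com"].each do |s|
    r = monitored_parse(s)
    outcome = r[:error] ? "rejected (#{r[:error].class})" : "host=#{r[:uri].host}"
    puts "#{s.inspect}: #{outcome} in #{format('%.4f', r[:elapsed])}s"
  end
end
```

Run the audit once per deployment (or from a CI job) and route the `slow URI parse` warnings into the same log pipeline your APM alerts read, so a cluster of slow parses from one client shows up as a detection event rather than as an unexplained CPU spike.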

Monitoring Recommendations

  • Configure alerting for sustained high CPU utilization in Ruby application processes
  • Implement request timeout mechanisms for URL parsing operations
  • Set up automated vulnerability scanning for Ruby gem dependencies
  • Monitor network traffic for patterns of repeated malformed URL submissions

How to Mitigate CVE-2023-36617

Immediate Actions Required

  • Update the Ruby URI gem to version 0.12.2 or later immediately
  • For applications on the 0.10.x branch, update to version 0.10.3 or later
  • Implement input validation to filter obviously malformed URLs before URI parsing
  • Apply request timeouts on operations involving URL parsing from untrusted sources

Patch Information

Ruby-lang has released security patches addressing this vulnerability. Fixed versions include URI gem 0.12.2 and 0.10.3. The official security advisory is available from Ruby-lang Security News. Additional distribution-specific patches have been released by Fedora, Debian, and NetApp as documented in their respective security advisories.

Workarounds

  • Implement strict input length limits on URL strings before passing to the URI parser
  • Use a preliminary regex validation to reject obviously malformed URLs before full parsing
  • Deploy web application firewalls (WAF) with rules to detect and block malicious URL patterns
  • Consider using alternative URL parsing libraries with known-safe regex implementations as a temporary measure
```bash
# Update the uri gem to a patched version (0.12.2 or later on the main line)
gem install uri -v '>= 0.12.2'

# Verify the installed version
gem list uri

# For Bundler-managed applications, pin the patched version in the Gemfile:
# gem 'uri', '>= 0.12.2'
# then refresh the lockfile
bundle update uri
```
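Until the gem update has been rolled out everywhere, the input-validation and timeout items under Immediate Actions and the length-limit and pre-validation items under Workarounds can be combined into a single guarded entry point for untrusted URL input. The following Ruby code is an added example, not code from SentinelOne or from the Ruby project: `parse_untrusted_uri` rejects non-strings, over-long strings and strings containing whitespace or control characters before `URI.parse` ever runs, then gives the parse a wall-clock budget via the standard `Timeout` module. The length and budget values, the error class and the function names are assumptions chosen for the example; `Regexp.timeout=` is the real Ruby 3.2+ API and is only set when the interpreter supports it.

```ruby
require "uri"
require "timeout"

# Assumed policy values for this example; size them from your own traffic.
MAX_URI_LENGTH = 2048  # bytes accepted from an untrusted caller
PARSE_BUDGET   = 0.5   # seconds allowed for a single parse

class UntrustedUriError < StandardError; end

# Parses a URI string coming from an untrusted source with two independent
# defensive layers in front of URI.parse:
#   1. cheap pre-checks (type, length, no whitespace/control characters) that
#      bound how much work a backtracking regex can possibly do, and
#   2. a wall-clock budget so that an input which still triggers pathological
#      backtracking is abandoned instead of pinning a worker's CPU.
# Returns a URI object on success; raises UntrustedUriError with a reason otherwise.
def parse_untrusted_uri(str, max_length: MAX_URI_LENGTH, budget: PARSE_BUDGET)
  raise UntrustedUriError, "expected a String" unless str.is_a?(String)
  raise UntrustedUriError, "too long (#{str.bytesize} > #{max_length} bytes)" if str.bytesize > max_length
  raise UntrustedUriError, "whitespace or control characters present" if str.match?(/[[:space:][:cntrl:]]/)

  # Ruby's regex matcher checks for interrupts, so Timeout can abort it mid-match.
  Timeout.timeout(budget) { URI.parse(str) }
rescue URI::InvalidURIError => e
  raise UntrustedUriError, "invalid URI: #{e.message}"
rescue Timeout::Error
  raise UntrustedUriError, "parse exceeded #{budget}s budget"
end

# Convenience predicate for validation pipelines that only need a yes/no.
def acceptable_uri?(str, **opts)
  parse_untrusted_uri(str, **opts)
  true
rescue UntrustedUriError
  false
end

# On Ruby 3.2+ a process-wide regex deadline exists as well; it is set here only
# when the interpreter supports it, so the file also loads on older Rubies.
Regexp.timeout = PARSE_BUDGET if Regexp.respond_to?(:timeout=)

if $PROGRAM_NAME == __FILE__
  # Constructed sample inputs (not payloads from the advisory).
  samples = [
    "https://example.com/search?q=ruby",
    "http://exa mple.com",
    "https://example.com/" + ("a" * 3000)
  ]
  samples.each do |s|
    begin
      uri = parse_untrusted_uri(s)
      puts "accepted host=#{uri.host} path=#{uri.path[0, 20]}"
    rescue UntrustedUriError => e
      puts "rejected: #{e.message}"
    end
  end
end
```

The pre-checks are deliberately simple character-class and length tests rather than a second full URL regex, so they cannot themselves introduce the backtracking problem the guard exists to contain; the timeout is the backstop for whatever the pre-checks let through.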

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
