We have released uri gem versions 0.10.0.1, 0.10.2, 0.11.1 and 0.12.1, which contain a security fix for a ReDoS vulnerability. This vulnerability has been assigned the CVE identifier CVE-2023-28755.
A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that contain specific characters, so parsing such strings into URI objects takes far longer than it should, which an attacker can use to tie up a process that parses untrusted URLs.
Please update the uri gem to version 0.12.1 or later. We have also released fixed versions of the older uri gem lines bundled with earlier Ruby releases (0.10.0.1, 0.10.2 and 0.11.1); use those if you only need the security fix for the line you are already on.
You can use `gem update uri` to update it. If you are using bundler, please add `gem "uri", ">= 0.12.1"` to your `Gemfile`.
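As an added example (not code from the advisory or from the uri gem), the following Ruby script reports whether the uri gem loaded into the current process carries the fix. The only data it relies on is the list of fixed versions stated above; the helper names (`uri_patched?`, `loaded_uri_version`) are this example's own.

```ruby
# Added example, not part of the advisory: check the loaded uri gem against the
# fixed versions named in the CVE-2023-28755 announcement.
require "rubygems" # Gem::Version

# Minimum patched version for each release line named in the advisory.
FIXED_URI_VERSIONS = %w[0.10.0.1 0.10.2 0.11.1 0.12.1]
                     .map { |v| Gem::Version.new(v) }.freeze

# True if +version+ (a String or Gem::Version) carries the CVE-2023-28755 fix.
# Each release line has its own fixed version, so a plain ">= 0.12.1" check
# would wrongly flag a patched 0.10.2 or 0.11.1 as vulnerable.
def uri_patched?(version)
  v = Gem::Version.new(version.to_s)
  seg = v.segments
  if seg[0, 3] == [0, 10, 0]
    # 0.10.0.1 is a point release on the 0.10.0 line, so it is matched before
    # the general 0.10.x rule below.
    v >= Gem::Version.new("0.10.0.1")
  elsif seg[0, 2] == [0, 10]
    v >= Gem::Version.new("0.10.2")
  elsif seg[0, 2] == [0, 11]
    v >= Gem::Version.new("0.11.1")
  else
    # 0.12.x needs 0.12.1; anything newer is fixed, anything older (0.9 and
    # below, or unknown) is treated as not patched.
    v >= Gem::Version.new("0.12.1")
  end
end

# Version of the uri gem loaded into this process, or nil when URI::VERSION is
# not defined (Rubies that ship uri only as a plain stdlib file).
def loaded_uri_version
  require "uri"
  defined?(URI::VERSION) ? URI::VERSION : nil
end

if __FILE__ == $0
  v = loaded_uri_version
  if v.nil?
    puts "uri version unknown (URI::VERSION not defined); check your Ruby release"
  elsif uri_patched?(v)
    puts "uri #{v}: patched against CVE-2023-28755"
  else
    puts "uri #{v}: NOT patched, run `gem update uri` or pin gem \"uri\", \">= 0.12.1\""
  end
end
```

Run it under the same Ruby your application uses (ideally via `bundle exec`) so that the version it inspects is the one Bundler actually resolves. As a defence in depth that is independent of this advisory, Ruby 3.2 and later also let you bound every regexp match with `Regexp.timeout = 1.0`, which turns a pathological match into a `Regexp::TimeoutError` instead of a stalled request; it does not replace updating the gem.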
Thanks to Dominic Couture for discovering this issue.
Posted by hsbt on 28 Mar 2023
https://www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/