High severityNVD Advisory· Published Mar 31, 2023· Updated Nov 4, 2025

CVE-2023-28755

Description

A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A ReDoS vulnerability in Ruby's URI parser allows attackers to cause excessive CPU consumption by sending crafted invalid URLs, patched in versions 0.10.0.1, 0.10.2, 0.11.1, and 0.12.1.

Vulnerability

Overview

CVE-2023-28755 is a Regular Expression Denial of Service (ReDoS) vulnerability in the URI component of Ruby, affecting versions through 0.12.0 and Ruby through 3.2.1. The URI parser mishandles invalid URLs containing specific characters, causing a catastrophic exponential increase in execution time when parsing strings into URI objects [2]. This is a classic ReDoS issue where the regex engine spends excessive time backtracking on specially crafted input.

Exploitation

An attacker can exploit this vulnerability by providing a malformed URL string to an application that uses Ruby's URI library for parsing. No authentication is required, and the attack can be delivered remotely if the application processes user-supplied URLs (e.g., via HTTP parameters, API inputs, or file uploads). The crafted input triggers the pathological regex behavior, leading to high CPU usage and potential denial of service [1].

Impact

Successful exploitation causes a denial of service by exhausting server CPU resources, making the application unresponsive or severely degraded. The impact is limited to availability; there is no risk of data breach or code execution. The vulnerability is particularly concerning for web applications that perform URI validation or parsing of external URLs.

Mitigation

Ruby has released fixed versions of the URI gem: 0.10.0.1, 0.10.2, 0.11.1, and 0.12.1 [2]. Users should upgrade their URI gem to one of these versions. The Ruby language project recommends updating to the latest patch releases of the stable branches (e.g., Ruby 3.2.2 or later) [3]. As the issue is in the URI library, applications using Ruby gems that depend on the URI gem are also affected and should be updated [4].

References

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
uriRubyGems	>= 0.12.0, < 0.12.1	0.12.1
uriRubyGems	>= 0.11.0, < 0.11.1	0.11.1
uriRubyGems	>= 0.10.1, < 0.10.2	0.10.2
uriRubyGems	< 0.10.0.1	0.10.0.1

Affected products

Ruby/Rubydescription
osv-coords88 versions
pkg:apk/chainguard/ruby-3.0 pkg:apk/chainguard/ruby-3.0-dev pkg:apk/chainguard/ruby-3.0-doc pkg:apk/chainguard/ruby-3.1 pkg:apk/chainguard/ruby-3.1-base pkg:apk/chainguard/ruby-3.1-base-dev pkg:apk/chainguard/ruby-3.1-dev pkg:apk/chainguard/ruby-3.1-doc pkg:apk/chainguard/ruby-3.2 pkg:apk/chainguard/ruby-3.2-base pkg:apk/chainguard/ruby-3.2-base-dev pkg:apk/chainguard/ruby-3.2-dev pkg:apk/chainguard/ruby-3.2-doc pkg:apk/wolfi/ruby-3.0 pkg:apk/wolfi/ruby-3.0-dev pkg:apk/wolfi/ruby-3.0-doc pkg:apk/wolfi/ruby-3.1 pkg:apk/wolfi/ruby-3.1-base pkg:apk/wolfi/ruby-3.1-base-dev pkg:apk/wolfi/ruby-3.1-dev pkg:apk/wolfi/ruby-3.1-doc pkg:apk/wolfi/ruby-3.2 pkg:apk/wolfi/ruby-3.2-base pkg:apk/wolfi/ruby-3.2-base-dev pkg:apk/wolfi/ruby-3.2-dev pkg:apk/wolfi/ruby-3.2-doc pkg:gem/uri pkg:rpm/almalinux/ruby pkg:rpm/almalinux/ruby-bundled-gems pkg:rpm/almalinux/ruby-default-gems pkg:rpm/almalinux/ruby-devel pkg:rpm/almalinux/ruby-doc pkg:rpm/almalinux/rubygem-abrt pkg:rpm/almalinux/rubygem-abrt-doc pkg:rpm/almalinux/rubygem-bigdecimal pkg:rpm/almalinux/rubygem-bson pkg:rpm/almalinux/rubygem-bson-doc pkg:rpm/almalinux/rubygem-bundler pkg:rpm/almalinux/rubygem-bundler-doc pkg:rpm/almalinux/rubygem-did_you_mean pkg:rpm/almalinux/rubygem-io-console pkg:rpm/almalinux/rubygem-irb pkg:rpm/almalinux/rubygem-json pkg:rpm/almalinux/rubygem-minitest pkg:rpm/almalinux/rubygem-mongo pkg:rpm/almalinux/rubygem-mongo-doc pkg:rpm/almalinux/rubygem-mysql2 pkg:rpm/almalinux/rubygem-mysql2-doc pkg:rpm/almalinux/rubygem-net-telnet pkg:rpm/almalinux/rubygem-openssl pkg:rpm/almalinux/rubygem-pg pkg:rpm/almalinux/rubygem-pg-doc pkg:rpm/almalinux/rubygem-power_assert pkg:rpm/almalinux/rubygem-psych pkg:rpm/almalinux/rubygem-rake pkg:rpm/almalinux/rubygem-rbs pkg:rpm/almalinux/rubygem-rdoc pkg:rpm/almalinux/rubygem-rexml pkg:rpm/almalinux/rubygem-rss pkg:rpm/almalinux/rubygems pkg:rpm/almalinux/rubygems-devel pkg:rpm/almalinux/rubygem-test-unit pkg:rpm/almalinux/rubygem-typeprof pkg:rpm/almalinux/rubygem-xmlrpc pkg:rpm/almalinux/ruby-irb pkg:rpm/almalinux/ruby-libs pkg:rpm/opensuse/ruby2.5&distro=openSUSE%20Leap%2015.4 pkg:rpm/opensuse/ruby2.5&distro=openSUSE%20Leap%2015.5 pkg:rpm/opensuse/ruby3.1&distro=openSUSE%20Tumbleweed pkg:rpm/opensuse/ruby3.2&distro=openSUSE%20Tumbleweed pkg:rpm/opensuse/ruby3.3&distro=openSUSE%20Tumbleweed pkg:rpm/opensuse/ruby3.4&distro=openSUSE%20Tumbleweed pkg:rpm/opensuse/ruby4.0&distro=openSUSE%20Tumbleweed pkg:rpm/suse/ruby2.5&distro=SUSE%20Enterprise%20Storage%207.1 pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-ESPOS pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4 pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5 pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSS pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1 pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2 pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3 pkg:rpm/suse/ruby2.5&distro=SUSE%20Manager%20Proxy%204.2 pkg:rpm/suse/ruby2.5&distro=SUSE%20Manager%20Server%204.2
< 3.0.6-r0+ 87 more
- (no CPE)range: < 3.0.6-r0
- (no CPE)range: < 3.0.6-r0
- (no CPE)range: < 3.0.6-r0
- (no CPE)range: < 3.1.4-r0
- (no CPE)range: < 3.1.4-r0
- (no CPE)range: < 3.1.4-r0
- (no CPE)range: < 3.1.4-r0
- (no CPE)range: < 3.1.4-r0
- (no CPE)range: < 3.2.2-r0
- (no CPE)range: < 3.2.2-r0
- (no CPE)range: < 3.2.2-r0
- (no CPE)range: < 3.2.2-r0
- (no CPE)range: < 3.2.2-r0
- (no CPE)range: < 3.0.6-r0
- (no CPE)range: < 3.0.6-r0
- (no CPE)range: < 3.0.6-r0
- (no CPE)range: < 3.1.4-r0
- (no CPE)range: < 3.1.4-r0
- (no CPE)range: < 3.1.4-r0
- (no CPE)range: < 3.1.4-r0
- (no CPE)range: < 3.1.4-r0
- (no CPE)range: < 3.2.2-r0
- (no CPE)range: < 3.2.2-r0
- (no CPE)range: < 3.2.2-r0
- (no CPE)range: < 3.2.2-r0
- (no CPE)range: < 3.2.2-r0
- (no CPE)range: >= 0.12.0, < 0.12.1
- (no CPE)range: < 2.7.8-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 3.1.4-142.module_el8.9.0+3746+91b8233a
- (no CPE)range: < 2.7.8-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 2.7.8-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 2.7.8-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 0.4.0-1.module_el8.3.0+6147+d0dfc1e4
- (no CPE)range: < 0.4.0-1.module_el8.3.0+6147+d0dfc1e4
- (no CPE)range: < 2.0.0-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 4.8.1-1.module_el8.5.0+117+35d1289b
- (no CPE)range: < 4.8.1-1.module_el8.3.0+6147+d0dfc1e4
- (no CPE)range: < 2.2.24-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 1.16.1-4.module_el8.5.0+2625+ec418553
- (no CPE)range: < 1.2.0-111.module_el8.9.0+3635+c6f99506
- (no CPE)range: < 0.5.6-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 1.2.6-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 2.3.0-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 5.13.0-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 2.11.3-1.module_el8.3.0+6147+d0dfc1e4
- (no CPE)range: < 2.11.3-1.module_el8.3.0+6147+d0dfc1e4
- (no CPE)range: < 0.5.3-1.module_el8.4.0+2399+4e3a532a
- (no CPE)range: < 0.5.3-1.module_el8.3.0+6147+d0dfc1e4
- (no CPE)range: < 0.2.0-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 2.1.4-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 1.2.3-1.module_el8.3.0+6147+d0dfc1e4
- (no CPE)range: < 1.2.3-1.module_el8.3.0+6147+d0dfc1e4
- (no CPE)range: < 1.1.7-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 3.1.0-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 13.0.1-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 2.7.0-142.module_el8.9.0+3746+91b8233a
- (no CPE)range: < 6.2.1.1-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 3.2.5-142.module_el8.9.0+3746+91b8233a
- (no CPE)range: < 0.2.9-142.module_el8.9.0+3746+91b8233a
- (no CPE)range: < 3.1.6-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 3.1.6-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 3.3.4-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 0.21.3-142.module_el8.9.0+3746+91b8233a
- (no CPE)range: < 0.3.0-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 2.5.9-111.module_el8.9.0+3635+c6f99506
- (no CPE)range: < 2.7.8-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 3.1.4-1.1
- (no CPE)range: < 3.2.2-1.1
- (no CPE)range: < 3.3.0-1.2
- (no CPE)range: < 3.4.1-1.1
- (no CPE)range: < 4.0.0~preview2-1.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000