High severityNVD Advisory· Published Mar 31, 2023· Updated Nov 4, 2025
CVE-2023-28755
CVE-2023-28755
Description
A ReDoS issue was discovered in the URI component through 0.12.0 in Ruby through 3.2.1. The URI parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to URI objects. The fixed versions are 0.12.1, 0.11.1, 0.10.2 and 0.10.0.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
uriRubyGems | >= 0.12.0, < 0.12.1 | 0.12.1 |
uriRubyGems | >= 0.11.0, < 0.11.1 | 0.11.1 |
uriRubyGems | >= 0.10.1, < 0.10.2 | 0.10.2 |
uriRubyGems | < 0.10.0.1 | 0.10.0.1 |
Affected products
89- osv-coords88 versionspkg:apk/chainguard/ruby-3.0pkg:apk/chainguard/ruby-3.0-devpkg:apk/chainguard/ruby-3.0-docpkg:apk/chainguard/ruby-3.1pkg:apk/chainguard/ruby-3.1-basepkg:apk/chainguard/ruby-3.1-base-devpkg:apk/chainguard/ruby-3.1-devpkg:apk/chainguard/ruby-3.1-docpkg:apk/chainguard/ruby-3.2pkg:apk/chainguard/ruby-3.2-basepkg:apk/chainguard/ruby-3.2-base-devpkg:apk/chainguard/ruby-3.2-devpkg:apk/chainguard/ruby-3.2-docpkg:apk/wolfi/ruby-3.0pkg:apk/wolfi/ruby-3.0-devpkg:apk/wolfi/ruby-3.0-docpkg:apk/wolfi/ruby-3.1pkg:apk/wolfi/ruby-3.1-basepkg:apk/wolfi/ruby-3.1-base-devpkg:apk/wolfi/ruby-3.1-devpkg:apk/wolfi/ruby-3.1-docpkg:apk/wolfi/ruby-3.2pkg:apk/wolfi/ruby-3.2-basepkg:apk/wolfi/ruby-3.2-base-devpkg:apk/wolfi/ruby-3.2-devpkg:apk/wolfi/ruby-3.2-docpkg:gem/uripkg:rpm/almalinux/rubypkg:rpm/almalinux/ruby-bundled-gemspkg:rpm/almalinux/ruby-default-gemspkg:rpm/almalinux/ruby-develpkg:rpm/almalinux/ruby-docpkg:rpm/almalinux/rubygem-abrtpkg:rpm/almalinux/rubygem-abrt-docpkg:rpm/almalinux/rubygem-bigdecimalpkg:rpm/almalinux/rubygem-bsonpkg:rpm/almalinux/rubygem-bson-docpkg:rpm/almalinux/rubygem-bundlerpkg:rpm/almalinux/rubygem-bundler-docpkg:rpm/almalinux/rubygem-did_you_meanpkg:rpm/almalinux/rubygem-io-consolepkg:rpm/almalinux/rubygem-irbpkg:rpm/almalinux/rubygem-jsonpkg:rpm/almalinux/rubygem-minitestpkg:rpm/almalinux/rubygem-mongopkg:rpm/almalinux/rubygem-mongo-docpkg:rpm/almalinux/rubygem-mysql2pkg:rpm/almalinux/rubygem-mysql2-docpkg:rpm/almalinux/rubygem-net-telnetpkg:rpm/almalinux/rubygem-opensslpkg:rpm/almalinux/rubygem-pgpkg:rpm/almalinux/rubygem-pg-docpkg:rpm/almalinux/rubygem-power_assertpkg:rpm/almalinux/rubygem-psychpkg:rpm/almalinux/rubygem-rakepkg:rpm/almalinux/rubygem-rbspkg:rpm/almalinux/rubygem-rdocpkg:rpm/almalinux/rubygem-rexmlpkg:rpm/almalinux/rubygem-rsspkg:rpm/almalinux/rubygemspkg:rpm/almalinux/rubygems-develpkg:rpm/almalinux/rubygem-test-unitpkg:rpm/almalinux/rubygem-typeprofpkg:rpm/almalinux/rubygem-xmlrpcpkg:rpm/almalinux/ruby-irbpkg:rpm/almalinux/ruby-libspkg:rpm/opensuse/ruby2.5&distro=openSUSE%20Leap%2015.4pkg:rpm/opensuse/ruby2.5&distro=openSUSE%20Leap%2015.5pkg:rpm/opensuse/ruby3.1&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/ruby3.2&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/ruby3.3&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/ruby3.4&distro=openSUSE%20Tumbleweedpkg:rpm/opensuse/ruby4.0&distro=openSUSE%20Tumbleweedpkg:rpm/suse/ruby2.5&distro=SUSE%20Enterprise%20Storage%207.1pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSSpkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSSpkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-ESPOSpkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSSpkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSSpkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSSpkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSSpkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3pkg:rpm/suse/ruby2.5&distro=SUSE%20Manager%20Proxy%204.2pkg:rpm/suse/ruby2.5&distro=SUSE%20Manager%20Server%204.2
< 3.0.6-r0+ 87 more
- (no CPE)range: < 3.0.6-r0
- (no CPE)range: < 3.0.6-r0
- (no CPE)range: < 3.0.6-r0
- (no CPE)range: < 3.1.4-r0
- (no CPE)range: < 3.1.4-r0
- (no CPE)range: < 3.1.4-r0
- (no CPE)range: < 3.1.4-r0
- (no CPE)range: < 3.1.4-r0
- (no CPE)range: < 3.2.2-r0
- (no CPE)range: < 3.2.2-r0
- (no CPE)range: < 3.2.2-r0
- (no CPE)range: < 3.2.2-r0
- (no CPE)range: < 3.2.2-r0
- (no CPE)range: < 3.0.6-r0
- (no CPE)range: < 3.0.6-r0
- (no CPE)range: < 3.0.6-r0
- (no CPE)range: < 3.1.4-r0
- (no CPE)range: < 3.1.4-r0
- (no CPE)range: < 3.1.4-r0
- (no CPE)range: < 3.1.4-r0
- (no CPE)range: < 3.1.4-r0
- (no CPE)range: < 3.2.2-r0
- (no CPE)range: < 3.2.2-r0
- (no CPE)range: < 3.2.2-r0
- (no CPE)range: < 3.2.2-r0
- (no CPE)range: < 3.2.2-r0
- (no CPE)range: >= 0.12.0, < 0.12.1
- (no CPE)range: < 2.7.8-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 3.1.4-142.module_el8.9.0+3746+91b8233a
- (no CPE)range: < 2.7.8-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 2.7.8-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 2.7.8-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 0.4.0-1.module_el8.3.0+6147+d0dfc1e4
- (no CPE)range: < 0.4.0-1.module_el8.3.0+6147+d0dfc1e4
- (no CPE)range: < 2.0.0-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 4.8.1-1.module_el8.5.0+117+35d1289b
- (no CPE)range: < 4.8.1-1.module_el8.3.0+6147+d0dfc1e4
- (no CPE)range: < 2.2.24-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 1.16.1-4.module_el8.5.0+2625+ec418553
- (no CPE)range: < 1.2.0-111.module_el8.9.0+3635+c6f99506
- (no CPE)range: < 0.5.6-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 1.2.6-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 2.3.0-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 5.13.0-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 2.11.3-1.module_el8.3.0+6147+d0dfc1e4
- (no CPE)range: < 2.11.3-1.module_el8.3.0+6147+d0dfc1e4
- (no CPE)range: < 0.5.3-1.module_el8.4.0+2399+4e3a532a
- (no CPE)range: < 0.5.3-1.module_el8.3.0+6147+d0dfc1e4
- (no CPE)range: < 0.2.0-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 2.1.4-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 1.2.3-1.module_el8.3.0+6147+d0dfc1e4
- (no CPE)range: < 1.2.3-1.module_el8.3.0+6147+d0dfc1e4
- (no CPE)range: < 1.1.7-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 3.1.0-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 13.0.1-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 2.7.0-142.module_el8.9.0+3746+91b8233a
- (no CPE)range: < 6.2.1.1-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 3.2.5-142.module_el8.9.0+3746+91b8233a
- (no CPE)range: < 0.2.9-142.module_el8.9.0+3746+91b8233a
- (no CPE)range: < 3.1.6-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 3.1.6-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 3.3.4-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 0.21.3-142.module_el8.9.0+3746+91b8233a
- (no CPE)range: < 0.3.0-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 2.5.9-111.module_el8.9.0+3635+c6f99506
- (no CPE)range: < 2.7.8-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 3.1.4-1.1
- (no CPE)range: < 3.2.2-1.1
- (no CPE)range: < 3.3.0-1.2
- (no CPE)range: < 3.4.1-1.1
- (no CPE)range: < 4.0.0~preview2-1.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
Patches
Vulnerability mechanics
References
31- github.com/advisories/GHSA-hv5j-3h9f-99c2ghsaADVISORY
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKA/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2T/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QA6XUKUY7B5OLNQBLHOT43UW7C5NIOQQ/mitrevendor-advisory
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5Z/mitrevendor-advisory
- nvd.nist.gov/vuln/detail/CVE-2023-28755ghsaADVISORY
- security.gentoo.org/glsa/202401-27ghsavendor-advisoryWEB
- github.com/ruby/uri/releasesghsaWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2023-28755.ymlghsaWEB
- lists.debian.org/debian-lts-announce/2023/04/msg00033.htmlghsamailing-listWEB
- lists.debian.org/debian-lts-announce/2024/09/msg00000.htmlghsaWEB
- lists.debian.org/debian-lts-announce/2025/05/msg00015.htmlghsaWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXFghsaWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKAghsaWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2TghsaWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QA6XUKUY7B5OLNQBLHOT43UW7C5NIOQQghsaWEB
- lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5ZghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXFghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FFZANOQA4RYX7XCB42OO3P24DQKWHEKAghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/G76GZG3RAGYF4P75YY7J7TGYAU7Z5E2TghsaWEB
- lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/WMIOPLBAAM3FEQNAXA2L7BDKOGSVUT5ZghsaWEB
- security.netapp.com/advisory/ntap-20230526-0003ghsaWEB
- www.ruby-lang.org/en/downloads/releasesghsaWEB
- www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-releasedghsaWEB
- www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755ghsaWEB
- github.com/ruby/uri/releases/mitre
- security.netapp.com/advisory/ntap-20230526-0003/mitre
- www.ruby-lang.org/en/downloads/releases/mitre
- www.ruby-lang.org/en/news/2022/12/25/ruby-3-2-0-released/mitre
- www.ruby-lang.org/en/news/2023/03/28/redos-in-uri-cve-2023-28755/mitre
News mentions
0No linked articles in our index yet.