High severityNVD Advisory· Published Mar 31, 2023· Updated Nov 4, 2025

CVE-2023-28756

Description

A ReDoS issue was discovered in the Time component through 0.2.1 in Ruby through 3.2.1. The Time parser mishandles invalid URLs that have specific characters. It causes an increase in execution time for parsing strings to Time objects. The fixed versions are 0.1.1 and 0.2.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A ReDoS vulnerability in Ruby's Time component allows attackers to cause denial of service by crafting invalid URLs that trigger excessive CPU consumption during string parsing.

Description

A ReDoS (Regular Expression Denial of Service) vulnerability exists in the Time component of Ruby, affecting versions up to 0.2.1 of the Time gem and Ruby versions through 3.2.1. The root cause is that the Time parser mishandles invalid URLs containing specific characters, leading to catastrophic backtracking in the regular expression engine. This results in a disproportionate increase in execution time when parsing such strings into Time objects [2][4].

Exploitation

An attacker can exploit this vulnerability by providing a specially crafted string that, when parsed by an application using the Time component, causes the parser to consume excessive CPU resources. The attack requires no authentication if the application parses user-supplied strings, making it a low-complexity vector for denial of service [2].

Impact

Successful exploitation leads to a denial of service condition, where the affected Ruby process becomes unresponsive due to high CPU usage. This can degrade or completely disrupt the availability of the application [2].

Mitigation

The vulnerability is fixed in Time gem versions 0.1.1 and 0.2.2. Users should update the Time gem to one of these versions or upgrade Ruby to a release that incorporates the fix. No workarounds are documented [2][4].

References

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
timeRubyGems	>= 0.2.0, < 0.2.2	0.2.2
timeRubyGems	< 0.1.1	0.1.1

Affected products

Ruby/Rubydescription
osv-coords85 versions
pkg:apk/chainguard/ruby-3.0 pkg:apk/chainguard/ruby-3.0-dev pkg:apk/chainguard/ruby-3.0-doc pkg:apk/chainguard/ruby-3.1 pkg:apk/chainguard/ruby-3.1-base pkg:apk/chainguard/ruby-3.1-base-dev pkg:apk/chainguard/ruby-3.1-dev pkg:apk/chainguard/ruby-3.1-doc pkg:apk/chainguard/ruby-3.2 pkg:apk/chainguard/ruby-3.2-base pkg:apk/chainguard/ruby-3.2-base-dev pkg:apk/chainguard/ruby-3.2-dev pkg:apk/chainguard/ruby-3.2-doc pkg:apk/wolfi/ruby-3.0 pkg:apk/wolfi/ruby-3.0-dev pkg:apk/wolfi/ruby-3.0-doc pkg:apk/wolfi/ruby-3.1 pkg:apk/wolfi/ruby-3.1-base pkg:apk/wolfi/ruby-3.1-base-dev pkg:apk/wolfi/ruby-3.1-dev pkg:apk/wolfi/ruby-3.1-doc pkg:apk/wolfi/ruby-3.2 pkg:apk/wolfi/ruby-3.2-base pkg:apk/wolfi/ruby-3.2-base-dev pkg:apk/wolfi/ruby-3.2-dev pkg:apk/wolfi/ruby-3.2-doc pkg:bitnami/ruby pkg:bitnami/ruby-min pkg:gem/time pkg:rpm/almalinux/ruby pkg:rpm/almalinux/ruby-bundled-gems pkg:rpm/almalinux/ruby-default-gems pkg:rpm/almalinux/ruby-devel pkg:rpm/almalinux/ruby-doc pkg:rpm/almalinux/rubygem-abrt pkg:rpm/almalinux/rubygem-abrt-doc pkg:rpm/almalinux/rubygem-bigdecimal pkg:rpm/almalinux/rubygem-bson pkg:rpm/almalinux/rubygem-bson-doc pkg:rpm/almalinux/rubygem-bundler pkg:rpm/almalinux/rubygem-bundler-doc pkg:rpm/almalinux/rubygem-did_you_mean pkg:rpm/almalinux/rubygem-io-console pkg:rpm/almalinux/rubygem-irb pkg:rpm/almalinux/rubygem-json pkg:rpm/almalinux/rubygem-minitest pkg:rpm/almalinux/rubygem-mongo pkg:rpm/almalinux/rubygem-mongo-doc pkg:rpm/almalinux/rubygem-mysql2 pkg:rpm/almalinux/rubygem-mysql2-doc pkg:rpm/almalinux/rubygem-net-telnet pkg:rpm/almalinux/rubygem-openssl pkg:rpm/almalinux/rubygem-pg pkg:rpm/almalinux/rubygem-pg-doc pkg:rpm/almalinux/rubygem-power_assert pkg:rpm/almalinux/rubygem-psych pkg:rpm/almalinux/rubygem-rake pkg:rpm/almalinux/rubygem-rbs pkg:rpm/almalinux/rubygem-rdoc pkg:rpm/almalinux/rubygem-rexml pkg:rpm/almalinux/rubygem-rss pkg:rpm/almalinux/rubygems pkg:rpm/almalinux/rubygems-devel pkg:rpm/almalinux/rubygem-test-unit pkg:rpm/almalinux/rubygem-typeprof pkg:rpm/almalinux/rubygem-xmlrpc pkg:rpm/almalinux/ruby-irb pkg:rpm/almalinux/ruby-libs pkg:rpm/opensuse/ruby2.5&distro=openSUSE%20Leap%2015.4 pkg:rpm/opensuse/ruby2.5&distro=openSUSE%20Leap%2015.5 pkg:rpm/suse/ruby2.5&distro=SUSE%20Enterprise%20Storage%207.1 pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP1-LTSS pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP2-LTSS pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-ESPOS pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20High%20Performance%20Computing%2015%20SP3-LTSS pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP4 pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Basesystem%2015%20SP5 pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP1-LTSS pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP2-LTSS pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Server%2015%20SP3-LTSS pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP1 pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP2 pkg:rpm/suse/ruby2.5&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20Applications%2015%20SP3 pkg:rpm/suse/ruby2.5&distro=SUSE%20Manager%20Proxy%204.2 pkg:rpm/suse/ruby2.5&distro=SUSE%20Manager%20Server%204.2
< 3.0.6-r0+ 84 more
- (no CPE)range: < 3.0.6-r0
- (no CPE)range: < 3.0.6-r0
- (no CPE)range: < 3.0.6-r0
- (no CPE)range: < 3.1.4-r0
- (no CPE)range: < 3.1.4-r0
- (no CPE)range: < 3.1.4-r0
- (no CPE)range: < 3.1.4-r0
- (no CPE)range: < 3.1.4-r0
- (no CPE)range: < 3.2.2-r0
- (no CPE)range: < 3.2.2-r0
- (no CPE)range: < 3.2.2-r0
- (no CPE)range: < 3.2.2-r0
- (no CPE)range: < 3.2.2-r0
- (no CPE)range: < 3.0.6-r0
- (no CPE)range: < 3.0.6-r0
- (no CPE)range: < 3.0.6-r0
- (no CPE)range: < 3.1.4-r0
- (no CPE)range: < 3.1.4-r0
- (no CPE)range: < 3.1.4-r0
- (no CPE)range: < 3.1.4-r0
- (no CPE)range: < 3.1.4-r0
- (no CPE)range: < 3.2.2-r0
- (no CPE)range: < 3.2.2-r0
- (no CPE)range: < 3.2.2-r0
- (no CPE)range: < 3.2.2-r0
- (no CPE)range: < 3.2.2-r0
- (no CPE)range: < 2.7.8
- (no CPE)range: < 2.7.8
- (no CPE)range: >= 0.2.0, < 0.2.2
- (no CPE)range: < 2.7.8-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 3.1.4-142.module_el8.9.0+3746+91b8233a
- (no CPE)range: < 2.7.8-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 2.7.8-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 2.7.8-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 0.4.0-1.module_el8.3.0+6147+d0dfc1e4
- (no CPE)range: < 0.4.0-1.module_el8.3.0+6147+d0dfc1e4
- (no CPE)range: < 2.0.0-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 4.8.1-1.module_el8.5.0+117+35d1289b
- (no CPE)range: < 4.8.1-1.module_el8.3.0+6147+d0dfc1e4
- (no CPE)range: < 2.2.24-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 1.16.1-4.module_el8.5.0+2625+ec418553
- (no CPE)range: < 1.2.0-111.module_el8.9.0+3635+c6f99506
- (no CPE)range: < 0.5.6-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 1.2.6-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 2.3.0-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 5.13.0-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 2.11.3-1.module_el8.3.0+6147+d0dfc1e4
- (no CPE)range: < 2.11.3-1.module_el8.3.0+6147+d0dfc1e4
- (no CPE)range: < 0.5.3-1.module_el8.4.0+2399+4e3a532a
- (no CPE)range: < 0.5.3-1.module_el8.3.0+6147+d0dfc1e4
- (no CPE)range: < 0.2.0-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 2.1.4-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 1.2.3-1.module_el8.3.0+6147+d0dfc1e4
- (no CPE)range: < 1.2.3-1.module_el8.3.0+6147+d0dfc1e4
- (no CPE)range: < 1.1.7-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 3.1.0-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 13.0.1-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 2.7.0-142.module_el8.9.0+3746+91b8233a
- (no CPE)range: < 6.2.1.1-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 3.2.5-142.module_el8.9.0+3746+91b8233a
- (no CPE)range: < 0.2.9-142.module_el8.9.0+3746+91b8233a
- (no CPE)range: < 3.1.6-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 3.1.6-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 3.3.4-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 0.21.3-142.module_el8.9.0+3746+91b8233a
- (no CPE)range: < 0.3.0-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 2.5.9-111.module_el8.9.0+3635+c6f99506
- (no CPE)range: < 2.7.8-139.module_el8.8.0+3578+2b4b06da
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1
- (no CPE)range: < 2.5.9-150000.4.29.1

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

News mentions

No linked articles in our index yet.

cvss	0.455
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000