VYPR
Low severity · NVD Advisory · Published Jun 12, 2023 · Updated Jan 3, 2025

CVE-2023-33290

Description

The git-url-parse crate through 0.4.4 for Rust allows Regular Expression Denial of Service (ReDoS) via a crafted URL to normalize_url in lib.rs, a similar issue to CVE-2023-32758 (Python).

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The git-url-parse crate for Rust (≤0.4.4) is vulnerable to ReDoS via a crafted URL in the normalize_url function.

Vulnerability

Overview

The git-url-parse crate for Rust, through version 0.4.4, contains a Regular Expression Denial of Service (ReDoS) vulnerability. This issue is triggered by a crafted URL passed to the normalize_url function in lib.rs, as noted in the official CVE description [1]. The flaw is similar to CVE-2023-32758 found in Python, indicating a pattern of regex inefficiency that can be exploited to cause excessive backtracking [1].

Exploitation

An attacker can exploit this vulnerability by providing a specially crafted URL string to any application or service that uses the git-url-parse crate to parse or normalize Git URLs. No authentication is required; the exploit can be delivered remotely (e.g., via an HTTP request or any input channel that supplies a URL to the parser). The normalize_url function uses a regex whose worst-case matching time grows much faster than linearly in the input length, so a crafted input forces the regex engine into excessive backtracking and consumes CPU [1][3].

Impact

Successful exploitation leads to a denial of service condition. The affected application may become unresponsive or crash due to CPU exhaustion, potentially impacting the availability of the entire service. This is a significant flaw for any Rust application that processes untrusted Git URLs, such as CI/CD pipelines, repository management tools, or version control integrations.

Mitigation

The vulnerability affects git-url-parse versions up to and including 0.4.4 [1]. Users should update to the latest patched version if available (the repository may have released a fix after the disclosure). As a workaround, applications can sanitize or limit the length/complexity of URLs before passing them to the parser. The CVE has been published and tracked, and developers are advised to monitor the crate's repository for a patched release [2].
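The length/complexity limit and a parse deadline that the Mitigation section suggests, as an added Rust example for callers that cannot upgrade yet; this is not code from git-url-parse or from this advisory, and the limits, the GuardError type and the closure standing in for the parser call are assumptions:

```rust
// Added example, not code from the git-url-parse crate or this advisory:
// an input guard plus a deadline wrapper for callers that cannot upgrade yet.
use std::sync::mpsc;
use std::thread;
use std::time::Duration;

/// Longest URL accepted before parsing (constructed limit; tune to your repos).
pub const MAX_URL_LEN: usize = 2048;
/// Longest run of one repeated punctuation character tolerated; long delimiter
/// runs are a typical shape for inputs that make a backtracking regex thrash.
pub const MAX_DELIM_RUN: usize = 8;

#[derive(Debug, PartialEq)]
pub enum GuardError { TooLong(usize), ControlChar, DelimiterRun(char, usize), Timeout }

/// Reject over-long input, control/whitespace characters and long runs of the
/// same delimiter before the string ever reaches normalize_url.
pub fn check_git_url_input(url: &str) -> Result<&str, GuardError> {
    if url.len() > MAX_URL_LEN {
        return Err(GuardError::TooLong(url.len()));
    }
    let (mut prev, mut run) = (None, 0usize); // run = repeats of prev so far
    for c in url.chars() {
        if c.is_control() || c.is_whitespace() {
            return Err(GuardError::ControlChar);
        }
        if c.is_ascii_punctuation() && prev == Some(c) {
            run += 1;
            if run >= MAX_DELIM_RUN {
                return Err(GuardError::DelimiterRun(c, run + 1));
            }
        } else {
            run = 0;
        }
        prev = Some(c);
    }
    Ok(url)
}

/// Run the parser call on a helper thread and give up after `deadline`. The
/// overrunning thread is not killed (pair this with a process-level CPU limit
/// in a service), but the request path stays responsive.
pub fn parse_with_deadline<T, F>(deadline: Duration, parse: F) -> Result<T, GuardError>
where T: Send + 'static, F: FnOnce() -> T + Send + 'static {
    let (tx, rx) = mpsc::channel();
    thread::spawn(move || { let _ = tx.send(parse()); }); // receiver may be gone
    rx.recv_timeout(deadline).map_err(|_| GuardError::Timeout)
}
```

In a real caller the closure passed to parse_with_deadline would wrap the git-url-parse call, after check_git_url_input has accepted the string.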

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                     Affected versions   Patched versions
git-url-parse (crates.io)   <= 0.4.4            none

Affected products: 3

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 5

News mentions: 0

No linked articles in our index yet.