CVE-2023-46402
Description
git-urls 1.0.0 allows ReDOS (Regular Expression Denial of Service) in urls.go.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
git-urls 1.0.0 contains a ReDoS vulnerability in its URL parsing regex, allowing denial of service via crafted long inputs.
Vulnerability Analysis
The git-urls package version 1.0.0 contains a Regular Expression Denial of Service (ReDoS) vulnerability in its urls.go file. The vulnerable regular expression on line 35 is used to parse SCP-style git URLs. Due to the regex's complexity, providing a crafted long string as the directory path can cause catastrophic backtracking, leading to excessive CPU consumption [1][2].
Exploitation
An attacker can exploit this vulnerability without authentication by sending a specially crafted URL to any service that uses the git-urls library to parse user-supplied git URLs. The proof of concept demonstrates that a payload of repeated "/" characters (e.g., 19 million repetitions) can cause a delay of approximately 7 seconds on a typical system [2]. The attack vector is remote, requiring only that the target application processes the attacker-controlled input through ParseScp or similar functions.
Impact
The primary impact is a denial of service condition. By sending a single malicious URL, an attacker can cause the targeted application to hang or become unresponsive for a significant duration. If multiple such requests are made, the service may become completely unavailable. The vulnerability does not lead to code execution or data leakage [1].
Mitigation
As of the publication date, the maintainer has not released a fix for this vulnerability [2][3]. Users are advised to apply input validation to limit the length of URL components before parsing, or to switch to an alternative, maintained git URL parsing library. The vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
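The length check recommended above, as an added Go example that is not code from the git-urls project or from the CVE references: it splits an SCP-style URL with plain string searches and refuses an oversized user, host or path component before any regex-based parser such as ParseScp is invoked. The caps, the ScpParts type and the CheckScpURL name are assumptions; the function is a guard to run ahead of the real parser, not a replacement for it.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Per-component caps enforced before the URL reaches a regex-based parser
// such as git-urls' ParseScp. Assumed values chosen for illustration.
const (
	maxUserLen = 64
	maxHostLen = 253 // longest legal DNS name
	maxPathLen = 1024
)

var ErrTooLong = errors.New("git url component exceeds length limit")

// ScpParts holds the pieces of an SCP-style URL ("user@host:path").
type ScpParts struct{ User, Host, Path string }

// CheckScpURL splits an SCP-style git URL with plain string searches (no
// regex) and rejects any component over its cap, so an oversized
// attacker-controlled path is refused in linear time before the
// vulnerable pattern is ever evaluated.
func CheckScpURL(raw string) (ScpParts, error) {
	// Cheap overall bound first: nothing below runs on a huge input.
	if len(raw) > maxUserLen+1+maxHostLen+1+maxPathLen {
		return ScpParts{}, ErrTooLong
	}
	var p ScpParts
	hostPart := raw
	if at := strings.IndexByte(raw, '@'); at >= 0 {
		p.User, hostPart = raw[:at], raw[at+1:]
	}
	colon := strings.IndexByte(hostPart, ':')
	if colon < 0 {
		return ScpParts{}, fmt.Errorf("not an scp-style url: missing ':'")
	}
	p.Host, p.Path = hostPart[:colon], hostPart[colon+1:]
	if len(p.User) > maxUserLen || len(p.Host) > maxHostLen || len(p.Path) > maxPathLen {
		return ScpParts{}, ErrTooLong
	}
	if p.Host == "" || p.Path == "" {
		return ScpParts{}, fmt.Errorf("not an scp-style url: empty host or path")
	}
	return p, nil
}
```

Call CheckScpURL on user-supplied input first and only hand inputs that pass to the library parser; the repeated-"/" payload described in the Exploitation section is rejected by the overall bound without any per-character work beyond a length lookup.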
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| github.com/whilp/git-urls (Go) | <= 1.0.1 | — |
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
News mentions
No linked articles in our index yet.