ReDoS Vulnerability in URI Gem - Patched Version Released
The uri gem has released a security fix for a ReDoS vulnerability, identified as CVE-2023-36617. The vulnerability affects the URI component for Ruby through version 0.12.1. The issue arises because the URI parser mishandles invalid URLs that contain specific characters, so parsing such strings into URI objects takes disproportionately long.
To address this vulnerability, the uri gem has released version 0.12.2, which includes the necessary security fix. It is highly recommended for developers to update to this patched version to ensure the security of their applications.
For compatibility with older Ruby series, the following update can be made:
- For Ruby 3.1 and 3.2: Update to uri 0.12.2
To update the gem, developers can run `gem update uri`. If using Bundler, add `gem "uri", ">= 0.12.2"` (or the specified version) to the Gemfile.
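As an added defender-side check (example code, not part of the advisory), the following Ruby script compares a uri version against the fixed 0.12.2 named above, both for a pinned `uri (x.y.z)` entry in a Gemfile.lock and for the uri library the running interpreter loads (relevant on Ruby 3.1/3.2, where uri ships as a default gem). The sample lockfile is constructed, and the parser assumes Bundler's standard lockfile layout.

```ruby
require "rubygems" # provides Gem::Version for correct semantic comparison
require "uri"

# Fixed version per the CVE-2023-36617 advisory: uri 0.12.2
FIXED_URI_VERSION = Gem::Version.new("0.12.2")

# Returns true if the given uri version string is still affected (< 0.12.2).
def uri_version_vulnerable?(version)
  Gem::Version.new(version) < FIXED_URI_VERSION
end

# Extracts the pinned uri gem version from Gemfile.lock text, or nil when the
# lockfile does not pin uri (e.g. the app relies on Ruby's default gem).
# Assumes Bundler's layout: "GEM" / "  specs:" / four-space-indented gem entries.
def locked_uri_version(lockfile_text)
  in_specs = false
  lockfile_text.each_line do |line|
    stripped = line.rstrip
    in_specs = true if stripped == "  specs:"
    next unless in_specs
    # Top-level gem entries in the specs block are indented by exactly four spaces.
    if (m = stripped.match(/\A    uri \(([^)]+)\)\z/))
      return m[1]
    end
    in_specs = false if stripped.empty? # a blank line ends the GEM section
  end
  nil
end

# Checks the uri library actually loaded by this interpreter.
def runtime_uri_vulnerable?
  uri_version_vulnerable?(URI::VERSION)
end

# Constructed sample lockfile (not from the advisory) pinning a vulnerable uri.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (3.0.8)
      uri (0.12.1)

  PLATFORMS
    ruby
LOCK

if __FILE__ == $0
  v = locked_uri_version(SAMPLE_LOCKFILE)
  puts v ? "Gemfile.lock pins uri #{v}: #{uri_version_vulnerable?(v) ? 'VULNERABLE, update to >= 0.12.2' : 'ok'}" : "Gemfile.lock does not pin uri; check the default gem shipped with Ruby"
  puts "Running interpreter loads uri #{URI::VERSION}: #{runtime_uri_vulnerable? ? 'VULNERABLE' : 'ok'}"
end
```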
Stay up to date with the latest security advisories and patches by visiting RubySec, a valuable resource for the Ruby community.