Skip to content

git-url-parse crate vulnerable to Regular Expression Denial of Service

Low severity GitHub Reviewed Published Jun 12, 2023 to the GitHub Advisory Database • Updated Nov 9, 2023

Package

cargo git-url-parse (Rust)

Affected versions

<= 0.4.4

Patched versions

None

Description

The git-url-parse crate through 0.4.4 for Rust allows Regular Expression Denial of Service (ReDos) via a crafted URL to normalize_url in lib.rs, a similar issue to CVE-2023-32758 (Python).

References

Published by the National Vulnerability Database Jun 12, 2023
Published to the GitHub Advisory Database Jun 12, 2023
Reviewed Jun 12, 2023
Last updated Nov 9, 2023

Severity

Low

EPSS score

Exploit Prediction Scoring System (EPSS)

This score estimates the probability of this vulnerability being exploited within the next 30 days. Data provided by FIRST.
(20th percentile)

Weaknesses

Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. Learn more on MITRE.

CVE ID

CVE-2023-33290

GHSA ID

GHSA-qfh9-8p57-mjjj

Source code

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.