Regular Expression Denial of Service in git-urls by 6en6ar
CVE-2023-46402

7.5HIGH

Key Information:

Vendor: Git-urls Project
Status: Git-urls
Vendor: CVE Published:; 18 November 2023

Summary

The git-urls package, version 1.0.0, is susceptible to a Regular Expression Denial of Service (ReDOS) attack. This vulnerability arises from poorly constructed regular expressions in urls.go, which can cause excessive backtracking and lead to performance degradation. Attackers can exploit this vulnerability to cause denial-of-service conditions, impairing the functionality of applications that depend on this library. It is crucial for developers using git-urls to update their libraries and adopt best practices in regex implementation to mitigate this risk.

References

https://gist.github.com/6en6ar/7c2424c93e7fbf2b6fc44e7fb9...

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

None

Integrity:

None

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Nov 18, 2023
Vulnerability Reserved
Oct 23, 2023