Vulnerability details: VCID-ajtx-8w3u-rkae
Vulnerability ID VCID-ajtx-8w3u-rkae
Aliases CVE-2023-36617
GHSA-hww2-5g85-429m
Summary: URI gem has ReDoS vulnerability

A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with `rfc2396_parser.rb` and `rfc3986_parser.rb`. NOTE: this issue exists because of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version.

[The Ruby advisory recommends](https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617/) updating the uri gem to 0.12.2. In order to ensure compatibility with the bundled version in older Ruby series, you may update as follows instead:
- For Ruby 3.0: Update to uri 0.10.3
- For Ruby 3.1 and 3.2: Update to uri 0.12.2

You can use `gem update uri` to update it. If you are using bundler, please add `gem "uri", ">= 0.12.2"` (or the other version mentioned above) to your Gemfile.
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (4)
System Score Found at
cvssv3 5.3 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-36617.json
epss 0.00906 https://api.first.org/data/v1/epss?cve=CVE-2023-36617
epss 0.00983 https://api.first.org/data/v1/epss?cve=CVE-2023-36617
cvssv3.1 7.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-hww2-5g85-429m
cvssv3.1 5.3 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2023-36617.yml
generic_textual MODERATE https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2023-36617.yml
cvssv3.1 5.3 https://github.com/ruby/uri
generic_textual MODERATE https://github.com/ruby/uri
cvssv3.1 5.3 https://github.com/ruby/uri/commit/05b1e7d026b886e65a60ee35625229da9ec220bb
generic_textual MODERATE https://github.com/ruby/uri/commit/05b1e7d026b886e65a60ee35625229da9ec220bb
cvssv3.1 5.3 https://github.com/ruby/uri/commit/38bf797c488bcb4a37fb322bfa84977981863ec6
generic_textual MODERATE https://github.com/ruby/uri/commit/38bf797c488bcb4a37fb322bfa84977981863ec6
cvssv3.1 5.3 https://github.com/ruby/uri/commit/3cd938df20db26c9439e9f681aadfb9bbeb6d1c0
generic_textual MODERATE https://github.com/ruby/uri/commit/3cd938df20db26c9439e9f681aadfb9bbeb6d1c0
cvssv3.1 5.3 https://github.com/ruby/uri/commit/4d02315181d8a485496f1bb107a6ab51d6f3a35f
generic_textual MODERATE https://github.com/ruby/uri/commit/4d02315181d8a485496f1bb107a6ab51d6f3a35f
cvssv3.1 5.3 https://github.com/ruby/uri/commit/70794abc162bb15bb934713b5669713d6700d35c
generic_textual MODERATE https://github.com/ruby/uri/commit/70794abc162bb15bb934713b5669713d6700d35c
cvssv3.1 5.3 https://github.com/ruby/uri/commit/7e33934c91b7f8f3ea7b7a4258b468e19f636bc3
generic_textual MODERATE https://github.com/ruby/uri/commit/7e33934c91b7f8f3ea7b7a4258b468e19f636bc3
cvssv3.1 5.3 https://github.com/ruby/uri/commit/9a8e0cc03da964054c2a4ea26b59c53c3bae4921
generic_textual MODERATE https://github.com/ruby/uri/commit/9a8e0cc03da964054c2a4ea26b59c53c3bae4921
cvssv3.1 5.3 https://github.com/ruby/uri/commit/ba36c8a3ecad8c16dd3e60a6da9abd768206c8fa
generic_textual MODERATE https://github.com/ruby/uri/commit/ba36c8a3ecad8c16dd3e60a6da9abd768206c8fa
cvssv3.1 5.3 https://lists.debian.org/debian-lts-announce/2024/09/msg00000.html
generic_textual MODERATE https://lists.debian.org/debian-lts-announce/2024/09/msg00000.html
cvssv3.1 5.3 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF
generic_textual MODERATE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF
cvssv3.1 5.3 https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QA6XUKUY7B5OLNQBLHOT43UW7C5NIOQQ
generic_textual MODERATE https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QA6XUKUY7B5OLNQBLHOT43UW7C5NIOQQ
cvssv3.1 5.3 https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF
generic_textual MODERATE https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF
cvssv3.1 5.3 https://nvd.nist.gov/vuln/detail/CVE-2023-36617
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2023-36617
cvssv3.1 5.3 https://security.netapp.com/advisory/ntap-20230725-0002
generic_textual MODERATE https://security.netapp.com/advisory/ntap-20230725-0002
cvssv3 5.3 https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617
cvssv3.1 5.3 https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617
generic_textual MODERATE https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-36617.json
https://api.first.org/data/v1/epss?cve=CVE-2023-36617
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-36617
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/ruby/uri
https://github.com/ruby/uri/commit/05b1e7d026b886e65a60ee35625229da9ec220bb
https://github.com/ruby/uri/commit/38bf797c488bcb4a37fb322bfa84977981863ec6
https://github.com/ruby/uri/commit/3cd938df20db26c9439e9f681aadfb9bbeb6d1c0
https://github.com/ruby/uri/commit/4d02315181d8a485496f1bb107a6ab51d6f3a35f
https://github.com/ruby/uri/commit/70794abc162bb15bb934713b5669713d6700d35c
https://github.com/ruby/uri/commit/7e33934c91b7f8f3ea7b7a4258b468e19f636bc3
https://github.com/ruby/uri/commit/9a8e0cc03da964054c2a4ea26b59c53c3bae4921
https://github.com/ruby/uri/commit/ba36c8a3ecad8c16dd3e60a6da9abd768206c8fa
https://lists.debian.org/debian-lts-announce/2024/09/msg00000.html
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF
https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QA6XUKUY7B5OLNQBLHOT43UW7C5NIOQQ
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF
https://security.netapp.com/advisory/ntap-20230725-0002
https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617
2218614 https://bugzilla.redhat.com/show_bug.cgi?id=2218614
CVE-2023-36617 https://nvd.nist.gov/vuln/detail/CVE-2023-36617
CVE-2023-36617.YML https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2023-36617.yml
GHSA-hww2-5g85-429m https://github.com/advisories/GHSA-hww2-5g85-429m
RHSA-2024:1431 https://access.redhat.com/errata/RHSA-2024:1431
RHSA-2024:1576 https://access.redhat.com/errata/RHSA-2024:1576
RHSA-2024:4499 https://access.redhat.com/errata/RHSA-2024:4499
USN-6219-1 https://usn.ubuntu.com/6219-1/
USN-7747-1 https://usn.ubuntu.com/7747-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-36617.json
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2023-36617.yml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/ruby/uri
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/ruby/uri/commit/05b1e7d026b886e65a60ee35625229da9ec220bb
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/ruby/uri/commit/38bf797c488bcb4a37fb322bfa84977981863ec6
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/ruby/uri/commit/3cd938df20db26c9439e9f681aadfb9bbeb6d1c0
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/ruby/uri/commit/4d02315181d8a485496f1bb107a6ab51d6f3a35f
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/ruby/uri/commit/70794abc162bb15bb934713b5669713d6700d35c
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/ruby/uri/commit/7e33934c91b7f8f3ea7b7a4258b468e19f636bc3
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/ruby/uri/commit/9a8e0cc03da964054c2a4ea26b59c53c3bae4921
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/ruby/uri/commit/ba36c8a3ecad8c16dd3e60a6da9abd768206c8fa
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://lists.debian.org/debian-lts-announce/2024/09/msg00000.html
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/QA6XUKUY7B5OLNQBLHOT43UW7C5NIOQQ
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/27LUWREIFTP3MQAW7QE4PJM4DPAQJWXF
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://nvd.nist.gov/vuln/detail/CVE-2023-36617
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://security.netapp.com/advisory/ntap-20230725-0002
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://www.ruby-lang.org/en/news/2023/06/29/redos-in-uri-CVE-2023-36617
Exploit Prediction Scoring System (EPSS)
Percentile 0.75767
EPSS Score 0.00906
Published At April 21, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:51:28.996137+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/uri/CVE-2023-36617.yml 38.0.0