Addressable Regular Expression Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the Addressable library, affecting versions from 2.3.0 up to, but not including, 2.9.0. The issue lies in the URI template implementation, where certain templates are compiled into regular expressions that are susceptible to catastrophic backtracking. An attacker can exploit this by supplying a crafted URI that, when matched against such a regular expression, triggers excessive backtracking and resource consumption, resulting in a denial-of-service condition. The vulnerability is more easily exploitable on MRI Ruby versions prior to 3.2, and on all versions of JRuby and TruffleRuby.

Impact

Exploitation of this vulnerability leads to catastrophic backtracking in regular expression matching, causing uncontrolled resource consumption and a denial-of-service condition.

Remediation

Users should upgrade to Addressable version 2.9.0 or later. On MRI Ruby, also upgrade to version 3.2 or later, which includes a regular-expression memoization feature that prevents catastrophic backtracking for certain vulnerable URI template patterns. Applications running on JRuby or TruffleRuby may need additional steps, as these runtimes do not benefit from the same protection.
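As an added example (not code from the advisory or from the Addressable project), the following Ruby helper applies the version and runtime conditions stated above to an environment so that an audit script can flag affected deployments. The lockfile helper, its regular expression and the constructed Gemfile.lock excerpt are assumptions about the Gemfile.lock layout; the Ruby engine names are the values RUBY_ENGINE reports on MRI, JRuby and TruffleRuby.

```ruby
require "rubygems" # Gem::Version / Gem::Requirement (loaded by default on modern Ruby)

# Affected Addressable range from the advisory: 2.3.0 up to, but not including, 2.9.0.
AFFECTED_RANGE = Gem::Requirement.new(">= 2.3.0", "< 2.9.0")

# Classify an environment against the advisory's statements. Returns one of:
#   :not_affected        - Addressable outside the affected range
#   :affected            - affected gem on MRI < 3.2 (no runtime mitigation)
#   :affected_mitigated  - affected gem on MRI >= 3.2 (regex memoization helps
#                          for certain patterns; still upgrade the gem)
#   :affected_alt_runtime - affected gem on JRuby/TruffleRuby (no runtime mitigation)
def addressable_redos_status(addressable_version, ruby_engine: RUBY_ENGINE, ruby_version: RUBY_VERSION)
  gem_version = Gem::Version.new(addressable_version)
  return :not_affected unless AFFECTED_RANGE.satisfied_by?(gem_version)

  case ruby_engine
  when "ruby" # MRI
    Gem::Version.new(ruby_version) >= Gem::Version.new("3.2") ? :affected_mitigated : :affected
  when "jruby", "truffleruby"
    :affected_alt_runtime
  else
    :affected # unknown engine: assume no mitigation
  end
end

# Hypothetical helper: pull the pinned addressable version out of Gemfile.lock text.
# In a lockfile, resolved specs are indented by four spaces, e.g. "    addressable (2.8.1)".
def addressable_version_from_lockfile(lock_text)
  match = lock_text.match(/^ {4}addressable \(([^)]+)\)$/)
  match && match[1]
end

# Constructed Gemfile.lock excerpt used as sample input.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      addressable (2.8.1)
        public_suffix (>= 2.0.2, < 6.0)
      public_suffix (5.0.1)
LOCK

if __FILE__ == $PROGRAM_NAME
  version = addressable_version_from_lockfile(SAMPLE_LOCKFILE)
  puts "addressable #{version} on #{RUBY_ENGINE} #{RUBY_VERSION}: #{addressable_redos_status(version)}"
end
```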

Added: Apr 7, 2026, 6:02 PM
Updated: Apr 7, 2026, 6:02 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 2.5
exploitability: 7.4
remediation: 0.0
relevance: 5.4
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.