CVE-2023-31606 (RedCloth): RedCloth Regular Expression Denial of Service issue

ADVISORIES

CVE-2023-31606 (NVD)
GHSA-qcm3-vfq5-wfr2
Vendor Advisory

GEM

RedCloth

SEVERITY

CVSS v3.x: 7.5 (High)

UNAFFECTED VERSIONS

< 4.0.0

PATCHED VERSIONS

>= 4.3.3

DESCRIPTION

A Regular Expression Denial of Service (ReDoS) issue was discovered in the "sanitize_html" function of RedCloth gem >= v4.0.0. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

https://nvd.nist.gov/vuln/detail/CVE-2023-31606
https://github.com/e23e/CVE-2023-31606#readme
https://github.com/jgarber/redcloth/issues/73
https://github.com/jgarber/redcloth/blob/v4.3.2/lib/redcloth/formatters/html.rb#L327
https://github.com/advisories/GHSA-qcm3-vfq5-wfr2
https://github.com/jgarber/redcloth/pull/75
https://github.com/jgarber/redcloth/blob/v4.3.3/lib/redcloth/formatters/html.rb#L327

RubySec