
CVE-2023-36617: n/a

Published: Thu Jun 29 2023 (06/29/2023, 00:00:00 UTC)
Source: CVE Database V5

Description

A ReDoS issue was discovered in the URI component before 0.12.2 for Ruby. The URI parser mishandles invalid URLs that have specific characters. There is an increase in execution time for parsing strings to URI objects with rfc2396_parser.rb and rfc3986_parser.rb. NOTE: this issue exists because of an incomplete fix for CVE-2023-28755. Version 0.10.3 is also a fixed version.

AI-Powered Analysis

AILast updated: 11/04/2025, 16:51:09 UTC

Technical Analysis

CVE-2023-36617 is a ReDoS vulnerability in the uri library (the URI component shipped with Ruby) before version 0.12.2. The vulnerability stems from the URI parser's handling of invalid URLs containing certain characters, which causes the regular expression engine to consume excessive CPU resources and significantly increases execution time during parsing. The flaw exists because the fix for a previous vulnerability, CVE-2023-28755, was incomplete. The affected files are rfc2396_parser.rb and rfc3986_parser.rb, which implement URI parsing according to RFC 2396 and RFC 3986. When crafted URLs are processed, the parser's regex patterns enter pathological backtracking states, producing denial of service through CPU exhaustion. Although no public exploits have been observed, the vulnerability poses a risk to any Ruby-based application or service that parses user-supplied URLs without input validation or patching. The issue affects versions prior to 0.12.2, with 0.10.3 also listed as a fixed version for that earlier release line. It is particularly relevant for web applications, APIs, and services that rely on Ruby's URI parsing for URL validation, routing, or processing.

Potential Impact

For European organizations, the primary impact of CVE-2023-36617 is the potential for denial of service attacks against Ruby-based applications and services that parse URLs. This can lead to service outages, degraded performance, and increased operational costs due to resource exhaustion. Industries relying heavily on Ruby, such as fintech, e-commerce, and web hosting providers, may experience disruptions affecting customer-facing services. Additionally, denial of service conditions can be exploited as part of multi-vector attacks, increasing the risk of broader operational impacts. While the vulnerability does not directly compromise confidentiality or integrity, the availability impact can affect business continuity and reputation. Organizations with automated URL processing or those exposing APIs that accept URLs as input are particularly at risk. The absence of known exploits reduces immediate risk but does not eliminate the threat, especially as proof-of-concept exploits could emerge.

Mitigation Recommendations

European organizations should immediately identify and inventory Ruby environments using the vulnerable URI component versions. Upgrading to Ruby URI component version 0.12.2 or 0.10.3 (whichever is applicable) is the most effective mitigation. Where immediate patching is not feasible, implement input validation and sanitization to reject malformed or suspicious URLs before parsing. Employ rate limiting and resource usage monitoring on services that parse URLs to detect and mitigate potential ReDoS attempts. Application-layer firewalls or web application firewalls (WAFs) can be configured to block or throttle requests containing suspicious URL patterns. Additionally, conduct code reviews and static analysis to identify other potential ReDoS vulnerabilities in regex usage. Maintain up-to-date threat intelligence to respond quickly if exploits emerge. Finally, incorporate this vulnerability into incident response plans to ensure rapid containment if exploitation occurs.
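As an added example (not the advisory's own code), the Ruby snippet below implements two of the recommendations above: a check of whether a uri gem version is at or above the fixed releases named in the advisory, and a guarded parse wrapper for the interim that rejects oversized or control-character input before it reaches the regex-based parser and bounds parse time with a coarse timeout. The version boundaries follow the advisory (0.12.2, with 0.10.3 as the fix on the 0.10 line); treating 0.11.x as unfixed is an inference from that wording, and the Timeout guard is only a stopgap until the library is upgraded.

```ruby
# Added example (not from the advisory): defensive checks for CVE-2023-36617.
require "uri"
require "timeout"

# Fixed releases named in the advisory: 0.12.2 and 0.10.3.
# Assumption: 0.10.3 covers only the 0.10.x line, so 0.11.x stays unfixed.
FIXED_MAINLINE = Gem::Version.new("0.12.2")
FIXED_BACKPORT = Gem::Version.new("0.10.3")
BACKPORT_LINE_END = Gem::Version.new("0.11.0")

# True when the given uri gem version is at or above a fixed release.
def uri_fixed?(version_string)
  v = Gem::Version.new(version_string)
  return true if v >= FIXED_MAINLINE
  v >= FIXED_BACKPORT && v < BACKPORT_LINE_END
end

# Version of the uri library loaded in this process (URI::VERSION is
# defined by the uri gem; "unknown" if it is absent).
def loaded_uri_version
  defined?(URI::VERSION) ? URI::VERSION : "unknown"
end

# Guarded parse for use where patching is not yet possible.
# Returns [:ok, uri], [:rejected, reason] or [:timeout, nil].
def guarded_parse(str, max_len: 2048, seconds: 0.5)
  # Cheap pre-checks run before any regex-based parsing.
  return [:rejected, :too_long] if str.bytesize > max_len
  return [:rejected, :control_chars] if str.match?(/[[:cntrl:]]/)
  # Coarse bound on parse time; a hit here is worth logging as a ReDoS signal.
  uri = Timeout.timeout(seconds) { URI.parse(str) }
  [:ok, uri]
rescue URI::InvalidURIError
  [:rejected, :invalid]
rescue Timeout::Error
  [:timeout, nil]
end

if __FILE__ == $PROGRAM_NAME
  puts "uri #{loaded_uri_version} fixed? #{uri_fixed?(loaded_uri_version)}"
  p guarded_parse("https://example.com/path?q=1")
end
```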


Technical Details

Data Version: 5.2
Assigner Short Name: mitre
Date Reserved: 2023-06-25T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 690a2dddf0ba78a050535ae9

Added to database: 11/4/2025, 4:46:21 PM

Last enriched: 11/4/2025, 4:51:09 PM

Last updated: 11/6/2025, 12:17:30 PM
