GHSA-mhwm-jh88-3gjf
Suggest an improvement- Source
- https://github.com/advisories/GHSA-mhwm-jh88-3gjf
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-mhwm-jh88-3gjf/GHSA-mhwm-jh88-3gjf.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-mhwm-jh88-3gjf
- Aliases
- Related
- Published
- 2025-03-03T22:05:08Z
- Modified
- 2025-03-04T16:59:33.219250Z
- Severity
-
- 4.0 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L CVSS Calculator
- 6.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- CGI has Regular Expression Denial of Service (ReDoS) potential in Util#escapeElement
- Details
-
There is a possibility for Regular expression Denial of Service (ReDoS) by in the cgi gem. This vulnerability has been assigned the CVE identifier CVE-2025-27220. We recommend upgrading the cgi gem.
Details
The regular expression used in
CGI::Util#escapeElementis vulnerable to ReDoS. The crafted input could lead to a high CPU consumption.This vulnerability only affects Ruby 3.1 and 3.2. If you are using these versions, please update CGI gem to version 0.3.5.1, 0.3.7, 0.4.2 or later.
Affected versions
cgi gem versions <= 0.3.5, 0.3.6, 0.4.0 and 0.4.1.
Credits
Thanks to svalkanov for discovering this issue. Also thanks to nobu for fixing this vulnerability.
- Database specific
{ "nvd_published_at": "2025-03-04T00:15:31Z", "cwe_ids": [ "CWE-1333" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2025-03-03T22:05:08Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2025-27220
- https://github.com/ruby/cgi/pull/52
- https://github.com/ruby/cgi/pull/53
- https://github.com/ruby/cgi/pull/54
- https://hackerone.com/reports/2890322
- https://github.com/ruby/cgi
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27220.yml
- https://www.cve.org/CVERecord?id=CVE-2025-27220
- https://www.ruby-lang.org/en/news/2025/02/26/security-advisories