CVE-2023-22799
Denial of Service vulnerability in globalid (RubyGems)

Denial of Service | No known exploit

What is CVE-2023-22799 About?

This vulnerability is a Regular Expression Denial of Service (ReDoS) in the GlobalID gem's model name parsing. It allows carefully crafted input to consume excessive processing time, leading to a denial of service. The vulnerability is relatively easy to exploit, requiring only specific input to trigger the resource exhaustion.

Affected Software

globalid >=0.2.1, <1.0.1

Technical Details

The vulnerability resides in the model name parsing section of the GlobalID gem, specifically within its use of regular expressions. A specially crafted input string, designed to trigger worst-case scenario backtracking in the regular expression engine, can cause the parsing operation to take an unexpectedly long time. This prolonged processing of a single request can exhaust system resources, making the application unresponsive and leading to a denial of service.

What is the Impact of CVE-2023-22799?

Successful exploitation may allow attackers to degrade application performance, render services unavailable, or cause a complete shutdown of the affected system, disrupting legitimate user access and business operations.

What is the Exploitability of CVE-2023-22799?

Exploitation of this ReDoS vulnerability is of low complexity. It requires no authentication and no special privileges; an attacker simply needs to be able to submit specially crafted input to the application's model name parsing component. This is a remote vulnerability, as the attack can be launched by sending malicious data over the network. The presence of a vulnerable regular expression and its exposure to untrusted input are the key factors increasing exploitation likelihood.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2023-22799?

Available Upgrade Options

  • globalid
    • >=0.2.1, <1.0.1 → Upgrade to 1.0.1
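As an added example (not part of this advisory or of the globalid project), a small Ruby check that reads a Gemfile.lock, finds the pinned globalid release and flags it when it falls inside the affected range named above; the lock file contents are constructed for the demonstration.

```ruby
# Added example: audit a Gemfile.lock for the globalid range this advisory
# lists (>=0.2.1, <1.0.1; fixed in 1.0.1) using RubyGems' own version
# and requirement classes. The sample lock file below is constructed.
require "rubygems"

AFFECTED_RANGE = Gem::Requirement.new(">= 0.2.1", "< 1.0.1")
FIXED_VERSION  = Gem::Version.new("1.0.1")

# Return the pinned version of `gem_name` from Gemfile.lock text, or nil.
# Resolved gems appear under "specs:" as "    name (version)" (4 spaces);
# their dependencies are indented further and are deliberately skipped.
def locked_version(lockfile_text, gem_name)
  lockfile_text.each_line do |line|
    m = line.match(/\A {4}#{Regexp.escape(gem_name)} \(([^)\s]+)\)\s*\z/)
    return Gem::Version.new(m[1]) if m
  end
  nil
end

# Classify the lock file as :not_present, :affected or :not_affected.
def assess_globalid(lockfile_text)
  version = locked_version(lockfile_text, "globalid")
  return :not_present if version.nil?
  AFFECTED_RANGE.satisfied_by?(version) ? :affected : :not_affected
end

# Constructed Gemfile.lock fragment pinning a release inside the range.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      activesupport (7.0.4)
      globalid (1.0.0)
        activesupport (>= 5.0)
LOCK

if __FILE__ == $PROGRAM_NAME
  status = assess_globalid(SAMPLE_LOCK)
  puts "globalid: #{status}; upgrade to #{FIXED_VERSION}" if status == :affected
end
```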


Additional Resources

What are Similar Vulnerabilities to CVE-2023-22799?

Similar Vulnerabilities: CVE-2024-25126, CVE-2025-61921, CVE-2020-8186, CVE-2020-5267, CVE-2023-0309