CVE-2023-46402
Denial of Service vulnerability in git-urls (Go)


What is CVE-2023-46402 About?

The git-urls Go package, version 1.0.1, is vulnerable to Regular Expression Denial of Service (ReDoS). An attacker who can supply input to the package can cause the application to become unresponsive, leading to a denial of service. Exploitation is typically easy: the attacker only needs to provide specially crafted input.

Affected Software

github.com/whilp/git-urls <=1.0.1

Technical Details

The vulnerability exists in the git-urls Go package (version 1.0.1) due to an inefficiently constructed regular expression. When processing certain malformed or complex input strings, the regex engine can enter a state of 'catastrophic backtracking,' where the time taken to evaluate the expression grows exponentially with the input string length. An attacker can craft a specific input string that, when processed by the vulnerable regular expression within the git-urls package, consumes excessive CPU resources and time, causing the application using the package to hang or crash, resulting in a Denial of Service (DoS).

What is the Impact of CVE-2023-46402?

Successful exploitation may allow attackers to cause the affected service or application to become unresponsive or crash, leading to a denial of service and disrupting its availability.

What is the Exploitability of CVE-2023-46402?

Exploitation of this vulnerability is generally of low complexity. An attacker needs to provide a specially crafted input string that will be processed by the vulnerable regular expression. No authentication or elevated privileges are typically required, as the vulnerability resides in the input processing logic. Exploitation can be remote, if untrusted input reaches the package through a network service, or local, if the input comes from a local file or process. The primary risk factor is the public exposure of any service that processes external input using the vulnerable git-urls package.

What are the Known Public Exploits?

No known public exploits are listed (PoC, author, link, commentary: none).

What are the Available Fixes for CVE-2023-46402?

A Fix by Resolved Security Exists!

About the Fix from Resolved Security

The patch limits the length of incoming SCP-like URLs to 1000 characters and rejects any longer input before executing the regular expression. This prevents attackers from exploiting a regular expression denial of service (ReDoS) vulnerability (CVE-2023-46402) by submitting extremely long malicious input that would otherwise cause excessive CPU usage during regex processing. The patch also refines the regex for allowed username characters, but the core fix is the input length check, which neutralizes the DoS vector.
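The shape of that fix, as an added example rather than the git-urls or Resolved Security code: the unbounded parser is wrapped by a function that rejects any input longer than 1000 characters before the regular expression runs. The SCP-like URL pattern, the narrow username character class, the `ParseSCPLike`/`parseUnbounded` names and the sample inputs are all constructed for this illustration and are not taken from the package. Bounding the input length bounds the work any single regex call can do, which is the property the length check relies on.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// MaxSCPURLLen is the input cap described in the advisory: the fix rejects
// SCP-like URLs longer than 1000 characters before the regex ever runs.
const MaxSCPURLLen = 1000

var (
	ErrInputTooLong = errors.New("scp-like url longer than MaxSCPURLLen characters")
	ErrNotSCPLike   = errors.New("input is not an scp-like url")
)

// scpLikeRe is a hypothetical SCP-like URL pattern written for this example;
// it is NOT the regex from git-urls. The user group is deliberately narrow
// (letters, digits, '.', '_', '-'), in the spirit of the username-character
// tightening the advisory mentions.
var scpLikeRe = regexp.MustCompile(
	`^(?:(?P<user>[A-Za-z0-9._-]+)@)?(?P<host>[A-Za-z0-9.-]+):(?P<path>\S+)$`)

// SCPURL holds the parsed components of an SCP-like URL such as
// git@example.com:org/repo.git.
type SCPURL struct {
	User string
	Host string
	Path string
}

// parseUnbounded is the "before" shape: it runs the regex on input of any
// length. Only the caller decides how much text reaches it.
func parseUnbounded(s string) (SCPURL, error) {
	// Anything with a scheme separator is an ordinary URL, not SCP-like.
	if strings.Contains(s, "://") {
		return SCPURL{}, ErrNotSCPLike
	}
	m := scpLikeRe.FindStringSubmatch(s)
	if m == nil {
		return SCPURL{}, ErrNotSCPLike
	}
	return SCPURL{User: m[1], Host: m[2], Path: m[3]}, nil
}

// ParseSCPLike is the "after" shape: the length check runs first, so
// oversized input is refused without the regex engine ever seeing it.
func ParseSCPLike(s string) (SCPURL, error) {
	if len(s) > MaxSCPURLLen {
		return SCPURL{}, ErrInputTooLong
	}
	return parseUnbounded(s)
}

func main() {
	// Constructed sample inputs: one ordinary SCP-like URL, one oversized string.
	for _, in := range []string{
		"git@github.com:whilp/git-urls.git",
		strings.Repeat("a", MaxSCPURLLen+1),
	} {
		u, err := ParseSCPLike(in)
		if err != nil {
			fmt.Printf("rejected (%d chars): %v\n", len(in), err)
			continue
		}
		fmt.Printf("user=%q host=%q path=%q\n", u.User, u.Host, u.Path)
	}
}
```

The check is intentionally placed in front of the parser rather than inside the regex: it keeps the accepted grammar unchanged for every input that fits in 1000 characters and turns the cost of any single call into a known upper bound.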

Available Upgrade Options

  • No fixes available


Additional Resources

What are Similar Vulnerabilities to CVE-2023-46402?

Similar Vulnerabilities: CVE-2023-28155, CVE-2023-38035, CVE-2022-24990, CVE-2022-24434, CVE-2021-42771