CVE-2023-33289: Withdrawn Advisory: urlnorm vulnerable to Regular Expression Denial of Service

June 21, 2023 (updated March 11, 2025)

Withdrawn Advisory

This advisory has been withdrawn because the security impact of the slow printing of URLs has been disputed. This link is maintained to preserve external references.

Original Description

The urlnorm crate through 0.1.4 for Rust allows Regular Expression Denial of Service (ReDos) via a crafted URL to lib.rs.

References

gist.github.com/6en6ar/b118888dc739e8979038f24c8ac33611
github.com/advisories/GHSA-fqhp-rhm6-8rrj
github.com/progscrape/urlnorm
lib.rs/crates/urlnorm
news.ycombinator.com/item?id=40435263
nvd.nist.gov/vuln/detail/CVE-2023-33289

Code Behaviors & Features

Detect and mitigate CVE-2023-33289 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →