RubySec

Providing security resources for the Ruby community

CVE-2021-41817 (date): Regular Expression Denial of Service Vulnerability of Date Parsing Methods

ADVISORIES

GEM

date

SEVERITY

CVSS v3.x: 7.5 (High)

PATCHED VERSIONS

  • ~> 2.0.1
  • ~> 3.0.2
  • ~> 3.1.2
  • >= 3.2.1

DESCRIPTION

Date's parsing methods including Date.parse are using Regexps internally, some of which are vulnerable against regular expression denial of service. Applications and libraries that apply such methods to untrusted input may be affected.

The fix limits the input length up to 128 bytes by default instead of changing the regexps. This is because Date gem uses many Regexps and it is possible that there are still undiscovered vulnerable Regexps. For compatibility, it is allowed to remove the limitation by explicitly passing limit keywords as nil like Date.parse(str, limit: nil), but note that it may take a long time to parse.

Please update the date gem to version 3.2.1, 3.1.2, 3.0.2, and 2.0.1, or later. You can use gem update date to update it. If you are using bundler, please add gem "date", ">= 3.2.1" to your Gemfile.