Sporkmonger

Name of the Vulnerable Software and Affected Versions Addressable versions 2.3.0 through 2.8.9 Description Addressable, an alternative URI implementation for Ruby, contains a flaw in its URI template implementation. Templates utilizing the '*' (explode) modifier with any expansion operator (e.g., {foo*}, {+var*}, {#var*}, {/var*}, {.var*}, {;var*}, {?var*}, {&var*}) generate regular expressions susceptible to catastrophic backtracking when matched against crafted URIs. Similarly, templates with multiple variables using the '+' or '#' operators (e.g., {+v1,v2,v3}) can also lead to catastrophic backtracking due to the comma separator within the matched character class. This can result in uncontrolled resource consumption and denial of service. Recommendations Update to version 2.9.0 or later.

**Name of the Vulnerable Software and Affected Versions** Addressable versions 2.3.0 through 2.7.0 **Description** The issue is related to an uncontrolled resource consumption vulnerability in the Addressable library, which is an alternative implementation to the URI implementation in Ruby's standard library. This vulnerability can be exploited by a maliciously crafted template, leading to denial of service when matched against a URI. Typically, templates would not be read from untrusted user input, but previous security advisories have not cautioned against this practice. Users of the parsing capabilities in Addressable, but not the URI template capabilities, are unaffected. **Recommendations** For Addressable versions 2.3.0 through 2.7.0, update to version 2.8.0 to resolve the issue. As a temporary workaround, only create Template objects from trusted sources that have been validated not to produce catastrophic backtracking.