PT-2023-21859 · Unknown · Lambdaisland/Uri

Luigigubello · Published 2023-03-27 · Updated 2026-04-06 · CVE-2023-28628

CVSS v3.1: 6.1 Medium
Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: lambdaisland/uri versions prior to 1.14.120

Description: The issue allows an attacker to send malicious URLs to be parsed by the lambdaisland/uri library, returning the wrong authority. This occurs because the authority-regex does not handle the backslash (`\`) character in the username correctly, leading to incorrect output. For example, a payload of https://example.com\@google.com would return google.com as the host, when the correct host should be example.com. This may be abused to bypass host restrictions depending on how the library is used in an application.

Recommendations: For versions prior to 1.14.120, users are advised to upgrade to version 1.14.120 or later to resolve the issue. At the moment, there is no information about other workarounds for this vulnerability.
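The host-restriction bypass above comes down to a parser differential: an RFC 3986 style parser keeps a backslash inside the userinfo, while a browser-style (WHATWG) parser treats it as the end of the authority, so the same URL yields two different hosts. The following is an added Python example, not code from lambdaisland/uri, that makes that difference visible with Python's own urllib parser on one side and a deliberately simplified browser-style authority scan on the other, and shows the kind of check a consuming application can apply on its side: refuse any URL whose host depends on which parser reads it, then apply the allow list. The function names (`rfc3986_host`, `browser_host`, `vetted_host`) and the simplified authority model are assumptions of this example; IPv6 host literals are out of its scope.

```python
from __future__ import annotations

from urllib.parse import urlsplit

# Added example, not code from the lambdaisland/uri project.
# Browser-style parsers end the authority of an http(s) URL at any of these
# characters; RFC 3986 style parsers (urllib among them) stop only at / ? #,
# so a backslash stays inside the userinfo. The advisory's payload parses to
# a different host under each model.
BROWSER_AUTHORITY_END = "/\\?#"


def rfc3986_host(url: str) -> str:
    """Host as urllib.parse reports it (RFC 3986 style: authority runs to the first / ? #)."""
    return (urlsplit(url).hostname or "").lower()


def _browser_authority(url: str) -> str:
    """Simplified browser-style scan: text between '://' and the first / \\ ? # character."""
    sep = url.find("://")
    if sep == -1:
        return ""
    start = sep + 3
    for i in range(start, len(url)):
        if url[i] in BROWSER_AUTHORITY_END:
            return url[start:i]
    return url[start:]


def browser_host(url: str) -> str:
    """Host under the browser-style model: drop userinfo (up to the last '@') and any ':port'."""
    host_port = _browser_authority(url).rpartition("@")[2]
    return host_port.split(":", 1)[0].lower()


def vetted_host(url: str, allowed_hosts: set[str]) -> str | None:
    """Return the host only when both parsing models agree on it and it is allow-listed.

    Hypothetical helper for the consuming application: a URL whose host
    differs between parsers is rejected outright, which removes the
    ambiguity the advisory describes instead of trusting one parser's view.
    """
    candidates = {rfc3986_host(url), browser_host(url)}
    if len(candidates) != 1:
        return None  # ambiguous authority: different parsers disagree on the host
    host = candidates.pop()
    return host if host in allowed_hosts else None


if __name__ == "__main__":
    # Constructed sample inputs; the first is the advisory's own payload.
    allowed = {"example.com"}
    for sample in [
        "https://example.com\\@google.com",    # advisory payload: hosts disagree
        "https://user@example.com:8443/path",  # ordinary userinfo and port
        "https://google.com/",                 # unambiguous, but not allow-listed
    ]:
        print(f"{sample!r:42} rfc3986={rfc3986_host(sample)!r:14} "
              f"browser={browser_host(sample)!r:14} vetted={vetted_host(sample, allowed)!r}")
```

Running the block prints one line per sample; for the advisory payload the two columns disagree (google.com versus example.com) and `vetted_host` returns None, while the ordinary userinfo URL passes as example.com. The same agreement check can be applied in any language once the application knows which parser conventions its callers and downstream clients follow.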

Exploit

Fix

Open Redirect

Weakness Enumeration

Related Identifiers

CVE-2023-28628
GHSA-CP4W-6X4W-V2H5
USN-8151-1

Affected Products

Lambdaisland/Uri