A dangerous Regular Expression Denial of Service (ReDoS) vulnerability was found in Ruby’s Time component, affecting apps from Ruby 2.x up to 3.2.1. This issue, tracked as CVE-2023-28756, happens when the Time parser gets tripped up by bad input—especially invalid URLs containing certain characters—causing your server to waste lots of CPU cycles. Below, I'll walk you through what the bug is, how it can be abused, and what you should do to fix it.

Reference:

- NVD Entry
- GitHub PR with the fix
- Ruby Advisory

What is ReDoS, and Why Should You Care?

Regular Expression Denial of Service (ReDoS) is an attack that abuses slow regex parsing. By sending a carefully crafted string, an attacker can force a regex engine to chew through the input for a long time, jamming the CPU and slowing your app. It doesn't require technical trickery—just a long silly string in the right place.

The Ruby Time Vulnerability Explained

Ruby’s Time.parse method tries to figure out time from all sorts of string inputs. But when it stumbles into strings that mix special characters (like those found in bad URLs), its internal regexes get confused, causing exponential growth in execution time!

Example of Bad String:  
A URL that has some strange percent escapes and random text can make the parser sweat.

Here’s a Code Snippet That Triggers the Problem

require 'time'

# Constructed proof-of-concept input: a valid-looking timestamp, then a percent
# sign followed by a long run of 'Z' and a host name.
str = "2023-04-05T12:34:56%ZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZZexample.com"
# On an affected version this call takes far longer than a normal parse.
puts Time.parse(str)

Try this on Ruby <= 3.2.1 or the Time gem <= 0.2.1 (if the Time gem is loaded).
You’ll notice the program hangs and devours your CPU for much longer than it should.

How Does the Exploit Work?

- The Time parser expects well-formed tokens. It tries to match ‘percent escapes’ (like %20) using a slow regex.
- An attacker sends a huge string stuffed with deliberate garbage, such as %ZZZZZZZZZZZZ....
- The regex engine backtracks over each ‘Z’, so every extra Z adds more work, causing a long delay.
- If the parser sits in a server route or background job, a wave of such requests can drag your app’s response down to a crawl.

How Severe Is CVE-2023-28756?

- Remote Exploit: Yes, if you accept times or timestamps from users (think APIs, forms, logs, etc.).
- Impact: No code execution or data theft, but complete DoS (Denial of Service) is very likely.
- Easy to Abuse: Anyone who can send data into your time parsing code can exploit it with just a POST or GET.

Run

require 'time'
puts Time.parse('2023-08-01T00:00:00%zzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzzattack.com')

How to Fix CVE-2023-28756 (Patch It!)

Ruby and the Time gem fixed this by tightening the regex and checking input more safely.  
Just upgrade!

Example Gemfile

gem "time", ">= .2.2"

Then run

bundle update time

- Limit input length for any untrusted time strings.
- Reject odd characters in date/time fields before parsing.

References & Further Reading

- National Vulnerability Database (NVD) CVE-2023-28756
- Ruby Advisory: ReDoS in Time
- github.com/ruby/time/pull/56 (security fix)

Final Thoughts

Don’t overlook seemingly boring bugs like ReDoS! CVE-2023-28756 can let anyone slam your Ruby apps into the ground using nothing but a weird time string. Good news: Fixing it is quick.  
Upgrade your Ruby or Time gem now, and stay safe.

Timeline

Published on: 03/31/2023 04:15:00 UTC
Last modified on: 04/30/2023 23:15:00 UTC