CVE-2023-28628
📋 TL;DR
This vulnerability in the lambdaisland/uri library allows attackers to craft malicious URLs that cause incorrect authority parsing, potentially bypassing host-based security controls. Applications using affected versions of this Clojure/ClojureScript URI library for URL validation or access control are at risk. The issue stems from improper handling of backslash characters in usernames within the authority regex.
💻 Affected Systems
- lambdaisland/uri library
📦 What is this software?
Uri by Lambdaisland
⚠️ Risk & Real-World Impact
Worst Case
Attackers bypass authentication/authorization controls, access restricted systems, or redirect users to malicious sites by exploiting incorrect host parsing in security-critical applications.
Likely Case
Bypass of URL validation or host-based access controls in applications that rely on this library for parsing user-supplied URLs.
If Mitigated
Limited impact if applications implement additional validation layers, network segmentation, or don't use the library for security-critical functions.
🎯 Exploit Status
Exploitation requires the application to parse attacker-controlled URLs. The vulnerability is simple to trigger with crafted URLs containing backslashes in usernames.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.14.120
Vendor Advisory: https://github.com/lambdaisland/uri/security/advisories/GHSA-cp4w-6x4w-v2h5
Restart Required: Yes
Instructions:
1. Update project.clj or deps.edn to use lambdaisland/uri version 1.14.120 or later.
2. Run the dependency update command (lein deps or clj -X:deps prep).
3. Restart the application.
4. Test URL parsing functionality.
🔧 Temporary Workarounds
Input validation filter
Implement custom validation to reject URLs with backslashes in usernames before passing them to the library.
;; Clojure example: #"\\" matches one literal backslash (the original #"\\\\" only matched two backslashes in a row); returns the username if it is clean
(defn check-username! [username] (when (re-find #"\\" username) (throw (ex-info "Invalid username" {:username username}))) username)
🧯 If You Can't Patch
- Implement strict input validation to reject URLs with backslash characters in usernames
- Add secondary host validation layer independent of the lambdaisland/uri library
🔍 How to Verify
Check if Vulnerable:
Check project dependencies for lambdaisland/uri version < 1.14.120. Test with the URL https://example.com\\@google.com: if the parsed host is google.com instead of example.com, the library is vulnerable.
Check Version:
clj -Stree | grep lambdaisland/uri or check project.clj/deps.edn
Verify Fix Applied:
After updating, test with the same URL; the host should now parse as example.com. Verify that the dependency version is >= 1.14.120.
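The verification check above and the backslash-rejection workaround, as an added JavaScript example that is not part of this advisory or of the lambdaisland/uri project: it contrasts a simplified authority regex that lets a backslash through (a model of the flawed behaviour, not the library's actual regex) with the WHATWG URL parser that browsers and Node use, and wraps both in an independent host check. The function names and the allowed-host list are assumptions for illustration.

```javascript
// Added example, not the library's code. naiveHost() models an authority regex that
// accepts "\" in the userinfo: everything between "scheme://" and the first "/", "?"
// or "#" is the authority, and the host is whatever follows the last "@".
const AUTHORITY_RE = /^[A-Za-z][A-Za-z0-9+.-]*:\/\/([^\/?#]*)/;

function naiveHost(url) {
  const m = AUTHORITY_RE.exec(url);
  if (!m) return null;
  const authority = m[1];
  const at = authority.lastIndexOf('@');
  const hostport = at === -1 ? authority : authority.slice(at + 1);
  return hostport.split(':')[0].toLowerCase();
}

// WHATWG parsing (what browsers do): for special schemes such as https a "\" ends
// the authority exactly like "/", so "example.com\@google.com" yields host example.com
// and path "/@google.com".
function whatwgHost(url) {
  try {
    return new URL(url).hostname;
  } catch (e) {
    return null; // unparseable input is never a valid host
  }
}

// The advisory's workaround: refuse any URL whose authority contains a backslash
// before it reaches a parser that might misinterpret it.
function authorityHasBackslash(url) {
  const m = AUTHORITY_RE.exec(url);
  return m !== null && m[1].includes('\\');
}

// Independent host validation layer (assumed allow-list API): reject backslashes
// outright, then require the two parsers to agree before trusting the host.
function validateHost(url, allowedHosts) {
  if (authorityHasBackslash(url)) return { ok: false, reason: 'backslash in authority' };
  const naive = naiveHost(url);
  const whatwg = whatwgHost(url);
  if (naive === null || whatwg === null) return { ok: false, reason: 'unparseable' };
  if (naive !== whatwg) return { ok: false, reason: `parser disagreement: ${naive} vs ${whatwg}` };
  return { ok: allowedHosts.includes(whatwg), reason: null, host: whatwg };
}

// Test URL from the advisory (one literal backslash in the JS string).
const TEST_URL = 'https://example.com\\@google.com';
console.log(naiveHost(TEST_URL), whatwgHost(TEST_URL)); // google.com example.com
console.log(validateHost(TEST_URL, ['example.com']));   // { ok: false, reason: 'backslash in authority' }
```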
📡 Detection & Monitoring
Log Indicators:
- URL parsing errors
- Unexpected host/authority values in logs
- Failed authentication attempts with unusual URLs
Network Indicators:
- HTTP requests with backslashes in usernames (user@host format)
- URLs with encoded backslashes (%5C)
SIEM Query:
url.path:"\\\\@" OR http.uri:"\\\\@" OR user_agent:"\\\\@"
🔗 References
- https://github.com/lambdaisland/uri/commit/f46db3e84846f79e14bfee0101d9c7a872321820
- https://github.com/lambdaisland/uri/security/advisories/GHSA-cp4w-6x4w-v2h5