CVE-2023-33289

7.5 HIGH

📋 TL;DR

The urlnorm crate through version 0.1.4 for Rust is vulnerable to Regular Expression Denial of Service (ReDoS) via specially crafted URLs. An attacker who can supply URLs to the application can cause excessive CPU consumption and service degradation. Any Rust application that uses this crate for URL normalization is affected.

💻 Affected Systems

Products:
  • urlnorm crate
Versions: 0.1.0 through 0.1.4
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects Rust applications that use the urlnorm crate for URL normalization. The supplier disputes the severity, claiming 'slow printing of URLs is not a CVE.'

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service unavailability due to CPU exhaustion, leading to denial of service for all users and potential cascading failures in dependent systems.

🟠 Likely Case

Degraded performance and intermittent service disruptions when malicious URLs are processed, affecting availability but not data integrity.

🟢 If Mitigated

Minimal impact with proper input validation, rate limiting, and monitoring in place to detect and block malicious patterns.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof-of-concept available in references. Exploitation requires sending crafted URLs to systems using the vulnerable crate.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 0.1.5 or later

Vendor Advisory: https://github.com/progscrape/urlnorm

Restart Required: Yes

Instructions:

1. Update Cargo.toml to specify urlnorm version '>=0.1.5'.
2. Run 'cargo update' to fetch the patched version.
3. Rebuild and redeploy your application.

🔧 Temporary Workarounds

Input Validation and Sanitization (applies to: all)

Implement strict input validation to reject malformed URLs before they reach the urlnorm crate.

Rate Limiting (applies to: all)

Apply rate limiting to URL processing endpoints to mitigate denial of service attempts.

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to block patterns known to trigger ReDoS in the urlnorm crate.
  • Monitor CPU usage and implement automatic throttling or blocking when abnormal patterns are detected.

🔍 How to Verify

Check if Vulnerable:

Check Cargo.toml or Cargo.lock for urlnorm dependency version 0.1.0 to 0.1.4.

Check Version:

grep -E 'urlnorm\s*=' Cargo.toml || grep -A1 -B1 'urlnorm' Cargo.lock

Verify Fix Applied:

Verify that the urlnorm version recorded in Cargo.lock is 0.1.5 or later after running 'cargo update'.
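As an added example (not code from the page's references or from the urlnorm project), the following POSIX shell script parses a Cargo.lock for the urlnorm package entry and reports whether the recorded version falls in the affected range 0.1.0 through 0.1.4. The Cargo.lock fragment is constructed sample input; checking Cargo.lock rather than Cargo.toml also catches the case where urlnorm is pulled in only as a transitive dependency.

```shell
#!/bin/sh
# Added example: find the urlnorm entry in a Cargo.lock and decide whether
# it is in the affected range (0.1.0 through 0.1.4). Cargo.lock records
# every resolved crate, including transitive ones, so this catches cases
# where urlnorm is not named in Cargo.toml at all.

# Constructed Cargo.lock fragment used as sample input (not a real lock file).
SAMPLE_LOCK='[[package]]
name = "serde"
version = "1.0.160"

[[package]]
name = "urlnorm"
version = "0.1.4"
'

# Print the version recorded for the urlnorm package (lock file text on stdin).
urlnorm_version() {
  awk '
    /^\[\[package\]\]/ { name = "" }
    /^name = /         { gsub(/"/, "", $3); name = $3 }
    /^version = /      { gsub(/"/, "", $3); if (name == "urlnorm") print $3 }
  '
}

# Exit status 0 if VERSION is 0.1.0 through 0.1.4, 1 otherwise.
is_vulnerable() {
  ver=${1%%[-+]*}              # drop any pre-release or build suffix
  major=${ver%%.*}
  rest=${ver#*.}
  minor=${rest%%.*}
  patch=${rest#*.}
  if [ "$major" -eq 0 ] && [ "$minor" -eq 1 ] && [ "$patch" -le 4 ]; then
    return 0
  fi
  return 1
}

# Classify a lock file given as text: prints absent, vulnerable(V) or fixed(V).
check_lock_text() {
  v=$(printf '%s' "$1" | urlnorm_version)
  if [ -z "$v" ]; then
    echo "absent"
  elif is_vulnerable "$v"; then
    echo "vulnerable($v)"
  else
    echo "fixed($v)"
  fi
}

check_lock_text "$SAMPLE_LOCK"   # prints: vulnerable(0.1.4)
```

To check a real project, replace the constructed fragment with `check_lock_text "$(cat Cargo.lock)"`.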

📡 Detection & Monitoring

Log Indicators:

  • Unusually high CPU usage spikes correlated with URL processing requests
  • Increased request processing times for URL-related endpoints

Network Indicators:

  • High volume of requests with complex or malformed URL patterns to endpoints using urlnorm

SIEM Query:

source='application_logs' AND (message LIKE '%urlnorm%' OR message LIKE '%URL%processing%') AND cpu_usage > 90
