CVE-2024-43380

5.3 MEDIUM

📋 TL;DR

CVE-2024-43380 is a denial-of-service vulnerability in fugit's natural language time parser. The parser accepts arbitrarily long input strings without validation, causing indefinite thread blocking during parsing. Applications using fugit without input length validation are affected.

💻 Affected Systems

Products:
  • fugit
  • flor
  • any application using fugit for natural language time parsing
Versions: All versions before 1.11.1
Operating Systems: All platforms running Ruby applications with fugit
Default Config Vulnerable: ⚠️ Yes
Notes: Only applications using the natural language parser functionality are affected. Applications must accept user input for parsing without length validation.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete service unavailability due to thread exhaustion from maliciously crafted long input strings, leading to denial of service.

🟠

Likely Case

Degraded performance or temporary service disruption when processing unusually long natural language time strings.

🟢

If Mitigated

Minimal impact with input validation limiting string length before parsing.

🌐 Internet-Facing: MEDIUM - Exploitable via any endpoint accepting user input for fugit parsing, but requires specific input format.
🏢 Internal Only: LOW - Requires internal users to submit malicious input, which is less likely.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires submitting a specially crafted long string to the natural language parser. No authentication needed if parser accepts external input.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.11.1

Vendor Advisory: https://github.com/floraison/fugit/security/advisories/GHSA-2m96-52r3-2f3g

Restart Required: Yes

Instructions:

1. Update the fugit gem to version 1.11.1 or later.
2. Run 'bundle update fugit' if using Bundler.
3. Restart the application server.
4. Verify the update with 'bundle show fugit' or by checking Gemfile.lock.

🔧 Temporary Workarounds

Input length validation

Applies to: all

Add input validation to limit string length before passing to fugit parser

# Ruby example: validate input length before parsing
require 'fugit'

# Reject oversized strings before they reach the natural language parser
if time_string.length > 100
  raise ArgumentError, 'Input too long'
end
Fugit.parse_nat(time_string)

🧯 If You Can't Patch

  • Implement strict input validation limiting natural language time strings to reasonable lengths (e.g., < 100 characters)
  • Disable natural language parsing functionality if not essential, or restrict to trusted/internal sources only
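The length check in the workaround above can be wrapped so that every call site shares the same limit and, as defence in depth, a wall-clock timeout. This is an added example, not code from the fugit project or the advisory. It assumes a hypothetical helper name `safe_parse_nat`, a limit of 100 characters taken from the mitigation text, and an injectable `parser:` callable so the wrapper can be exercised without the fugit gem installed; in production the default parser is `Fugit.parse_nat`.

```ruby
require 'timeout'
begin
  require 'fugit'
rescue LoadError
  # fugit is not installed in this environment; the wrapper still works with an injected parser.
end

# Limit from the advisory's mitigation guidance (< 100 characters).
MAX_NAT_LENGTH = 100

class InputTooLong < ArgumentError; end

# Hypothetical wrapper around Fugit.parse_nat that enforces an input length limit
# before parsing and bounds the parse with a timeout so a slow parse cannot pin a thread.
#
# parser:    callable taking the string; defaults to Fugit.parse_nat (assumption: gem loaded)
# timeout_s: upper bound on parse time, in seconds
def safe_parse_nat(time_string, max_length: MAX_NAT_LENGTH, timeout_s: 2, parser: nil)
  raise ArgumentError, 'expected a String' unless time_string.is_a?(String)

  normalized = time_string.strip
  if normalized.length > max_length
    raise InputTooLong, "input length #{normalized.length} exceeds #{max_length}"
  end

  parser ||= ->(str) { Fugit.parse_nat(str) }
  # Timeout::Error propagates to the caller, which should treat it as a rejected input.
  Timeout.timeout(timeout_s) { parser.call(normalized) }
end

# Convenience form for callers that prefer nil over exceptions.
def parse_nat_or_nil(time_string, **opts)
  safe_parse_nat(time_string, **opts)
rescue InputTooLong, Timeout::Error, ArgumentError
  nil
end
```

The length check runs before any parsing work, so oversized input is rejected in constant time; the timeout only covers inputs that pass the length check and is a backstop, not a substitute for upgrading to 1.11.1.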

🔍 How to Verify

Check if Vulnerable:

Check fugit gem version with 'gem list fugit' or 'bundle show fugit'. If version is < 1.11.1 and application uses natural language parsing with user input, it's vulnerable.

Check Version:

gem list fugit | grep fugit
bundle show fugit

Verify Fix Applied:

After updating, test with a long input string to ensure parser returns promptly or rejects the input. Verify version is ≥ 1.11.1.

📡 Detection & Monitoring

Log Indicators:

  • Unusually long processing times for time parsing operations
  • Thread blocking warnings
  • Increased CPU usage without corresponding request completion

Network Indicators:

  • Timeouts on endpoints accepting time string inputs
  • Unusually long request/response times for specific API calls

SIEM Query:

source="application.log" AND ("fugit" OR "parse_nat") AND duration > 10s
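For environments without a SIEM, the same "parse_nat calls taking longer than 10 seconds" indicator can be checked directly against application logs. The following is an added example, not part of the advisory; the log format (`key=value` fields with a `parser=` and `duration=` field) and the sample lines are constructed for illustration, and the function names are hypothetical.

```ruby
# Constructed sample log lines (not from any real system).
SAMPLE_LOG = <<~LOG
  2024-08-20T10:00:01Z INFO req=1 handler=schedule_create parser=parse_nat duration=0.012s status=200
  2024-08-20T10:00:05Z INFO req=2 handler=schedule_create parser=parse_nat duration=14.8s status=504
  2024-08-20T10:00:06Z INFO req=3 handler=users_index duration=0.030s status=200
  2024-08-20T10:00:09Z WARN req=4 handler=schedule_create parser=parse_nat duration=2500ms status=200
  2024-08-20T10:00:15Z INFO req=5 handler=schedule_create parser=parse_nat duration=31s status=504
LOG

LINE_RE = /\A(?<ts>\S+)\s+(?<level>\S+)\s+(?<fields>.*)\z/
DURATION_RE = /\A(\d+(?:\.\d+)?)(ms|s)\z/

# Parse one "ts level k=v k=v ..." line into a hash; returns nil for lines that do not match.
def parse_log_line(line)
  m = LINE_RE.match(line.strip)
  return nil unless m

  record = { 'ts' => m[:ts], 'level' => m[:level] }
  m[:fields].split(/\s+/).each do |pair|
    key, value = pair.split('=', 2)
    record[key] = value if key && value
  end
  record
end

# Convert "14.8s" or "2500ms" into seconds as a Float; nil if unparseable.
def duration_seconds(value)
  m = DURATION_RE.match(value.to_s)
  return nil unless m

  number = m[1].to_f
  m[2] == 'ms' ? number / 1000.0 : number
end

# Return records for natural language parse events slower than threshold_s.
# Mirrors the SIEM query: parser mentions fugit/parse_nat AND duration > 10s.
def slow_parse_events(log, threshold_s: 10.0)
  log.each_line.filter_map do |line|
    rec = parse_log_line(line)
    next nil unless rec

    parser = rec['parser'].to_s
    next nil unless parser.include?('parse_nat') || parser.include?('fugit')

    secs = duration_seconds(rec['duration'])
    next nil unless secs && secs > threshold_s

    rec.merge('duration_s' => secs)
  end
end

if __FILE__ == $PROGRAM_NAME
  slow_parse_events(SAMPLE_LOG).each do |e|
    puts "#{e['ts']} req=#{e['req']} parser=#{e['parser']} took #{e['duration_s']}s"
  end
end
```

Requests that time out at a proxy may never log a completion line, so combine this with the network indicators above (504s and gateway timeouts on the affected endpoints) rather than relying on duration fields alone.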
