oss-sec mailing list archives
Re: uriparser 1.0.2 fixes CVE-2026-44927 and CVE-2026-44928
From: Ilia <ilia () ilia ws>
Date: Tue, 12 May 2026 14:37:59 -0400
On Tue, May 12, 2026 at 2:13 PM Sebastian Pipping <sebastian () pipping org> wrote:
From my perspective CVE-2026-44927 is a low-severity security issue that would be hard to exploit in reality since it requires an actual 2gb+ input to even trigger. For example, in the context of PHP (which uses the lib) you'd hit the memory limit long before this even triggers. Therefore, this is "Low" severity from my perspective. Given the input size, it definitely doesn't have a remote vector.I have no problem with this being considering "low severity" based on the payload size needed, but this /does/ have a remote vector that is independent of size constraints, as far as I am concerned. I just checked the definition of a remote attack vector a la CVSS [3][4] and it's not "adjacent", not "local", and not "physical": I see nothing stopping applications from parsing URI strings read "from the wire", directly or indirectly, the same way that XMPP parses XML from the wire. Am I missing something here?
That's a fair point, I'd still lean toward "low", perhaps low-medium in light of your comment. Parsing streaming URI strings from a wire without any cap is a bit unusual, but stranger things have happened. As you pointed out from cvvs guide, it doesn't care about that. -- Ilia Alshanetsky Technologist, CTO, Entrepreneur E: ilia () ilia ws T: @iliaa B: http://ilia.ws
Current thread:
- uriparser 1.0.2 fixes CVE-2026-44927 and CVE-2026-44928 Sebastian Pipping (May 09)
- Re: uriparser 1.0.2 fixes CVE-2026-44927 and CVE-2026-44928 Solar Designer (May 10)
- Re: uriparser 1.0.2 fixes CVE-2026-44927 and CVE-2026-44928 Sebastian Pipping (May 12)
- Re: uriparser 1.0.2 fixes CVE-2026-44927 and CVE-2026-44928 Ilia (May 12)
- Re: uriparser 1.0.2 fixes CVE-2026-44927 and CVE-2026-44928 Sebastian Pipping (May 12)
- Re: uriparser 1.0.2 fixes CVE-2026-44927 and CVE-2026-44928 Ilia (May 12)
- Re: uriparser 1.0.2 fixes CVE-2026-44927 and CVE-2026-44928 Sebastian Pipping (May 12)
- Re: uriparser 1.0.2 fixes CVE-2026-44927 and CVE-2026-44928 Joshua Windle (May 12)
- Re: uriparser 1.0.2 fixes CVE-2026-44927 and CVE-2026-44928 Solar Designer (May 10)
