oss-sec mailing list archives

Re: uriparser 1.0.2 fixes CVE-2026-44927 and CVE-2026-44928


From: Ilia <ilia () ilia ws>
Date: Tue, 12 May 2026 14:37:59 -0400

On Tue, May 12, 2026 at 2:13 PM Sebastian Pipping <sebastian () pipping org>
wrote:

 From my perspective CVE-2026-44927 is a low-severity security issue
that would be hard to exploit in reality since it requires an actual
2gb+ input to even trigger. For example, in the context of PHP (which
uses the lib) you'd hit the memory limit long before this even triggers.
Therefore, this is "Low" severity from my perspective. Given the input
size, it definitely doesn't have a remote vector.

I have no problem with this being considering "low severity" based
on the payload size needed, but this /does/ have a remote vector that is
independent of size constraints, as far as I am concerned. I just
checked the definition of a remote attack vector a la CVSS [3][4] and
it's not "adjacent", not "local", and not "physical": I see nothing
stopping applications from parsing URI strings read "from the wire",
directly or indirectly, the same way that XMPP parses XML from the wire.
Am I missing something here?


That's a fair point, I'd still lean toward "low", perhaps low-medium in
light of your comment.

Parsing streaming URI strings from a wire without any cap is a bit unusual,
but stranger things have happened. As you pointed out from cvvs guide, it
doesn't care about that.

-- 
Ilia Alshanetsky
Technologist, CTO, Entrepreneur
E: ilia () ilia ws
T: @iliaa
B: http://ilia.ws

Current thread: