CVE-2023-31606

HIGH

RedCloth 4.0.0-4.3.2 - Regular Expression Denial of Service in sanitize_html

Title source: llm
STIX 2.1

Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-31606. PoCs published by merbinr.

AI-analyzed exploit summary This repository contains a writeup describing a ReDoS vulnerability (CVE-2023-31606) in the Redcloth gem's sanitize_html function. The vulnerability allows attackers to cause a Denial of Service by exploiting a poorly optimized regular expression.

Description

A Regular Expression Denial of Service (ReDoS) issue was discovered in the sanitize_html function of redcloth gem v4.0.0. This vulnerability allows attackers to cause a Denial of Service (DoS) via supplying a crafted payload.

Exploits (1)

nomisec WRITEUP 2 stars
by merbinr · poc
https://github.com/merbinr/CVE-2023-31606

This repository contains a writeup describing a ReDoS vulnerability (CVE-2023-31606) in the Redcloth gem's sanitize_html function. The vulnerability allows attackers to cause a Denial of Service by exploiting a poorly optimized regular expression.

Classification
Writeup 100%
Attack Type
Dos
Complexity
Trivial
Reliability
Reliable
Target: Redcloth gem >= 4.0.0
No auth needed
Prerequisites: A target application using the Redcloth gem >= 4.0.0 · Ability to supply crafted input to the sanitize_html function
devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5
Core References
Exploit, Third Party Advisory
https://github.com/e23e/CVE-2023-31606#readme
Exploit, Issue Tracking, Third Party Advisory
https://github.com/jgarber/redcloth/issues/73
Third Party Advisory vendor-advisory
https://security.gentoo.org/glsa/202401-14

Scores

CVSS v3 7.5
EPSS 0.0091
EPSS Percentile 76.4%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Details

CWE
CWE-1333
Status published
Products (2)
promptworks/redcloth 4.0.0 - 4.3.2
rubygems/RedCloth 0 - 4.3.3RubyGems
Published Jun 06, 2023
Tracked Since Feb 18, 2026