#1133700 lambdaisland-uri-clojure: CVE-2023-28628

Package:
src:lambdaisland-uri-clojure
Source:
src:lambdaisland-uri-clojure
Submitter:
Salvatore Bonaccorso
Date:
2026-04-13 19:49:02 UTC
Severity:
normal
Tags:
#1133700#5
Date:
2026-04-13 19:48:22 UTC
From:
To:
Hi,

The following vulnerability was published for lambdaisland-uri-clojure.

CVE-2023-28628[0]:
| lambdaisland/uri is a pure Clojure/ClojureScript URI library. In
| versions prior to 1.14.120 `authority-regex` allows an attacker to
| send malicious URLs to be parsed by the `lambdaisland/uri` and
| return the wrong authority. This issue is similar to but distinct
| from CVE-2020-8910. The regex in question doesn't handle the
| backslash (`\`) character in the username correctly, leading to a
| wrong output. ex. a payload of `https://example.com\\@google.com`
| would return that the host is `google.com`, but the correct host
| should be `example.com`. Given that the library returns the wrong
| authority this may be abused to bypass host restrictions depending
| on how the library is used in an application. Users are advised to
| upgrade. There are no known workarounds for this vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-28628
https://www.cve.org/CVERecord?id=CVE-2023-28628
[1] https://github.com/lambdaisland/uri/security/advisories/GHSA-cp4w-6x4w-v2h5
[2] https://github.com/lambdaisland/uri/commit/67063ed439dd0843536f27e8cde40a8a7d69f37b

Regards,
Salvatore