CVE-2023-32758: 
Python vulnerability analysis and mitigation

giturlparse (also known as git-url-parse) through version 1.2.2, as used in Semgrep versions 1.5.2 through 1.24.1, contains a Regular Expression Denial of Service (ReDoS) vulnerability when parsing untrusted URLs. The vulnerability was discovered in May 2023 and affects the URL parsing functionality (NVD).

The vulnerability exists in the URL parsing functionality where untrusted URLs are processed using potentially inefficient regular expressions. This becomes particularly relevant when Semgrep analyzes untrusted packages, specifically when checking whether a package accesses Git repositories via HTTP URLs. The issue has a CVSS v3.1 Base Score of 7.5 (HIGH) with vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (NVD).

If exploited, an attacker can cause a denial of service condition by placing a ReDoS attack payload in a URL used by the package. This can lead to excessive CPU usage and potential system unresponsiveness when Semgrep processes these maliciously crafted URLs (NVD).

The issue was addressed through multiple fixes in Semgrep, including improvements to the git URL parser and implementation of URL length limits. Pull requests #7943 and #7955 were merged to fix the vulnerability, with the latter adding a 1024-byte limit on git URLs for performance and security reasons (Semgrep PR 7943, Semgrep PR 7955).