Description
uriparser before 1.0.1 has numeric truncation in text range comparison, if an application accepts URIs with a length in gigabytes.
Published: 2026-04-27
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch
AI Analysis

Impact

uriparser versions prior to 1.0.1 contain a numeric truncation bug in the function that compares the textual range of a URI. When the library receives a URI whose length reaches gigabytes, the numeric comparison can behave unexpectedly, potentially allowing the application to process an oversized URI that it should normally reject. This flaw can lead to a denial of service by forcing the application to handle unusually large input data.

Affected Systems

The vulnerability affects all releases of the uriparser library before 1.0.1. Any software that incorporates this library, such as web servers, network utilities, or other applications that parse user‑supplied URIs, may be impacted until it is updated to a fixed version.

Risk and Exploitability

The CVSS score of 5.1 indicates moderate severity. An EPSS score below 1% suggests low exploitation likelihood at present, and the issue is not listed in CISA's KEV catalog. Exploitation would require an attacker to supply an excessively long URI—on the order of gigabytes—to the application. The attack surface is therefore any interface that accepts external URIs and forwards them to uriparser without prior length validation.

Generated by OpenCVE AI on April 28, 2026 at 23:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade uriparser to version 1.0.1 or later.
  • If an upgrade is not immediately possible, implement a strict URI length check in the application and reject any URI exceeding a safe threshold before passing it to uriparser.
  • Review and audit code that interacts with uriparser to ensure proper input validation and guard against potential truncation issues.
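As an added illustration, not uriparser's code and not part of the OpenCVE analysis, of the CWE-197 pattern the description names and of the length gate recommended above: a hypothetical range check that narrows a size_t length to 32 bits accepts a URI of 4 GiB plus 10 bytes as if it were 10 bytes long, while an application-side cap rejects oversized input before any such comparison runs. RANGE_LIMIT, range_ok_truncating, range_ok and uri_within_cap are assumed names, and the sample URI is constructed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical CWE-197 pattern (NOT uriparser's code): a text-range length
 * computed as size_t is narrowed to a 32-bit integer before the comparison.
 * Lengths of 4 GiB and more wrap modulo 2^32, so an oversized range can look
 * small enough to pass the check. */
#define RANGE_LIMIT 1024u

bool range_ok_truncating(size_t range_len) {
    uint32_t len = (uint32_t)range_len;   /* truncation happens here */
    return len <= RANGE_LIMIT;
}

/* Corrected comparison: keep the full-width length for the check. */
bool range_ok(size_t range_len) {
    return range_len <= RANGE_LIMIT;
}

/* Application-side gate from the recommended actions: scan at most cap + 1
 * bytes so a gigabyte-sized string is rejected without walking all of it and
 * without computing a length that is later narrowed. Returns true when the NUL
 * terminator lies within cap bytes; *len_out then receives the length. */
bool uri_within_cap(const char *uri, size_t cap, size_t *len_out) {
    for (size_t i = 0; i <= cap; i++) {
        if (uri[i] == '\0') {
            if (len_out) *len_out = i;
            return true;
        }
    }
    return false;   /* longer than cap: reject before calling the parser */
}

int main(void) {
    /* UINT32_MAX + 11 = 4294967306 on a 64-bit size_t, a length "in gigabytes";
     * it wraps to 10 when narrowed to 32 bits. */
    size_t huge = (size_t)UINT32_MAX + 11;
    printf("truncating check accepts huge range: %d\n", range_ok_truncating(huge));
    printf("full-width check accepts huge range: %d\n", range_ok(huge));
    const char *sample = "https://example.invalid/path?q=1";  /* constructed */
    size_t len = 0;
    printf("gate, cap 64: %d (len %zu)\n", uri_within_cap(sample, 64, &len), len);
    printf("gate, cap 16: %d\n", uri_within_cap(sample, 16, NULL));
    return 0;
}
```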

Generated by OpenCVE AI on April 28, 2026 at 23:29 UTC.

Advisories

No advisories yet.

History

Tue, 28 Apr 2026 00:15:00 +0000

Type         Values Removed           Values Added
Title        -                        uriparser: uriparser: Denial of Service via numeric truncation with oversized URIs
Weaknesses   -                        CWE-190
References   -                        -
Metrics      threat_severity: None    threat_severity: Moderate

Mon, 27 Apr 2026 20:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared   -                Uriparser Project; Uriparser Project uriparser
Vendors & Products    -                Uriparser Project; Uriparser Project uriparser

Mon, 27 Apr 2026 15:30:00 +0000

Type         Values Removed   Values Added
References   -                -

Mon, 27 Apr 2026 11:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 27 Apr 2026 06:30:00 +0000

Type          Values Removed   Values Added
Description   -                uriparser before 1.0.1 has numeric truncation in text range comparison, if an application accepts URIs with a length in gigabytes.
Weaknesses    -                CWE-197
References    -                -
Metrics       -                cvssV3_1: {'score': 5.1, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H'}

Subscriptions

Uriparser Project Uriparser
MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-04-27T14:41:22.410Z

Reserved: 2026-04-27T05:50:35.801Z

Link: CVE-2026-42371

Vulnrichment

Updated: 2026-04-27T14:41:22.410Z

NVD

Status : Awaiting Analysis

Published: 2026-04-27T07:16:04.173

Modified: 2026-04-27T18:57:20.293

Link: CVE-2026-42371

Redhat

Severity : Moderate

Public Date: 2026-04-27T05:50:36Z

Links: CVE-2026-42371 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-28T23:30:06Z

Weaknesses