RubySec

Providing security resources for the Ruby community

CVE-2021-22902 (actionpack): Possible Denial of Service vulnerability in Action Dispatch

GEM

actionpack

FRAMEWORK

Ruby on Rails

SEVERITY

CVSS v3.x: 7.5 (High)

UNAFFECTED VERSIONS

  • < 6.0.0

PATCHED VERSIONS

  • ~> 6.0.3, >= 6.0.3.7
  • >= 6.1.3.2

DESCRIPTION

There is a possible Denial of Service vulnerability in the Mime type parser of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2021-22902.

Versions Affected: >= 6.0.0
Not affected: < 6.0.0
Fixed Versions: 6.0.3.7, 6.1.3.2

Impact

There is a possible Denial of Service vulnerability in Action Dispatch. Carefully crafted Accept headers can cause the mime type parser in Action Dispatch to do catastrophic backtracking in the regular expression engine.

Workarounds

The following monkey patch placed in an initializer can be used to work around the issue:

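module Mime
  class Type
    # The parameter repetition is wrapped in an atomic group, (?>...), so the
    # regex engine cannot backtrack into it once it has matched.
    MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?>\s*#{MIME_PARAMETER}\s*)*)\z/
  end
end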
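
To tell whether an application needs the upgrade or the workaround above, the resolved actionpack version in Gemfile.lock can be compared against the version ranges listed in this advisory. The following is an added example, not code from the advisory or from Rails; the method names and the sample lockfile fragment are constructed for illustration.

```ruby
require "rubygems"

# Version ranges copied from this advisory (CVE-2021-22902).
UNAFFECTED = [Gem::Requirement.new("< 6.0.0")].freeze
PATCHED = [
  Gem::Requirement.new("~> 6.0.3", ">= 6.0.3.7"),
  Gem::Requirement.new(">= 6.1.3.2")
].freeze

# Classify one actionpack version string against the advisory ranges.
def cve_2021_22902_status(version_string)
  version = Gem::Version.new(version_string)
  return :unaffected if UNAFFECTED.any? { |req| req.satisfied_by?(version) }
  return :patched if PATCHED.any? { |req| req.satisfied_by?(version) }
  :vulnerable
end

# Pull the resolved actionpack version out of Gemfile.lock text.
# Resolved gems sit at four spaces of indent under "specs:"; dependency
# constraints are indented six spaces, so they are not matched.
def locked_actionpack_version(lockfile_text)
  match = lockfile_text.match(/^ {4}actionpack \(([^)\s]+)\)$/)
  match && match[1]
end

# Returns [status, version]; status is :not_present when the gem is absent.
def audit_lockfile(lockfile_text)
  version = locked_actionpack_version(lockfile_text)
  return [:not_present, nil] unless version
  [cve_2021_22902_status(version), version]
end

# Constructed sample lockfile fragment (not from a real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (6.1.3.1)
        actionview (= 6.1.3.1)
        rack (~> 2.0, >= 2.0.9)
      actionview (6.1.3.1)
LOCK

if __FILE__ == $PROGRAM_NAME
  status, version = audit_lockfile(SAMPLE_LOCK)
  puts "actionpack #{version}: #{status}"
end
```

A `:vulnerable` result means the application should move to a fixed version or load the initializer shown above.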