RubySec

Providing security resources for the Ruby community

CVE-2021-22902 (actionpack): Possible Denial of Service vulnerability in Action Dispatch

ADVISORIES

GEM

actionpack

FRAMEWORK

rails

UNAFFECTED VERSIONS

  • < 6.0.0

PATCHED VERSIONS

  • ~> 6.0.3.7
  • >= 6.1.3.2

DESCRIPTION

There is a possible Denial of Service vulnerability in the Mime type parser of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2021-22902.

Versions Affected: >= 6.0.0 Not affected: < 6.0.0 Fixed Versions: 6.0.3.7, 6.1.3.2

Impact

There is a possible Denial of Service vulnerability in Action Dispatch. Carefully crafted Accept headers can cause the mime type parser in Action Dispatch to do catastrophic backtracking in the regular expression engine.

Workarounds

The following monkey patch placed in an initializer can be used to work around the issue:

module Mime
  class Type
    MIME_REGEXP = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?>\s*#{MIME_PARAMETER}\s*)*)\z/
  end
end