- ~> 2.0, >= 220.127.116.11
- >= 18.104.22.168
There is a denial of service vulnerability in the header parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2023-27539.
Versions Affected: >= 2.0.0 Not affected: None. Fixed Versions: 22.214.171.124, 126.96.36.199
Carefully crafted input can cause header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse headers using Rack (virtually all Rails applications) are impacted.
Setting Regexp.timeout in Ruby 3.2 is a possible workaround.