CVSS v3.x: 5.9 (Medium)
- >= 126.96.36.199
There is a possible Denial of Service (DoS) vulnerability in the unpoly-rails gem that implements the Unpoly server protocol for Rails applications.
This issues affects Rails applications that operate as an upstream of a load balancer’s that uses passive health checks.
The unpoly-rails gem echoes the request URL
X-Up-Location response header. By making a request with exceedingly long
URLs (paths or query string), an attacker can cause unpoly-rails to write a exceedingly
large response header.
If the response header is too large to be parsed by a load balancer downstream of the Rails application, it may cause the load balancer to remove the upstream from a load balancing group. This causes that application instance to become unavailable until a configured timeout is reached or until an active healthcheck succeeds.
If you cannot upgrade to a fixed release, several workarounds are available:
- Configure your load balancer to use active health checks, e.g. by periodically requesting a route with a known response that indicates healthiness.
- Configure your load balancer so the maximum size of response headers is at least twice the maximum size of a URL.
Instead of changing your server configuration you may also configure your Rails application to delete redundant
X-Up-Locationheaders set by unpoly-rails:
class ApplicationController < ActionController::Base after_action :remove_redundant_up_location_header private def remove_redundant_up_location_header if request.original_url == response.headers['X-Up-Location'] response.headers.delete('X-Up-Location') end end end