RubySec

Providing security resources for the Ruby community

CVE-2024-26146 (rack): Possible Denial of Service Vulnerability in Rack Header Parsing

ADVISORIES

GEM

rack

PATCHED VERSIONS

  • ~> 2.0.9, >= 2.0.9.4
  • ~> 2.1.4, >= 2.1.4.4
  • ~> 2.2.8, >= 2.2.8.1
  • >= 3.0.9.1

DESCRIPTION

There is a possible denial of service vulnerability in the header parsing routines in Rack. This vulnerability has been assigned the CVE identifier CVE-2024-26146.

Versions Affected: All. Not affected: None Fixed Versions: 2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1

Impact

Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted.

Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected.

Releases

The fixed releases are available at the normal locations.

Workarounds

There are no feasible workarounds for this issue.

RELATED