title: Object leak vulnerability for wildcard controller routes in Action Pack
description: |
  There is an object leak vulnerability for wildcard controllers in Action Pack.
  This vulnerability has been assigned the CVE identifier CVE-2015-7581.

  Versions Affected: >= 4.0.0 and < 5.0.0.beta1
  Not affected: < 4.0.0, 5.0.0.beta1 and newer
  Fixed Versions: 220.127.116.11, 18.104.22.168

  Impact
  ------
  Users that have a route that contains the string ":controller" are susceptible
  to objects being leaked globally which can lead to unbounded memory growth.
  To identify if your application is vulnerable, look for routes that contain
  ":controller".

  Internally, Action Pack keeps a map of "url controller name" to "controller
  class name". This map is cached globally, and is populated even if the
  controller class doesn't actually exist.

  All users running an affected release should either upgrade or use one of the
  workarounds immediately.

  Releases
  --------
  The FIXED releases are available at the normal locations.

  Workarounds
  -----------
  There are no feasible workarounds for this issue.

  Patches
  -------
  To aid users who aren't able to upgrade immediately we have provided patches
  for the two supported release series. They are in git-am format and consist
  of a single changeset.

  * 4-1-wildcard_route.patch - Patch for 4.1 series
  * 4-2-wildcard_route.patch - Patch for 4.2 series

  Please note that only the 4.1.x and 4.2.x series are supported at present.
  Users of earlier unsupported releases are advised to upgrade as soon as
  possible as we cannot guarantee the continued availability of security fixes
  for unsupported releases.
- "< 4.0.0"
- ">= 5.0.0.beta1"
- "~> 4.2.5, >= 22.214.171.124"
- "~> 4.1.14, >= 126.96.36.199"