Description
Versions of encoded_id-rails before 1.0.0.beta2 are affected by an uncontrolled resource consumption vulnerability (CWE-400). A remote, unauthenticated attacker can cause a denial of service by sending an HTTP request with an extremely long "id" parameter.
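As an added example, not code from this advisory or from the encoded_id-rails project, the following shows the shape of the problem and of a mitigation: a lookup that hands an unbounded client string to a costly decoder, beside a version that bounds the input length first, plus a Rack-convention middleware that rejects oversized "id" values before the controller runs. The constant MAX_ENCODED_ID_LENGTH and its value 128, the EncodedIdTooLong error class, the slow_decode stand-in and the sample requests are all assumptions constructed for this example; consult the commit linked under Patch for the project's actual fix and limit.

```ruby
require "uri"

# Assumed limit for illustration; the gem's real configuration is not shown here.
MAX_ENCODED_ID_LENGTH = 128

# Assumed error class, not one defined by encoded_id-rails.
class EncodedIdTooLong < ArgumentError; end

# Stand-in for an expensive reversible decoder (hashids-style). It only models
# the property that matters for CWE-400: work grows with the input length.
def slow_decode(encoded)
  encoded.each_char.reduce(0) { |acc, ch| (acc * 31 + ch.ord) % 2**32 }
end

# Vulnerable shape: whatever length the client sends reaches the decoder.
def find_by_encoded_id_unguarded(encoded)
  slow_decode(encoded)
end

# Hardened shape: bound the input before any decoding work happens.
def find_by_encoded_id(encoded, max_length: MAX_ENCODED_ID_LENGTH)
  if encoded.length > max_length
    raise EncodedIdTooLong, "encoded id is #{encoded.length} chars, limit is #{max_length}"
  end
  slow_decode(encoded)
end

# Defence in depth: a middleware written against the Rack call convention
# (no gem required) that answers 400 when the "id" query parameter or the
# last path segment exceeds the limit, so the request never reaches the app.
class EncodedIdLengthGuard
  def initialize(app, max_length: MAX_ENCODED_ID_LENGTH, param: "id")
    @app = app
    @max_length = max_length
    @param = param
  end

  def call(env)
    query_ids = URI.decode_www_form(env["QUERY_STRING"].to_s)
                   .select { |key, _| key == @param }
                   .map(&:last)
    path_id = env["PATH_INFO"].to_s.split("/").last.to_s
    if (query_ids + [path_id]).any? { |value| value.length > @max_length }
      return [400, { "content-type" => "text/plain" }, ["id too long\n"]]
    end
    @app.call(env)
  end
end

# Constructed sample requests (not captured traffic): a normal lookup and a
# request carrying a 100,000-character id. Returns the two status codes.
def demo
  app = ->(_env) { [200, { "content-type" => "text/plain" }, ["ok\n"]] }
  guard = EncodedIdLengthGuard.new(app)
  normal = { "PATH_INFO" => "/users/p5w9-z27j", "QUERY_STRING" => "" }
  flood  = { "PATH_INFO" => "/users", "QUERY_STRING" => "id=#{'a' * 100_000}" }
  [guard.call(normal).first, guard.call(flood).first]
end
```

The middleware is a backstop, not a replacement for the library-level check: the length limit belongs where decoding happens, so that every code path (controllers, background jobs, console lookups) is covered, while the middleware only shields HTTP entry points.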
References (4)
Exploit, Vendor Advisory: https://github.com/stevegeek/encoded_id-rails/security/advisories/GHSA-3px7-jm2p-6h2c
Patch: https://github.com/stevegeek/encoded_id-rails/commit/afa495a77b8a21ad582611f9cdc2081dc4018b91
Exploit, Third Party Advisory: https://github.com/advisories/GHSA-3px7-jm2p-6h2c
Third Party Advisory: https://vulncheck.com/advisories/vc-advisory-GHSA-3px7-jm2p-6h2c
Scores
CVSS v3
7.5
EPSS
0.0036
EPSS Percentile
58.1%
Attack Vector
NETWORK
CVSS v3.1 Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-400
CWE-770
Status
published
Products (3)
diaconou/encodedid_rails (2 CPE variants)
diaconou/encodedid_rails: < 1.0.0
rubygems/encoded_id-rails (RubyGems): 0 - 1.0.0.beta2
Published
Jan 04, 2024
Tracked Since
Feb 18, 2026