CVE-2024-26142

HIGH

Rails < 7.1.3.1 - Denial of Service

Title source: rule

Description

Rails is a web-application framework. Starting in version 7.1.0, there is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability is patched in 7.1.3.1. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected.

References (5)

[Vendor Advisory] https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946

[Patch] https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272

View Patch ZIP pw:eip

[Vendor Advisory] https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq

[Third Party Advisory] https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml

View Writeup ZIP pw:eip

[Third Party Advisory] https://security.netapp.com/advisory/ntap-20240503-0003/

Scores

CVSS v3 7.5

EPSS 0.0264

EPSS Percentile 85.5%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Classification

CWE

CWE-1333

Status published

Affected Products (2)

rubyonrails/rails < 7.1.3.1

rubygems/actionpack < 7.1.3.1RubyGems

Timeline

Published Feb 27, 2024

Tracked Since Feb 18, 2026