CVE-2024-26142

HIGH

Rails < 7.1.3.1 - Denial of Service


Description

Rails is a web-application framework. Starting in version 7.1.0, there is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability is patched in 7.1.3.1. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected.

Scores

CVSS v3 7.5
EPSS 0.0354
EPSS Percentile 87.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable no
Technical Impact partial

Details

CWE
CWE-1333
Status published
Products (2)
rubygems/actionpack 7.1.0 - 7.1.3.1 (RubyGems)
rubyonrails/rails 7.1.0 - 7.1.3.1
Published Feb 27, 2024
Tracked Since Feb 18, 2026