CVE-2024-26146
Rack 0.4-2.0.9.3, 3.0.0-3.0.9.0 - Denial of Service via Header Parsing
Severity: MEDIUM
Title source: llmDescription
Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected, resulting in a possible denial of service issue. The Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications running on Ruby 3.2 or newer are unaffected. This vulnerability is fixed in Rack 2.0.9.4, 2.1.4.4, 2.2.8.1, and 3.0.9.1.
References (9)
Third Party Advisory: https://security.netapp.com/advisory/ntap-20240510-0006/
Vendor Advisory (x_refsource_confirm): https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f
Patch (x_refsource_misc): https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716
Patch (x_refsource_misc): https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582
Patch (x_refsource_misc): https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f
Patch (x_refsource_misc): https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd
Vendor Advisory (x_refsource_misc): https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942
Third Party Advisory (x_refsource_misc): https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml
Scores
CVSS v3: 5.3
EPSS: 0.0200
EPSS Percentile: 78.0%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: partial
Details
CWE: CWE-1333
Status: published
Products (3)
debian/debian_linux: 10.0
rack/rack: 0.4 - 2.0.9.4
rubygems/rack: 3.0.0 - 3.0.9.1
Published: Feb 29, 2024
Tracked Since: Feb 18, 2026