Severity: 7.5 HIGH (NVD) | NVD: 6.5 | OSV: 5.3
EPSS: 0.7% (top 27.64%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Feb 29 | Latest update Apr 2

Description

Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. This vulnerability is fixed in 2.0.9.4, 2.1.4.4, 2.2.8.1, and 3.0.9.1.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H (Exploitability: 3.9 | Impact: 3.6)

Affected Packages (4 packages)

Source | Package | Affected versions
debian | debian/ruby-rack | < ruby-rack 2.2.6.4-1+deb12u1 (bookworm) (+1 more)
NVD | rack/rack | 0.4 to 2.0.9.4 (+3 more)
RubyGems | rack/rack | 3.0.0.beta1 to 3.1.21 (+6 more)
CVEListV5 | rack/rack | >= 3.1.0, < 3.1.5

Also affects: Debian Linux 10.0

Patches

Vulnerability Details (10)

- GHSA: Rack has quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header (2026-04-02)
- OSV: Rack has quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header (2026-04-02)
- OSV: ruby-rack vulnerabilities (2024-09-26)
- OSV: ruby-rack vulnerabilities (2024-08-19)
- OSV: CVE-2024-39316: Rack is a modular Ruby web server interface (2024-07-02)

Vendor Advisories (7)

- Ubuntu: Rack vulnerabilities (2024-09-26)
- Ubuntu: Rack vulnerabilities (2024-08-19)
- Ubuntu: Rack vulnerabilities (2024-06-17)
- Ubuntu: Rack vulnerabilities (2024-03-12)
- Red Hat: rubygem-rack: Possible Denial of Service Vulnerability in Rack Header Parsing (2024-02-22)

Community (1)

- HackerOne: [CVE-2024-26146] Header Parsing leads to Possible Denial of Service Vulnerability (2024-05-24)