CVE-2024-26146
Published 2024-02-29
CVE-2024-26146: Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible…
Priority: P3 · 41 · high
CVSS 3.1: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS: 2.00% (78.2th percentile)
Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. This vulnerability is fixed in 2.0.9.4, 2.1.4.4, 2.2.8.1, and 3.0.9.1.
Affected (15 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | debian_linux | — | — |
| debian | ruby-rack | < ruby-rack 2.2.6.4-1+deb12u1 (bookworm) | ruby-rack 2.2.6.4-1+deb12u1 (bookworm) |
| debian | ruby-rack | — | — |
| rack | rack | — | — |
| rack | rack | >= 0 < 2.2.23 | 2.2.23 |
| rack | rack | >= 0 < 2.0.9.4 | 2.0.9.4 |
| rack | rack | >= 0.4 < 2.0.9.4 | 2.0.9.4 |
| rack | rack | >= 2.1.0 < 2.1.4.4 | 2.1.4.4 |
| rack | rack | >= 2.1.0 < 2.1.4.4 | 2.1.4.4 |
| rack | rack | >= 2.2.0 < 2.2.8.1 | 2.2.8.1 |
| rack | rack | >= 2.2.0 < 2.2.8.1 | 2.2.8.1 |
| rack | rack | >= 3.0.0 < 3.0.9.1 | 3.0.9.1 |
| rack | rack | >= 3.0.0.beta1 < 3.1.21 | 3.1.21 |
| rack | rack | >= 3.1.0 < 3.1.5 | 3.1.5 |
| rack | rack | >= 3.2.0 < 3.2.6 | 3.2.6 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| ghsa | 7.5 | HIGH | — |
| osv | 7.5 | HIGH | — |
| vendor_ubuntu | 7.5 | HIGH | — |
| vendor_debian | 5.3 | LOW | — |
| vendor_redhat | 5.3 | MEDIUM | — |
GHSA · 2026-04-02 · CVE-2026-34230 [MEDIUM] · CWE-400
Rack has quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header
## Summary
`Rack::Utils.select_best_encoding` processes `Accept-Encoding` values with quadratic time complexity when the header contains many wildcard (`*`) entries. Because this method is used by `Rack::Deflater` to choose a response encoding, an unauthenticated attacker can send a single request with a crafted `Accept-Encoding` header and cause disproportionate CPU consumption on the compression middleware path.
This results in a denial of service condition for applications using `Rack::Deflater`.
## Details
`Rack::Utils.select_best_encoding` expands parsed `Accept-Encoding` values into a list of candidate encodings. When an entry is `*`, the method computes the set of concrete enco
OSV · 2026-04-02 · CVE-2026-34230 [MEDIUM]
Rack has quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header
## Summary
`Rack::Utils.select_best_encoding` processes `Accept-Encoding` values with quadratic time complexity when the header contains many wildcard (`*`) entries. Because this method is used by `Rack::Deflater` to choose a response encoding, an unauthenticated attacker can send a single request with a crafted `Accept-Encoding` header and cause disproportionate CPU consumption on the compression middleware path.
This results in a denial of service condition for applications using `Rack::Deflater`.
## Details
`Rack::Utils.select_best_encoding` expands parsed `Accept-Encoding` values into a list of candidate encodings. When an entry is `*`, the method computes the set of concrete enco
OSV · 2024-09-26 · CVSS 7.5 · CVE-2022-30122 [HIGH]
ruby-rack vulnerabilities
It was discovered that Rack was not properly parsing data when processing
multipart POST requests. If a user or automated system were tricked into
sending a specially crafted multipart POST request to an application using
Rack, a remote attacker could possibly use this issue to cause a denial of
service. (CVE-2022-30122)
It was discovered that Rack was not properly escaping untrusted data when
performing logging operations, which could cause shell escaped sequences
to be written to a terminal. If a user or automated system were tricked
into sending a specially crafted request to an application using Rack, a
remote attacker could possibly use this issue to execute arbitrary code in
the machine running the application. (CVE-2022-30123)
It was discovered that Rack
OSV · 2024-08-19 · CVSS 7.5 · CVE-2024-25126 [HIGH]
ruby-rack vulnerabilities
It was discovered that Rack incorrectly parsed certain media types. A
remote attacker could possibly use this issue to cause Rack to consume
resources, leading to a denial of service. This issue only affected
Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2024-25126)
It was discovered that Rack incorrectly handled certain Range headers. A
remote attacker could possibly use this issue to cause Rack to create
large responses, leading to a denial of service. (CVE-2024-26141)
It was discovered that Rack incorrectly handled certain crafted headers. A
remote attacker could possibly use this issue to cause Rack to consume
resources, leading to a denial of service. (CVE-2024-26146)
OSV · 2024-07-02 · CVSS 7.5 · CVE-2024-39316 [HIGH]
CVE-2024-39316: Rack is a modular Ruby web server interface
Rack is a modular Ruby web server interface. Starting in version 3.1.0 and prior to version 3.1.5, Regular Expression Denial of Service (ReDoS) vulnerability exists in the `Rack::Request::Helpers` module when parsing HTTP Accept headers. This vulnerability can be exploited by an attacker sending specially crafted `Accept-Encoding` or `Accept-Language` headers, causing the server to spend excessive time processing the request and leading to a Denial of Service (DoS). The fix for CVE-2024-26146 was not applied to the main branch and thus while the issue was fixed for the Rack v3.0 release series, it was not fixed in the v3.1 release series until v3.1.5. Users of versions on the 3.1 branch should upgrade to version 3.1.5 to receive the fix.
OSV · 2024-06-17 · CVSS 7.5 · CVE-2023-27530 [HIGH]
ruby-rack vulnerabilities
It was discovered that Rack incorrectly handled Multipart MIME parsing. A
remote attacker could possibly use this issue to cause Rack to consume
resources, leading to a denial of service. This issue only affected Ubuntu
23.10. (CVE-2023-27530)
It was discovered that Rack incorrectly parsed certain media types. A
remote attacker could possibly use this issue to cause Rack to consume
resources, leading to a denial of service. (CVE-2024-25126)
It was discovered that Rack incorrectly handled certain Range headers. A
remote attacker could possibly use this issue to cause Rack to create large
responses, leading to a denial of service. This issue only affected Ubuntu
24.04 LTS. (CVE-2024-26141)
It was discovered that Rack incorrectly handled certain crafted headers.
OSV · 2024-03-12 · CVSS 5.3 · CVE-2023-27539 [MEDIUM]
ruby-rack vulnerabilities
It was discovered that Rack incorrectly parsed some headers.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2023-27539, CVE-2024-26141, CVE-2024-26146)
OSV · 2024-02-29 · CVSS 7.5 · CVE-2024-26146 [HIGH]
CVE-2024-26146: Rack is a modular Ruby web server interface
Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. This vulnerability is fixed in 2.0.9.4, 2.1.4.4, 2.2.8.1, and 3.0.9.1.
OSV · 2024-02-28 · CVSS 7.5 · CVE-2024-26146 [HIGH]
Rack Header Parsing leads to Possible Denial of Service Vulnerability
# Possible Denial of Service Vulnerability in Rack Header Parsing
There is a possible denial of service vulnerability in the header parsing
routines in Rack. This vulnerability has been assigned the CVE identifier
CVE-2024-26146.
- Versions Affected: All.
- Not affected: None
- Fixed Versions: 2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1
## Impact
Carefully crafted headers can cause header parsing in Rack to take longer than
expected resulting in a possible denial of service issue. Accept and Forwarded
headers are impacted.
Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2
or newer are unaffected.
## Releases
The fixed releases are available at the normal locations.
## Workarounds
There are no feasible workaro
GHSA · 2024-02-28 · CVSS 7.5 · CVE-2024-26146 [HIGH] · CWE-1333
Rack Header Parsing leads to Possible Denial of Service Vulnerability
# Possible Denial of Service Vulnerability in Rack Header Parsing
There is a possible denial of service vulnerability in the header parsing
routines in Rack. This vulnerability has been assigned the CVE identifier
CVE-2024-26146.
- Versions Affected: All.
- Not affected: None
- Fixed Versions: 2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1
## Impact
Carefully crafted headers can cause header parsing in Rack to take longer than
expected resulting in a possible denial of service issue. Accept and Forwarded
headers are impacted.
Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2
or newer are unaffected.
## Releases
The fixed releases are available at the normal locations.
## Workarounds
There are no feasible workaro
Ubuntu · 2024-09-26 · CVSS 7.5 · CVE-2024-25126 [HIGH]
Title: Rack vulnerabilities
Summary: Several security issues were fixed in Rack.
It was discovered that Rack was not properly parsing data when processing
multipart POST requests. If a user or automated system were tricked into
sending a specially crafted multipart POST request to an application using
Rack, a remote attacker could possibly use this issue to cause a denial of
service. (CVE-2022-30122)
It was discovered that Rack was not properly escaping untrusted data when
performing logging operations, which could cause shell escaped sequences
to be written to a terminal. If a user or automated system were tricked
into sending a specially crafted request to an application using Rack, a
remote attacker could possibly use this issue to execute arbitrary code in
the machine running the ap
Ubuntu · 2024-08-19 · CVSS 5.3 · CVE-2024-25126 [MEDIUM]
Title: Rack vulnerabilities
Summary: Several security issues were fixed in Rack.
It was discovered that Rack incorrectly parsed certain media types. A
remote attacker could possibly use this issue to cause Rack to consume
resources, leading to a denial of service. This issue only affected
Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. (CVE-2024-25126)
It was discovered that Rack incorrectly handled certain Range headers. A
remote attacker could possibly use this issue to cause Rack to create
large responses, leading to a denial of service. (CVE-2024-26141)
It was discovered that Rack incorrectly handled certain crafted headers. A
remote attacker could possibly use this issue to cause Rack to consume
resources, leading to a denial of service. (CVE-2024-26146)
Instructions: After a standard sys
Ubuntu · 2024-06-17 · CVSS 7.5 · CVE-2024-25126 [HIGH]
Title: Rack vulnerabilities
Summary: Several security issues were fixed in Rack.
It was discovered that Rack incorrectly handled Multipart MIME parsing. A
remote attacker could possibly use this issue to cause Rack to consume
resources, leading to a denial of service. This issue only affected Ubuntu
23.10. (CVE-2023-27530)
It was discovered that Rack incorrectly parsed certain media types. A
remote attacker could possibly use this issue to cause Rack to consume
resources, leading to a denial of service. (CVE-2024-25126)
It was discovered that Rack incorrectly handled certain Range headers. A
remote attacker could possibly use this issue to cause Rack to create large
responses, leading to a denial of service. This issue only affected Ubuntu
24.04 LTS. (CVE-2024-26141)
It was discovered
Ubuntu · 2024-03-12 · CVSS 5.3 · CVE-2024-26146 [MEDIUM]
Title: Rack vulnerabilities
Summary: Rack could be made to deny service if it received a specially
crafted header.
It was discovered that Rack incorrectly parsed some headers.
An attacker could possibly use this issue to cause a denial of service.
(CVE-2023-27539, CVE-2024-26141, CVE-2024-26146)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat · 2024-02-22 · CVSS 5.3 · CVE-2024-26146 [MEDIUM] · CWE-1333
rubygem-rack: Possible Denial of Service Vulnerability in Rack Header Parsing
Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. This vulnerability is fixed in 2.0.9.4, 2.1.4.4, 2.2.8.1, and 3.0.9.1.
A denial of service (DoS) vulnerability was found in rubygem-rack in how it parses Rack Header. Carefully crafted headers can cause header parsing in Rack to take longer than expected, resulting in a possible denial of service issue. Accept and Forwarded headers are impacted.
Mitigation: No mitigation is currently ava
Debian · 2024 · CVSS 5.3 · CVE-2024-26146 [MEDIUM]
CVE-2024-26146: ruby-rack - Rack is a modular Ruby web server interface. Carefully crafted headers can cause...
Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. This vulnerability is fixed in 2.0.9.4, 2.1.4.4, 2.2.8.1, and 3.0.9.1.
Scope: local
bookworm: resolved (fixed in 2.2.6.4-1+deb12u1)
bullseye: resolved (fixed in 2.1.4-3+deb11u2)
forky: resolved (fixed in 2.2.7-1.1)
sid: resolved (fixed in 2.2.7-1.1)
trixie: resolved (fixed in 2.2.7-1.1)
Debian · 2024 · CVSS 5.3 · CVE-2024-39316 [MEDIUM]
CVE-2024-39316: ruby-rack - Rack is a modular Ruby web server interface. Starting in version 3.1.0 and prior...
Rack is a modular Ruby web server interface. Starting in version 3.1.0 and prior to version 3.1.5, Regular Expression Denial of Service (ReDoS) vulnerability exists in the `Rack::Request::Helpers` module when parsing HTTP Accept headers. This vulnerability can be exploited by an attacker sending specially crafted `Accept-Encoding` or `Accept-Language` headers, causing the server to spend excessive time processing the request and leading to a Denial of Service (DoS). The fix for CVE-2024-26146 was not applied to the main branch and thus while the issue was fixed for the Rack v3.0 release series, it was not fixed in the v3.1 release series until v3.1.5. Users of versions on the 3.1 branch should upgrade to version 3.1.5 to receive the fix.
Scope: local
bookworm: resolved
bullseye: resolved
f
No detection rules found.
No public exploits indexed.
References
- https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942
- https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716
- https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582
- https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f
- https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd
- https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml
- https://lists.debian.org/debian-lts-announce/2024/04/msg00022.html
- https://security.netapp.com/advisory/ntap-20240510-0006/
Published: 2024-02-29