CVE-2024-41128 — Allocation of Resources Without Limits or Throttling in Rails

CWE-770 — Allocation of Resources Without Limits or Throttling CWE-1333 — Regex Denial of Service10 documents9 sources

Severity

6.6MEDIUMNVD

EPSS

0.6%

top 30.34%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rubyonrails Rails Actionpack Project Actionpack Rails

Timeline

PublishedOct 16

Latest updateMar 7

Description

Action Pack is a framework for handling and responding to web requests. Starting in version 3.1.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to version 6.1.7.9, 7.0.8.…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages3 packages

▶Debianrubyonrails/rails< 2:6.0.3.7+dfsg-2+deb11u3+3

▶RubyGemsactionpack_project/actionpack3.1.0 — 6.1.7.9+3

▶CVEListV5rails/rails4 versions+3

🔴Vulnerability Details

CVEList

Action Dispatch has possible ReDoS vulnerability in query parameter filtering↗2024-10-16

▶

OSV

CVE-2024-41128: Action Pack is a framework for handling and responding to web requests↗2024-10-16

▶

OSV

Possible ReDoS vulnerability in query parameter filtering in Action Dispatch↗2024-10-15

▶

GHSA

Possible ReDoS vulnerability in query parameter filtering in Action Dispatch↗2024-10-15

▶

📋Vendor Advisories

Ubuntu

Rails vulnerabilities↗2025-02-25

▶

Red Hat

rubygem-actionpack: Possible ReDoS vulnerability in query parameter filtering in Action Dispatch↗2024-10-15

▶

Debian

CVE-2024-41128: rails - Action Pack is a framework for handling and responding to web requests. Starting...↗2024

▶

💬Community

HackerOne

Possible ReDoS vulnerability in query parameter filtering in Action Dispatch↗2025-03-07

▶