CVE-2024-47887Regex Denial of Service in Rails

CWE-1333Regex Denial of ServiceCWE-13379 documents7 sources
Severity
6.6MEDIUMNVD
EPSS
0.3%
top 47.03%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
3
Rubyonrails RailsActionpack Project ActionpackRails
Timeline
PublishedOct 16
Latest updateFeb 25

Description

Action Pack is a framework for handling and responding to web requests. Starting in version 4.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in Action Controller's HTTP Token authentication. For applications using HTTP Token authentication via `authenticate_or_request_with_http_token` or similar, a carefully crafted header may cause header parsing to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages3 packages

Debianrubyonrails/rails< 2:6.0.3.7+dfsg-2+deb11u3+3
RubyGemsactionpack_project/actionpack4.0.06.1.7.9+3
CVEListV5rails/rails4 versions+3

🔴Vulnerability Details

5
OSV
rails vulnerabilities2025-02-25
OSV
CVE-2024-47887: Action Pack is a framework for handling and responding to web requests2024-10-16
CVEList
Action Controller has possible ReDoS vulnerability in HTTP Token authentication2024-10-16
OSV
Possible ReDoS vulnerability in HTTP Token authentication in Action Controller2024-10-15
GHSA
Possible ReDoS vulnerability in HTTP Token authentication in Action Controller2024-10-15

📋Vendor Advisories

3
Ubuntu
Rails vulnerabilities2025-02-25
Red Hat
rubygem-actionpack: Possible ReDoS vulnerability in HTTP Token authentication in Action Controller2024-10-15
Debian
CVE-2024-47887: rails - Action Pack is a framework for handling and responding to web requests. Starting...2024
CVE-2024-47887 — Regex Denial of Service in Rails | cvebase