CVE-2024-47888: Regex Denial of Service in Rails

Severity: 6.6 MEDIUM (NVD)
EPSS: 0.5% (top 33.28%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Oct 16
Latest update: Feb 25

Description

Action Text brings rich text content and editing to Rails. Starting in version 6.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the `plain_text_for_blockquote_node` helper in Action Text. Carefully crafted text can cause the `plain_text_for_blockquote_node` helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages (3 packages)

Debian: rubyonrails/rails < 2:6.0.3.7+dfsg-2+deb11u3 (+3)
Ubuntu: rubyonrails/rails < 2:4.2.6-1ubuntu0.1~esm1 (+3)
CVEListV5: rails/rails, 4 versions (+3)

🔴 Vulnerability Details (5)

OSV: rails vulnerabilities (2025-02-25)
OSV: CVE-2024-47888: Action Text brings rich text content and editing to Rails (2024-10-16)
CVEList: Action Text has possible ReDoS vulnerability in plain_text_for_blockquote_node (2024-10-16)
OSV: Possible ReDoS vulnerability in plain_text_for_blockquote_node in Action Text (2024-10-15)
GHSA: Possible ReDoS vulnerability in plain_text_for_blockquote_node in Action Text (2024-10-15)

📋 Vendor Advisories (3)

Ubuntu: Rails vulnerabilities (2025-02-25)
Red Hat: rubygem-actiontext: Possible ReDoS vulnerability in plain_text_for_blockquote_node in Action Text (2024-10-15)
Debian: CVE-2024-47888: rails - Action Text brings rich text content and editing to Rails. Starting in version 6... (2024)

💬 Community (1)

HackerOne: [CVE-2024-47888] Possible ReDoS vulnerability in plain_text_for_blockquote_node in Action Text (2024-11-28)