CVE-2024-47889Regex Denial of Service in Rails

CWE-1333Regex Denial of ServiceCWE-13379 documents7 sources
Severity
6.6MEDIUMNVD
EPSS
0.3%
top 42.91%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Rubyonrails RailsRails
Timeline
PublishedOct 16
Latest updateFeb 25

Description

Action Mailer is a framework for designing email service layers. Starting in version 3.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the block_format helper in Action Mailer. Carefully crafted text can cause the block_format helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the r

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages3 packages

Debianrubyonrails/rails< 2:6.0.3.7+dfsg-2+deb11u3+3
Ubunturubyonrails/rails< 2:4.2.6-1ubuntu0.1~esm1+3
CVEListV5rails/rails4 versions+3

🔴Vulnerability Details

5
OSV
rails vulnerabilities2025-02-25
OSV
CVE-2024-47889: Action Mailer is a framework for designing email service layers2024-10-16
CVEList
Action Mailer has possible ReDoS vulnerability in block_format2024-10-16
GHSA
Possible ReDoS vulnerability in block_format in Action Mailer2024-10-15
OSV
Possible ReDoS vulnerability in block_format in Action Mailer2024-10-15

📋Vendor Advisories

3
Ubuntu
Rails vulnerabilities2025-02-25
Red Hat
rubygem-actionmailer: Possible ReDoS vulnerability in block_format in Action Mailer2024-10-15
Debian
CVE-2024-47889: rails - Action Mailer is a framework for designing email service layers. Starting in ver...2024
CVE-2024-47889 — Regex Denial of Service in Rails | cvebase