CVE-2024-25126 (rack): Denial of Service Vulnerability in Rack Content-Type Parsing

Ruby Security Advisory

There is a possible denial of service vulnerability in the content type
parsing component of Rack. This vulnerability has been assigned the CVE
identifier CVE-2024-25126.

Versions Affected: >= 0.4
Not affected: < 0.4
Fixed Versions: 3.0.9.1, 2.2.8.1

# Impact

Carefully crafted content type headers can cause Rack's media type parser to take much longer than expected, leading to a possible denial of service vulnerability.

Impacted code will use Rack's media type parser to parse content type headers. This code will look like below:

```
request.media_type
## OR
request.media_type_params
## OR
Rack::MediaType.type(content_type)
```

Some frameworks (including Rails) call this code internally, so upgrading is recommended even if your application never calls these methods directly. All users running an affected release should upgrade immediately.

# Releases

The fixed releases are available at the normal locations.

# Workarounds

There are no feasible workarounds for this issue.
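Because there is no workaround, the practical question is simply whether the Rack version an application resolves falls in the affected range. The script below is an added example, not part of the advisory or of Rack's own code: it encodes the ranges stated above (everything from 0.4 up, fixed at 2.2.8.1 for the 2.2 series and 3.0.9.1 for the 3.0 series) and reads the resolved `rack` version out of a Gemfile.lock. The sample lockfile is constructed for the example, and the treatment of series newer than 3.0 (assumed to be cut after the fix) is an assumption the advisory does not state.

```ruby
require 'rubygems'

# Affected range from the advisory: every release >= 0.4, fixed in 2.2.8.1
# (2.2 series) and 3.0.9.1 (3.0 series).
FIRST_AFFECTED = Gem::Version.new('0.4')
FIXED_VERSIONS = ['2.2.8.1', '3.0.9.1'].map { |s| Gem::Version.new(s) }.freeze

# True when the given Rack version string is affected by CVE-2024-25126.
def rack_affected?(version)
  v = Gem::Version.new(version)
  return false if v < FIRST_AFFECTED

  # Only a series that received a fix can be "fixed": a 3.0.x release is
  # fixed at 3.0.9.1, a 2.2.x release at 2.2.8.1. A series with no fixed
  # release listed (0.4 through 1.x, 2.0, 2.1) stays affected until the
  # application moves to a fixed series.
  series_fix = FIXED_VERSIONS.find { |f| f.segments[0, 2] == v.segments[0, 2] }
  return v < series_fix if series_fix

  # Assumption (not stated in the advisory): a series newer than the newest
  # fixed release was cut after the fix and carries it.
  v < FIXED_VERSIONS.max
end

# Smallest fixed release that is an upgrade from +version+, as a string,
# or nil when the version is not affected.
def fixed_release_for(version)
  return nil unless rack_affected?(version)

  v = Gem::Version.new(version)
  FIXED_VERSIONS.find { |f| f > v }.to_s
end

# Pulls the resolved rack version out of Gemfile.lock text. Bundler lists
# each resolved gem under "specs:" indented by exactly four spaces, so the
# six-space dependency lines ("      rack (>= 1.3)") do not match.
def rack_version_from_lockfile(lockfile_text)
  lockfile_text[/^ {4}rack \(([^)]+)\)/, 1]
end

# Combines the two checks into one report for a lockfile.
def check_lockfile(lockfile_text)
  version = rack_version_from_lockfile(lockfile_text)
  return { version: nil, affected: false, upgrade_to: nil } if version.nil?

  { version: version,
    affected: rack_affected?(version),
    upgrade_to: fixed_release_for(version) }
end

# Constructed sample lockfile for the example; the versions are illustrative.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (3.0.8)
      rack-test (2.1.0)
        rack (>= 1.3)

  PLATFORMS
    ruby

  DEPENDENCIES
    rack
    rack-test
LOCK

if __FILE__ == $PROGRAM_NAME
  report = check_lockfile(SAMPLE_LOCKFILE)
  if report[:affected]
    puts "rack #{report[:version]} is affected by CVE-2024-25126; upgrade to #{report[:upgrade_to]}"
  else
    puts "rack #{report[:version].inspect} is not affected by CVE-2024-25126"
  end
end
```

Run it against a real Gemfile.lock by reading the file instead of `SAMPLE_LOCKFILE`; because the advisory offers no workaround, any `affected: true` result should be treated as a required upgrade rather than a finding to triage.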
