CVE-2024-26146 (rack): Possible Denial of Service Vulnerability in Rack Header Parsing

Ruby Security Advisory

There is a possible denial of service vulnerability in the header parsing
routines in Rack. This vulnerability has been assigned the CVE identifier
CVE-2024-26146.

Versions Affected: All.
Not affected: None.
Fixed Versions: 2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1

# Impact

Carefully crafted headers can cause header parsing in Rack to take longer than
expected, resulting in a possible denial of service issue. The `Accept` and
`Forwarded` headers are impacted.

Ruby 3.2 has mitigations for this problem, so Rack applications using
Ruby 3.2 or newer are unaffected.
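The following Ruby snippet is an added example, not code from the Rack project or this advisory: it reads the resolved `rack` version out of a `Gemfile.lock` and classifies a Rack/Ruby version pair against the fixed versions and the Ruby 3.2 mitigation stated above. The lockfile excerpt is constructed, and the helper names (`rack_version_from_lockfile`, `cve_2024_26146_status`) are assumptions of this example.

```ruby
# Added example (not part of the Rack advisory): classify a Rack / Ruby
# version pair against CVE-2024-26146 using only the facts in the advisory.
require "rubygems"

# Fixed Rack releases per maintained branch, as listed in the advisory.
FIXED_RACK_VERSIONS = %w[2.0.9.4 2.1.4.4 2.2.8.1 3.0.9.1]
  .map { |v| Gem::Version.new(v) }.freeze

# Returns one of:
#   :mitigated_by_ruby - Ruby 3.2+ carries mitigations (advisory text)
#   :fixed             - Rack is at or past the fix on its own branch
#   :affected          - Rack is below the fix on its own branch
#   :unknown           - branch not listed in the advisory (e.g. 3.1.x);
#                        check release notes rather than guessing
def cve_2024_26146_status(rack_version, ruby_version)
  return :mitigated_by_ruby if Gem::Version.new(ruby_version) >= Gem::Version.new("3.2")

  rack = Gem::Version.new(rack_version)
  branch = rack.segments[0, 2]                      # e.g. [2, 2] for 2.2.8
  fix = FIXED_RACK_VERSIONS.find { |f| f.segments[0, 2] == branch }
  return :unknown if fix.nil?

  rack >= fix ? :fixed : :affected
end

# Extract the resolved rack version from Gemfile.lock text: the
# "    rack (x.y.z)" line in the specs section. Dependency lines such as
# "rack (>= 1.3)" deliberately do not match. Returns nil if absent.
def rack_version_from_lockfile(lock_text)
  m = lock_text.match(/^\s+rack \(([\d.]+)\)\s*$/)
  m && m[1]
end

# Constructed sample lockfile excerpt so the example runs stand-alone.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (2.2.8)
      rack-test (2.1.0)
        rack (>= 1.3)
LOCK

if __FILE__ == $PROGRAM_NAME
  ver = rack_version_from_lockfile(SAMPLE_LOCK)
  puts "rack #{ver} on Ruby #{RUBY_VERSION}: #{cve_2024_26146_status(ver, RUBY_VERSION)}"
end
```

Point `rack_version_from_lockfile` at `File.read("Gemfile.lock")` to check a real application; a `:unknown` result means the branch is not covered by this advisory's fixed-version list.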

# Releases

The fixed releases are available at the normal locations.

# Workarounds

There are no feasible workarounds for this issue.
