CVE-2024-39316 (rack): Rack ReDoS Vulnerability in HTTP Accept Headers Parsing

Ruby Security Advisory

### Summary

A Regular Expression Denial of Service (ReDoS) vulnerability exists
in the `Rack::Request::Helpers` module when parsing HTTP Accept headers.
This vulnerability can be exploited by an attacker sending specially
crafted `Accept-Encoding` or `Accept-Language` headers, causing the
server to spend excessive time processing the request and leading
to a Denial of Service (DoS).

### Details

The fix for https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f
was not applied to the main branch. As a result, although the issue was fixed
in the Rack v3.0 release series, it remained unfixed in the v3.1 release
series until v3.1.5.
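Two defender-side helpers for this advisory, written as an added example (not code from the advisory or from the Rack project): a version check that flags the unfixed v3.1 range named above, and a Rack-compatible middleware that bounds the length of the two affected headers before `Rack::Request::Helpers` parses them. The 431 response and the length bound are assumptions; the middleware is a stopgap for hosts that cannot upgrade yet, not a substitute for v3.1.5.

```ruby
require "rubygems" # for Gem::Version (loaded by default in normal Ruby)

# Range the advisory names as unfixed: v3.1 series before v3.1.5.
AFFECTED_SERIES_FLOOR = Gem::Version.new("3.1.0")
FIXED_VERSION         = Gem::Version.new("3.1.5")

def affected_rack_version?(version_string)
  v = Gem::Version.new(version_string)
  v >= AFFECTED_SERIES_FLOOR && v < FIXED_VERSION
end

# ReDoS cost grows with input length, so capping the length of the
# affected headers caps the worst-case parser time per request.
class AcceptHeaderLimiter
  # Rack exposes request headers as env keys prefixed with HTTP_.
  GUARDED = %w[HTTP_ACCEPT_ENCODING HTTP_ACCEPT_LANGUAGE].freeze
  DEFAULT_MAX = 256 # assumed bound; legitimate values are a few dozen bytes

  def initialize(app, max_length: DEFAULT_MAX)
    @app = app
    @max = max_length
  end

  def call(env)
    oversized = GUARDED.find { |k| env[k].to_s.bytesize > @max }
    if oversized
      # 431 Request Header Fields Too Large; body names the header for logs.
      name = oversized.sub("HTTP_", "").tr("_", "-")
      body = "Header #{name} too long\n"
      headers = { "content-type" => "text/plain",
                  "content-length" => body.bytesize.to_s }
      return [431, headers, [body]]
    end
    @app.call(env)
  end
end

# Constructed demo app and requests; runs offline without the rack gem.
DEMO_APP = ->(_env) { [200, { "content-type" => "text/plain" }, ["ok\n"]] }
LIMITED_APP = AcceptHeaderLimiter.new(DEMO_APP, max_length: 64)

def demo
  normal = { "HTTP_ACCEPT_ENCODING" => "gzip, deflate, br",
             "HTTP_ACCEPT_LANGUAGE" => "en-US,en;q=0.9" }
  oversized = normal.merge("HTTP_ACCEPT_LANGUAGE" => "a" * 300) # constructed
  [LIMITED_APP.call(normal).first, LIMITED_APP.call(oversized).first]
end
```

`demo` returns the status codes for a normal request and an oversized one, `[200, 431]`.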
