CVE-2024-26146

Possible Denial of Service Vulnerability in Rack Header Parsing

Description

Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. This vulnerability is fixed in 2.0.9.4, 2.1.4.4, 2.2.8.1, and 3.0.9.1.

Category

5.3
CVSS
Severity: Medium
CVSS 3.1 •
EPSS 0.57%
Vendor Advisory rubyonrails.org Vendor Advisory github.com
Affected: rack rack
Published at:
Updated at:

References

Link Tags
https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f vendor advisory
https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716 patch
https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582 patch
https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f patch
https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd patch
https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942 vendor advisory
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml third party advisory
https://lists.debian.org/debian-lts-announce/2024/04/msg00022.html mailing list
https://security.netapp.com/advisory/ntap-20240510-0006/ third party advisory

Frequently Asked Questions

What is the severity of CVE-2024-26146?
CVE-2024-26146 has been scored as a medium severity vulnerability.
How to fix CVE-2024-26146?
To fix CVE-2024-26146, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2024-26146 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2024-26146 is being actively exploited. According to its EPSS score, there is a ~1% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2024-26146?
CVE-2024-26146 affects rack rack.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.