Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-22f2-v57c-j9cx: Rack vulnerable to ReDoS in content type parsing (2nd degree polynomial)

Summary

module Rack
  class MediaType
    SPLIT_PATTERN = %r{\s*[;,]\s*}

The above regexp is subject to ReDos. 50K blank characters as a prefix to the header will take over 10s to split.

PoC

A simple HTTP request with lots of blank characters in the content-type header:

request["Content-Type"] = (" " * 50_000) + "a,"

Impact

It’s a very easy to craft ReDoS. Like all ReDoS the impact is debatable.

ghsa
#vulnerability#dos#git#ruby
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2024-25126

Rack vulnerable to ReDoS in content type parsing (2nd degree polynomial)

Low severity GitHub Reviewed Published Feb 28, 2024 in rack/rack • Updated Feb 28, 2024

Vulnerability details Dependabot alerts 0

Package

bundler rack (RubyGems)

Affected versions

>= 3.0.0, < 3.0.9.1

>= 0.4, < 2.2.8.1

Patched versions

3.0.9.1

2.2.8.1

Description

Summary

module Rack class MediaType SPLIT_PATTERN = %r{\s*[;,]\s*}

The above regexp is subject to ReDos. 50K blank characters as a prefix to the header will take over 10s to split.

PoC

A simple HTTP request with lots of blank characters in the content-type header:

request[“Content-Type”] = (" " * 50_000) + “a,”

Impact

It’s a very easy to craft ReDoS. Like all ReDoS the impact is debatable.

References

  • GHSA-22f2-v57c-j9cx
  • rack/rack@6efb2ce
  • rack/rack@d9c163a
  • https://discuss.rubyonrails.org/t/denial-of-service-vulnerability-in-rack-content-type-parsing/84941
  • https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-25126.yml

tenderlove published to rack/rack

Feb 28, 2024

Published to the GitHub Advisory Database

Feb 28, 2024

Reviewed

Feb 28, 2024

Last updated

Feb 28, 2024

Severity

Low

Weaknesses

No CWEs

CVE ID

CVE-2024-25126

GHSA ID

GHSA-22f2-v57c-j9cx

Source code

rack/rack

Credits

  • byroot Reporter

Checking history

See something to contribute? Suggest improvements for this vulnerability.

Related news

Ubuntu Security Notice USN-7036-1

Ubuntu Security Notice 7036-1 - It was discovered that Rack was not properly parsing data when processing multipart POST requests. If a user or automated system were tricked into sending a specially crafted multipart POST request to an application using Rack, a remote attacker could possibly use this issue to cause a denial of service. It was discovered that Rack was not properly escaping untrusted data when performing logging operations, which could cause shell escaped sequences to be written to a terminal. If a user or automated system were tricked into sending a specially crafted request to an application using Rack, a remote attacker could possibly use this issue to execute arbitrary code in the machine running the application.

Ubuntu Security Notice USN-6837-2

Ubuntu Security Notice 6837-2 - It was discovered that Rack incorrectly parsed certain media types. A remote attacker could possibly use this issue to cause Rack to consume resources, leading to a denial of service. This issue only affected Ubuntu 20.04 LTS and Ubuntu 22.04 LTS. It was discovered that Rack incorrectly handled certain Range headers. A remote attacker could possibly use this issue to cause Rack to create large responses, leading to a denial of service.

Ubuntu Security Notice USN-6837-1

Ubuntu Security Notice 6837-1 - It was discovered that Rack incorrectly handled Multipart MIME parsing. A remote attacker could possibly use this issue to cause Rack to consume resources, leading to a denial of service. This issue only affected Ubuntu 23.10. It was discovered that Rack incorrectly parsed certain media types. A remote attacker could possibly use this issue to cause Rack to consume resources, leading to a denial of service.

Red Hat Security Advisory 2024-3431-03

Red Hat Security Advisory 2024-3431-03 - An update for pcs is now available for Red Hat Enterprise Linux 8.6 Extended Update Support. Issues addressed include a denial of service vulnerability.

Debian Security Advisory 5698-1

Debian Linux Security Advisory 5698-1 - Multiple security issues were found in Rack, an interface for developing web applications in Ruby, which could result in denial of service.

Red Hat Security Advisory 2024-2584-03

Red Hat Security Advisory 2024-2584-03 - An update for pcs is now available for Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support, Red Hat Enterprise Linux 8.4 Telecommunications Update Service, and Red Hat Enterprise Linux 8.4 Update Services for SAP Solutions. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2024-2581-03

Red Hat Security Advisory 2024-2581-03 - An update for pcs is now available for Red Hat Enterprise Linux 8.8 Extended Update Support. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2024-2007-03

Red Hat Security Advisory 2024-2007-03 - An update for pcs is now available for Red Hat Enterprise Linux 8.2 Advanced Update Support, Red Hat Enterprise Linux 8.2 Telecommunications Update Service, and Red Hat Enterprise Linux 8.2 Update Services for SAP Solutions. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2024-1846-03

Red Hat Security Advisory 2024-1846-03 - An update for pcs is now available for Red Hat Enterprise Linux 9.2 Extended Update Support. Issues addressed include a denial of service vulnerability.

Red Hat Security Advisory 2024-1841-03

Red Hat Security Advisory 2024-1841-03 - An update for pcs is now available for Red Hat Enterprise Linux 9.0 Extended Update Support. Issues addressed include a denial of service vulnerability.