CVE-2024-25126 MEDIUM

CVE-2024-25126: Rack ReDos in content type parsing (2nd degree polynomial)

Vendor Rack
Product rack
Weakness CWE-1333
Published February 28, 2024
Last update February 13, 2025

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

01Description

Rack is a modular Ruby web server interface. Carefully crafted content type headers can cause Rack’s media type parser to take much longer than expected, leading to a possible denial of service vulnerability (ReDos 2nd degree polynomial). This vulnerability is patched in 3.0.9.1 and 2.2.8.1.

Key dates

02Disclosure timeline

February 28, 2024 CVE published
February 13, 2025 Record updated