CVE-2024-26142 HIGH

CVE-2024-26142: Rails possible ReDoS vulnerability in Accept header parsing in Action Dispatch

Vendor Rails
Product rails
Weakness CWE-1333
Published February 27, 2024
Last update February 13, 2025

CVSS base score

7.5/10 (High)
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Scope Unchanged
Confidentiality None
Integrity None
Availability High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

What the vulnerability does

Description

Rails is a web-application framework. Starting in version 7.1.0, there is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability is patched in 7.1.3.1. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected.

Key dates

Disclosure timeline

February 27, 2024 CVE published
February 13, 2025 Record updated