CVE-2024-26146 MEDIUM

CVE-2024-26146: Possible Denial of Service Vulnerability in Rack Header Parsing

Vendor Rack
Product rack
Weakness CWE-1333
Published February 28, 2024
Last update February 13, 2025

CVSS base score

5.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

01Description

Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. This vulnerability is fixed in 2.0.9.4, 2.1.4.4, 2.2.8.1, and 3.0.9.1.

Key dates

02Disclosure timeline

February 28, 2024 CVE published
February 13, 2025 Record updated