Skip to content

Possible Denial of Service Vulnerability in Rack's header parsing

Low severity GitHub Reviewed Published Mar 15, 2023 to the GitHub Advisory Database • Updated Aug 18, 2023

Package

bundler rack (RubyGems)

Affected versions

>= 2.0.0, < 2.2.6.4
>= 3.0.0, < 3.0.6.1

Patched versions

2.2.6.4
3.0.6.1

Description

There is a denial of service vulnerability in the header parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2023-27539.

Versions Affected: >= 2.0.0 Not affected: None. Fixed Versions: 2.2.6.4, 3.0.6.1

Impact

Carefully crafted input can cause header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse headers using Rack (virtually all Rails applications) are impacted.

Workarounds

Setting Regexp.timeout in Ruby 3.2 is a possible workaround.

References

Published to the GitHub Advisory Database Mar 15, 2023
Reviewed Mar 15, 2023
Last updated Aug 18, 2023

Severity

Low

Weaknesses

No CWEs

CVE ID

CVE-2023-27539

GHSA ID

GHSA-c6qg-cjj8-47qp

Source code

Credits

Loading Checking history
See something to contribute? Suggest improvements for this vulnerability.