
Inefficient Regular Expression Complexity

CVE-2022-44571

Severity High
Score 7.5/10

Summary

There is a denial of service vulnerability in the "Content-Disposition" parsing component of Rack versions 2.0.x prior to 2.0.9.2, 2.1.x prior to 2.1.4.2, 2.2.x prior to 2.2.6.1, and 3.0.x prior to 3.0.4.1. An attacker could craft an input that causes "Content-Disposition" header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service. This header is typically used in multipart parsing, so any application that parses multipart posts using Rack (virtually all Rails applications) is impacted.

CVSS v3 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • User Interaction: NONE
  • Scope: UNCHANGED
  • Confidentiality: NONE
  • Integrity: NONE
  • Availability: HIGH

CWE-1333 - Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
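The following is an added example written for this page; it is not Rack's code and does not reproduce the pattern Rack shipped. It illustrates both the summary above (a Content-Disposition parser whose cost explodes on crafted input) and the CWE-1333 description: a hypothetical regex of the vulnerable class is shown beside a single-pass, linear-time parser for the same header, together with a check built from the affected version ranges the advisory lists. All function names (naive_filename, parse_content_disposition, rack_affected?, and so on), the regex NAIVE_FILENAME_RE, and the worst-case input are constructed for the example.

```ruby
# Added example (not Rack's code): a hypothetical Content-Disposition filename
# extractor of the CWE-1333 class beside a single-pass, linear-time parser,
# plus a version check built from the affected ranges the advisory lists.
require "set"

# Hypothetical pattern, not the one Rack shipped. Tried from every start
# position, its leading \s* re-scans the same whitespace run on each attempt,
# so a plain backtracking engine (Ruby before 3.2) needs O(n^2) steps on input
# that contains the literal but no ';' in front of it.
NAIVE_FILENAME_RE = /\s*;\s*filename="([^"]*)"/

def naive_filename(header)
  header[NAIVE_FILENAME_RE, 1]
end

# Constructed worst-case input: n spaces and a 'filename="' literal that the
# engine's exact-string optimisation locates, but no ';' anywhere.
def pathological_header(n)
  " " * n + 'filename="x"'
end

def naive_match_seconds(n)
  t = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  naive_filename(pathological_header(n))
  Process.clock_gettime(Process::CLOCK_MONOTONIC) - t
end

# Ruby >= 3.2 can report whether a pattern is matched by its memoised
# linear-time algorithm; nil means the running interpreter cannot tell.
def matched_in_linear_time?(re)
  Regexp.respond_to?(:linear_time?) ? Regexp.linear_time?(re) : nil
end

# RFC 2616 separators plus SP/HT: the characters that terminate a token.
SEPARATORS = Set.new('()<>@,;:\\"/[]?={}'.chars + [" ", "\t"])

# Linear-time parser: every branch advances the index, no character is
# visited twice, and a quoted value may contain ';' or an escaped quote.
# Returns [disposition_type, params]; names are downcased and the first
# occurrence of a duplicated parameter name wins (a deliberate choice).
def parse_content_disposition(header)
  s = header.to_s
  n = s.length
  i = 0
  skip_ws = -> { i += 1 while i < n && (s[i] == " " || s[i] == "\t") }
  read_token = lambda do
    start = i
    i += 1 while i < n && !SEPARATORS.include?(s[i])
    s[start...i]
  end
  read_quoted = lambda do
    i += 1                                  # opening quote
    out = +""
    while i < n && s[i] != '"'
      i += 1 if s[i] == "\\" && i + 1 < n   # quoted-pair: take next char literally
      out << s[i]
      i += 1
    end
    i += 1 if i < n                         # closing quote (tolerated if missing)
    out
  end

  skip_ws.call
  type = read_token.call.downcase
  params = {}
  loop do
    i += 1 while i < n && s[i] != ";"       # skip residue up to the next ';'
    break if i >= n
    i += 1                                  # consume ';'
    skip_ws.call
    name = read_token.call.downcase
    next if name.empty?
    skip_ws.call
    value = nil
    if i < n && s[i] == "="
      i += 1
      skip_ws.call
      value = (i < n && s[i] == '"') ? read_quoted.call : read_token.call
    end
    params[name] = value unless params.key?(name)
  end
  [type, params]
end

# Fixed version per series, taken from the advisory text; a series the
# advisory does not mention yields nil (unknown) rather than false.
RACK_FIXED_VERSIONS = {
  "2.0" => "2.0.9.2", "2.1" => "2.1.4.2", "2.2" => "2.2.6.1", "3.0" => "3.0.4.1"
}.freeze

def rack_affected?(version)
  v = Gem::Version.new(version)
  fixed = RACK_FIXED_VERSIONS[v.segments.first(2).join(".")]
  fixed && v < Gem::Version.new(fixed)
end

if __FILE__ == $0
  type, params = parse_content_disposition('form-data; name="upload"; filename="re\"port;2023.pdf"')
  puts "#{type} #{params.inspect}"
  [1_000, 4_000].each { |n| printf("naive regex, n=%d: %.4fs\n", n, naive_match_seconds(n)) }
  puts "naive regex linear on this Ruby? #{matched_in_linear_time?(NAIVE_FILENAME_RE).inspect}"
  puts "rack 2.2.6 affected? #{rack_affected?('2.2.6')}"
end
```

Two things to watch when running it. On Ruby 3.2 and later the interpreter memoises backtracking for patterns without backreferences or lookaround, so the naive regex no longer shows quadratic growth there and `matched_in_linear_time?` reports true; on older Rubies the timings for n=1000 and n=4000 grow roughly sixteenfold. Independently of speed, the regex also mishandles a quoted-pair (`\"`) inside the filename, which the hand-written parser handles, so replacing the regex with a real tokenizer fixes both the complexity and the correctness problem.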

References

Advisory Timeline

  • Published