Skip to main content

Inefficient Regular Expression Complexity

CVE-2024-26146

Severity Medium
Score 5.3/10

Summary

Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. This issue affects the package rack versions through 2.0.9.3, 2.1.0 through 2.1.4.3, 2.2.0 through 2.2.8, and 3.0.0.beta1 through 3.0.9.

  • LOW
  • NETWORK
  • NONE
  • UNCHANGED
  • NONE
  • NONE
  • NONE
  • LOW

CWE-1333 - Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.

Advisory Timeline

  • Published