CVE-2024-26142 — Rails possible ReDoS vulnerability in Accept header parsing in Action Dispatch

Description

Rails is a web-application framework. Starting in version 7.1.0, there is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability is patched in 7.1.3.1. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected.

How to fix CVE-2024-26142

To remediate CVE-2024-26142, upgrade the affected package to a fixed version below.

—upgrade to 7.1.4 or later
—upgrade to 7.1.3.1 or later

Is CVE-2024-26142 being exploited?

Low — EPSS is 3.5%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

>= 7.1.0, < 7.1.4
>= 7.1.0, < 7.1.3.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH7.5	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2024-26142
PATCHgithub.com/rails/rails
WEBdiscuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946
WEBgithub.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272