CVE-2024-26146
Rack Header Parsing leads to Possible Denial of Service Vulnerability
CVSS 3.1 base score: 7.5 (HIGH)
EPSS: 0.78%
Description
Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. This vulnerability is fixed in 2.0.9.4, 2.1.4.4, 2.2.8.1, and 3.0.9.1.
How to fix CVE-2024-26146
To remediate CVE-2024-26146, upgrade the affected package to one of the fixed versions below (upstream also shipped the fix in 2.0.9.4, 2.1.4.4 and 2.2.8.1 for the older release branches).
- Debian 11 package: upgrade to 2.1.4-3+deb11u2 or later
- rack gem, 3.0 branch: upgrade to 3.0.9.1 or later
Is CVE-2024-26146 being exploited?
Low — EPSS is 0.8%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- Debian 11 package: >= 0, < 2.1.4-3+deb11u2
- rack gem: >= 3.0.0, < 3.0.9.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (7.5) | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |