CVE-2024-25126
Denial of Service vulnerability in rack (RubyGems)

Denial of Service | No known exploit

What is CVE-2024-25126 About?

This vulnerability is a Regular Expression Denial of Service (ReDoS) in the `Rack::MediaType` component, specifically its `SPLIT_PATTERN` regular expression. A single HTTP request whose `Content-Type` header carries a long run of whitespace characters makes the regex scan take time that grows with the square of the run length, tying up the server process that parses the header and leading to a denial of service. The crafted input is trivial to produce.

Affected Software

  • rack
    • >=3.0.0, <3.0.9.1
    • >=0.4, <2.2.8.1

Technical Details

The vulnerability lies in the `SPLIT_PATTERN` regular expression (`%r{\s*[;,]\s*}`) that `Rack::MediaType` uses to split HTTP `Content-Type` headers into the media type and its parameters. The greedy `\s*` on each side of the separator class is the problem. When the header contains a long run of whitespace (e.g., 50,000 spaces) that is not immediately followed by a `;` or `,`, the engine attempts a match from every position inside the run; from each one `\s*` swallows the rest of the run and then gives characters back one at a time while `[;,]` keeps failing. The work therefore grows with the square of the run length: quadratic (the upstream advisory describes it as a second-degree polynomial ReDoS), not exponential, but a 50,000-character run is already enough to monopolise a worker for seconds per request on an affected version. Whitespace that directly precedes a separator is matched in a single pass, so the pathological shape is a whitespace run, then some other character, and only then the separator.
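As an added example (not Rack's own code, and not the upstream patch), the following Ruby script puts the pre-fix `SPLIT_PATTERN` beside a separator-only pattern with trimming afterwards, which is the shape of the fix shipped in 2.2.8.1 and 3.0.9.1 listed under "Available Fixes" below, and times both on a constructed pathological header. `MediaTypeDemo`, its helper names and the sample headers are this example's own; the parsing helpers are simplified stand-ins for `Rack::MediaType.type` and `.params`, not the library's methods.

```ruby
require 'benchmark'

# Added example, not Rack's own code. Contrasts the pre-fix SPLIT_PATTERN used
# by Rack::MediaType with a separator-only pattern plus strip, the shape of the
# fix in rack 2.2.8.1 / 3.0.9.1. The helpers are simplified re-implementations.
module MediaTypeDemo
  # Pre-fix pattern: greedy \s* on both sides of the separator class.
  VULNERABLE_SPLIT = %r{\s*[;,]\s*}

  # Hardened pattern: match only the separator and trim whitespace afterwards.
  # The scan is a single linear pass with nothing to backtrack into.
  SAFE_SPLIT = /[;,]/

  # Media type portion, lower-cased, using the given split pattern.
  def self.type_with(pattern, content_type)
    return nil unless content_type
    if (type = content_type.split(pattern, 2).first)
      type.strip.downcase
    end
  end

  def self.type_vulnerable(content_type)
    type_with(VULNERABLE_SPLIT, content_type)
  end

  def self.type_safe(content_type)
    type_with(SAFE_SPLIT, content_type)
  end

  # Parameters after the media type, e.g. {"charset" => "utf-8"}.
  # Assumption for robustness (differs from Rack): empty fragments such as
  # the one produced by "text/html;;x" are skipped instead of raising.
  def self.params_safe(content_type)
    return {} if content_type.nil?
    content_type.split(SAFE_SPLIT)[1..].each_with_object({}) do |fragment, hash|
      key, value = fragment.strip.split('=', 2)
      next if key.nil? || key.empty?
      hash[key.downcase] = strip_doublequotes(value)
    end
  end

  def self.strip_doublequotes(str)
    return nil if str.nil?
    str.start_with?('"') && str.end_with?('"') ? str[1..-2] : str
  end

  # Constructed pathological Content-Type value. A separator is present, so the
  # engine cannot reject the input without attempting matches, but it never
  # directly follows the whitespace run: from each of the n start positions in
  # the run, \s* swallows the remainder and then backs off one character at a
  # time while [;,] keeps failing, i.e. n + (n-1) + ... + 1 steps, O(n^2).
  def self.pathological_header(n)
    "text/html#{' ' * n}x,"
  end

  # Wall-clock seconds for one parse with the given split pattern.
  def self.measure(pattern, content_type)
    Benchmark.realtime { type_with(pattern, content_type) }
  end
end

if __FILE__ == $PROGRAM_NAME
  n = (ARGV[0] || 10_000).to_i
  header = MediaTypeDemo.pathological_header(n)
  printf("n=%d  vulnerable: %.3fs  hardened: %.3fs\n", n,
         MediaTypeDemo.measure(MediaTypeDemo::VULNERABLE_SPLIT, header),
         MediaTypeDemo.measure(MediaTypeDemo::SAFE_SPLIT, header))
end
```

Run it as `ruby media_type_demo.rb 50000` and raise the argument to see the vulnerable timing grow roughly fourfold each time the run length doubles while the hardened timing stays flat. On Ruby 3.2 and later the interpreter's regex memoization may blunt the slowdown for this pattern; independent of the Rack upgrade, `Regexp.timeout` (also introduced in Ruby 3.2) is a sensible defence-in-depth cap on any single regex match.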

What is the Impact of CVE-2024-25126?

Successful exploitation lets an unauthenticated attacker burn server CPU with each crafted request, tying up the worker that parses the header for the duration of the regex scan. Enough concurrent requests degrade application performance or make the service unavailable to legitimate users, disrupting business operations. The flaw affects availability only; it does not expose or alter data.

What is the Exploitability of CVE-2024-25126?

Exploitation of this ReDoS vulnerability is of low complexity. It requires no authentication and no special privileges; an attacker only needs to send an HTTP request with a specially crafted `Content-Type` header, so the vulnerability is remotely exploitable. The header is parsed by `Rack::MediaType` whenever the application consults it, for example through `Rack::Request#media_type`, `#content_charset` or `#form_data?` (and therefore through ordinary request-parameter access), which is why most Rack applications on an affected version are reachable.

What are the Known Public Exploits?

No known public exploits.

What are the Available Fixes for CVE-2024-25126?

Available Upgrade Options

  • rack
    • >=0.4, <2.2.8.1 → Upgrade to 2.2.8.1
  • rack
    • >=3.0.0, <3.0.9.1 → Upgrade to 3.0.9.1


Additional Resources

What are Similar Vulnerabilities to CVE-2024-25126?

Similar Vulnerabilities: CVE-2023-22799 , CVE-2025-61921 , CVE-2020-8186 , CVE-2020-5267 , CVE-2023-0309