CVE-2024-41128
ReDoS vulnerability in actionpack (RubyGems)


What is CVE-2024-41128 About?

This is a ReDoS (Regular Expression Denial of Service) vulnerability affecting Action Dispatch's query parameter filtering routines. A meticulously crafted query parameter can cause excessive processing time and potentially lead to a Denial of Service (DoS) condition. The exploitation is of medium difficulty, requiring specific input patterns.

Affected Software

  • actionpack
    • >=3.1.0, <6.1.7.9
    • >=7.0.0, <7.0.8.5
    • >=7.1.0, <7.1.4.1
    • >=7.2.0, <7.2.1.1

Technical Details

The vulnerability exists within the query parameter filtering routines of Action Dispatch. Specifically, it is a Regular Expression Denial of Service (ReDoS) issue. Certain regular expressions used to filter or process query parameters are vulnerable to catastrophic backtracking when faced with 'carefully crafted query parameters'. An attacker can construct a query string that, when processed by the vulnerable regex, causes the regex engine to consume an inordinate amount of CPU resources, leading to a severe slowdown or complete unresponsiveness of the application. This prolonged processing time for a single request can exhaust server resources, preventing legitimate requests from being handled and resulting in a Denial of Service condition.
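As an added example (not code from this advisory or from Rails), the Ruby below shows the defensive shape a query-parameter filter should have against this class of bug: a constructed textbook backtracking-prone pattern next to its linear equivalent, a length cap applied before any regex runs, and a per-match time budget (Ruby 3.2's native Regexp timeout where available, `Timeout` otherwise) so a pathological value is rejected instead of stalling a worker. The patterns, constants and helper names are assumptions and are not the Action Dispatch expression.

```ruby
require "timeout"

# Constructed textbook pattern with a nested quantifier: on a near-miss input
# such as "aaaa...a!" the engine retries every way of splitting the run of a's,
# which grows exponentially with input length. NOT the Action Dispatch regex.
BACKTRACKING_PATTERN = /\A(a+)+\z/
# Linear-time pattern that accepts exactly the same strings.
LINEAR_PATTERN = /\Aa+\z/

MAX_PARAM_LENGTH = 256  # assumption: size cap enforced before any regex runs
MATCH_BUDGET_SEC = 0.5  # assumption: wall-clock budget for a single match

TIMEOUT_ERRORS = [Timeout::Error]
TIMEOUT_ERRORS << Regexp::TimeoutError if defined?(Regexp::TimeoutError)

# Returns :match, :no_match, :too_long or :timeout, always within the budget,
# so a pathological parameter value degrades to a rejected request rather
# than a worker pinned at 100% CPU.
def filter_param(value, pattern, max_len: MAX_PARAM_LENGTH, budget: MATCH_BUDGET_SEC)
  return :too_long if value.length > max_len
  matched =
    if Regexp.method_defined?(:timeout)  # Ruby >= 3.2: native per-regexp timeout
      Regexp.new(pattern.source, pattern.options, timeout: budget).match?(value)
    else                                 # older Ruby: interrupt the matching thread
      Timeout.timeout(budget) { pattern.match?(value) }
    end
  matched ? :match : :no_match
rescue *TIMEOUT_ERRORS
  :timeout
end

# Runs the filter and reports elapsed wall-clock seconds alongside the verdict.
def timed_filter(value, pattern)
  start = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  verdict = filter_param(value, pattern)
  [verdict, Process.clock_gettime(Process::CLOCK_MONOTONIC) - start]
end

if __FILE__ == $PROGRAM_NAME
  near_miss = "a" * 28 + "!"  # constructed near-miss: a run of a's then one bad char
  puts "linear:       #{timed_filter(near_miss, LINEAR_PATTERN).inspect}"
  puts "backtracking: #{timed_filter(near_miss, BACKTRACKING_PATTERN).inspect}"
  puts "oversize:     #{filter_param('a' * 300, LINEAR_PATTERN)}"
end
```

On Ruby 3.2 and later the interpreter's own memoization may already keep this toy pattern linear, in which case the budget is never hit; the length cap and the timeout are still the controls that hold regardless of engine version.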

What is the Impact of CVE-2024-41128?

Successful exploitation may allow attackers to disrupt service availability, causing applications to become unresponsive or crash, leading to a Denial of Service for legitimate users.

What is the Exploitability of CVE-2024-41128?

Exploitation involves sending a specially crafted query parameter to an affected Action Dispatch endpoint. The complexity is moderate, as it requires an understanding of the underlying regular expression used for query parameter filtering. No authentication or specific privileges are required, making this a remote, unauthenticated attack. The primary constraint is precisely crafting the query to trigger the ReDoS. Risk factors are heightened in applications that accept complex or lengthy query parameters without robust input validation, especially if exposed publicly.

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2024-41128?

Available Upgrade Options

  • actionpack
    • >=3.1.0, <6.1.7.9 → Upgrade to 6.1.7.9
    • >=7.0.0, <7.0.8.5 → Upgrade to 7.0.8.5
    • >=7.1.0, <7.1.4.1 → Upgrade to 7.1.4.1
    • >=7.2.0, <7.2.1.1 → Upgrade to 7.2.1.1


Additional Resources

What are Similar Vulnerabilities to CVE-2024-41128?

Similar Vulnerabilities: CVE-2024-47887, CVE-2023-26116, CVE-2023-37903, CVE-2023-38039, CVE-2023-41006