GoogleOSV:GHSA-22F2-V57C-J9CXRack vulnerable to ReDoS in content type parsing (2nd degree polynomial)
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5.1 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
10.5%
Summary
module Rack
class MediaType
SPLIT_PATTERN = %r{\s*[;,]\s*}
The above regexp is subject to ReDos. 50K blank characters as a prefix to the header will take over 10s to split.
PoC
A simple HTTP request with lots of blank characters in the content-type header:
request["Content-Type"] = (" " * 50_000) + "a,"
Impact
It’s a very easy to craft ReDoS. Like all ReDoS the impact is debatable.
References
discuss.rubyonrails.org/t/denial-of-service-vulnerability-in-rack-content-type-parsing/84941
github.com/rack/rack
github.com/rack/rack/commit/6efb2ceea003c4b195815a614e00438cbd543462
github.com/rack/rack/commit/d9c163a443b8cadf4711d84bd2c58cb9ef89cf49
github.com/rack/rack/security/advisories/GHSA-22f2-v57c-j9cx
github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-25126.yml
lists.debian.org/debian-lts-announce/2024/04/msg00022.html
nvd.nist.gov/vuln/detail/CVE-2024-25126
security.netapp.com/advisory/ntap-20240510-0005
Related
5.3 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
NONE
Integrity Impact
NONE
Availability Impact
LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
5.1 Medium
AI Score
Confidence
High
0.0004 Low
EPSS
Percentile
10.5%