Ruby On Rails · Action Mailer · CVE-2024-47889
**Name of the Vulnerable Software and Affected Versions**
Action Mailer versions 3.0.0 through 6.1.7.8
Action Mailer versions 7.0.0 through 7.0.8.4
Action Mailer versions 7.1.0 through 7.1.4.0
Action Mailer versions 7.2.0 through 7.2.1.0
**Description**
The `block_format` helper in Action Mailer has a possible ReDoS (regular expression denial of service) vulnerability. Carefully crafted text passed to the helper can make it take an unexpectedly long time to process, so an attacker who can get such text into a `block_format` call can tie up server time and cause a denial of service. Ruby 3.2 has mitigations for this problem in its regular expression engine, so Rails applications running on Ruby 3.2 or newer are unaffected.
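The example below is added here and is not code from the advisory or from Rails. It reproduces the failure mode behind a ReDoS finding (a pattern whose backtracking grows faster than linearly in the input) and shows the two runtime checks Ruby 3.2 introduced: `Regexp.linear_time?` to audit a pattern and `Regexp.timeout` to bound a match. The patterns `PRONE` and `SAFE` and the helper names are constructed for illustration; they are not the expressions used inside Action Mailer's `block_format`.

```ruby
# Added example (not code from the advisory or from Rails). PRONE and SAFE are
# constructed patterns standing in for "a regex whose run time is not linear"
# and its unambiguous rewrite; they are not Action Mailer's block_format regexes.

# Nested quantifiers: a run of "a" can be split between the inner and outer
# "+" in 2^(n-1) ways, and a trailing non-"a" makes the engine try them all.
PRONE = /\A(a+)+\z/
# Same language, only one way to match: linear time.
SAFE = /\Aa+\z/

# Crafted input: a run of "a" followed by a byte that defeats the match.
def crafted_input(n)
  ("a" * n) + "!"
end

# Ruby >= 3.2 reports whether its memoising matcher guarantees linear time
# for a pattern. Returns nil on older Rubies, which have no such check.
def linear_time?(re)
  return nil unless Regexp.respond_to?(:linear_time?)
  Regexp.linear_time?(re)
end

# Match under a wall-clock bound. On Ruby >= 3.2 the bound is enforced inside
# the engine via the global Regexp.timeout (restored afterwards). Older Rubies
# have no engine-level timeout, so a runaway match cannot be interrupted; the
# only defences there are to keep untrusted input short or avoid the pattern.
# Returns :matched, :no_match or :timeout.
def bounded_match(re, text, seconds)
  unless Regexp.respond_to?(:timeout=)
    return re.match?(text) ? :matched : :no_match
  end
  previous = Regexp.timeout
  Regexp.timeout = seconds
  begin
    re.match?(text) ? :matched : :no_match
  rescue Regexp::TimeoutError
    :timeout
  ensure
    Regexp.timeout = previous
  end
end

if __FILE__ == $0
  [PRONE, SAFE].each { |re| puts "#{re.inspect} linear_time?=#{linear_time?(re).inspect}" }
  # 22 "a"s: about two million split attempts on a pre-3.2 matcher; on 3.2+
  # memoisation makes PRONE linear, so it returns :no_match immediately.
  puts "PRONE: #{bounded_match(PRONE, crafted_input(22), 1.0)}"
  puts "SAFE:  #{bounded_match(SAFE, crafted_input(22), 1.0)}"
end
```

On a Ruby older than 3.2, `bounded_match` cannot enforce its bound because the regex engine does not check for interrupts mid-match; that is why the advisory's only workarounds on such runtimes are to upgrade the gem or stop calling the helper.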
**Recommendations**
For Action Mailer versions 3.0.0 through 6.1.7.8, upgrade to version 6.1.7.9 or apply the relevant patch immediately.
For Action Mailer versions 7.0.0 through 7.0.8.4, upgrade to version 7.0.8.5 or apply the relevant patch immediately.
For Action Mailer versions 7.1.0 through 7.1.4.0, upgrade to version 7.1.4.1 or apply the relevant patch immediately.
For Action Mailer versions 7.2.0 through 7.2.1.0, upgrade to version 7.2.1.1 or apply the relevant patch immediately.
As a temporary workaround, avoid calling the `block_format` helper.
Running on Ruby 3.2 or newer also mitigates the problem, since that release's regular expression engine contains mitigations for it.
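The script below is added here and is not part of the advisory or of Rails. It encodes the affected ranges and fixed versions listed above so that a pinned `actionmailer` version can be checked mechanically, reads that version out of a `Gemfile.lock`, and combines it with the Ruby version to decide whether the ReDoS is reachable. `Gem::Version` from RubyGems does the comparisons; the function names, the `assess` wording and the `SAMPLE_LOCK` excerpt are assumptions constructed for the example.

```ruby
# Added example (not part of the advisory or of Rails). Encodes the advisory's
# version data; function names and the sample lockfile are constructed.
require "rubygems"

# [first affected, first fixed) per release series, as listed in the advisory.
AFFECTED_RANGES = [
  ["3.0.0", "6.1.7.9"],
  ["7.0.0", "7.0.8.5"],
  ["7.1.0", "7.1.4.1"],
  ["7.2.0", "7.2.1.1"],
].map { |lo, fix| [Gem::Version.new(lo), Gem::Version.new(fix)] }

# Returns the first fixed version for +version+ if it lies in an affected
# range, nil otherwise. Gem::Version understands four-part versions (7.2.1.1).
def actionmailer_fix_for(version)
  v = Gem::Version.new(version)
  AFFECTED_RANGES.each do |lo, fix|
    return fix.to_s if v >= lo && v < fix
  end
  nil
end

# Ruby 3.2 and newer carry the regex-engine mitigation, so the ReDoS is not
# reachable even when the gem version is in an affected range.
def ruby_mitigated?(ruby_version = RUBY_VERSION)
  Gem::Version.new(ruby_version) >= Gem::Version.new("3.2")
end

# Extracts the resolved actionmailer version from Gemfile.lock text, where
# each resolved gem appears under "specs:" as "    actionmailer (7.1.4.0)".
# Dependency lines such as "actionpack (= 7.1.4.0)" do not match. Returns nil
# if the gem is absent.
def actionmailer_version_from_lock(lock_text)
  m = lock_text.match(/^[ \t]+actionmailer \((\d+(?:\.\d+)*)\)$/)
  m && m[1]
end

# Combines gem version and runtime version into a one-line assessment.
def assess(gem_version, ruby_version)
  fix = actionmailer_fix_for(gem_version)
  return "actionmailer #{gem_version}: not in an affected range" unless fix
  if ruby_mitigated?(ruby_version)
    "actionmailer #{gem_version}: affected range, but Ruby #{ruby_version} mitigates; still upgrade to #{fix}"
  else
    "actionmailer #{gem_version}: AFFECTED on Ruby #{ruby_version}; upgrade to #{fix} or avoid block_format"
  end
end

# Constructed Gemfile.lock excerpt (not taken from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionmailer (7.1.4.0)
        actionpack (= 7.1.4.0)
        actionview (= 7.1.4.0)
        activejob (= 7.1.4.0)
        mail (~> 2.5, >= 2.5.4)
      actionpack (7.1.4.0)
LOCK

if __FILE__ == $0
  v = actionmailer_version_from_lock(SAMPLE_LOCK)
  puts assess(v, RUBY_VERSION)
end
```

To run it against a real project, replace `SAMPLE_LOCK` with `File.read("Gemfile.lock")`; a lockfile pinning `actionmailer (7.1.4.0)` on Ruby 3.1 is reported as affected, while the same lockfile on Ruby 3.2 is reported as mitigated but still in need of the gem upgrade.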