PT-2021-4061 · Ruby · Action Pack
Published 2021-05-01 · Updated 2025-09-29 · CVE-2021-22902
CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
actionpack ruby gem versions 6.0.0 through 6.0.3.6
actionpack ruby gem versions 6.1.0 through 6.1.3.1
Release series before 6.0 are not affected; the media-type validation that contains the vulnerable pattern was introduced in Rails 6.0.
Description
Action Dispatch (the HTTP layer of the actionpack gem) validates media types taken from the HTTP Accept header with a regular expression. A carefully crafted Accept header drives that regular expression into catastrophic backtracking, so a single request can pin a CPU for an extended period. The Accept header is attacker-controlled on any reachable endpoint and no authentication or user interaction is required, so an unauthenticated remote attacker can exhaust server resources and cause a denial of service. Confidentiality and integrity are not affected (C:N/I:N); availability impact is high (A:H).
Recommendations
For actionpack ruby gem versions 6.0.0 through 6.0.3.6, upgrade to 6.0.3.7 or apply the patch 6-0-Prevent-catastrophic-backtracking-during-mime-parsin.patch, which rewrites the media-type pattern so that it cannot backtrack catastrophically.
For actionpack ruby gem versions 6.1.0 through 6.1.3.1, upgrade to 6.1.3.2 or apply the patch 6-1-Prevent-catastrophic-backtracking-during-mime-parsin.patch.
If neither upgrading nor patching is possible immediately, the monkey patch published with the upstream advisory can be placed in a Rails initializer (config/initializers/) to replace the vulnerable pattern at boot. Treat this as a temporary workaround and remove it once a fixed gem is installed; a monkey patch that outlives the fix will silently shadow future upstream changes to the same constant.
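The following is an added example, not code from the actionpack gem, from the patches named above or from this advisory. It models the shape of the pattern the description refers to (a media type `name/subtype` followed by optional `;key=value` parameters with surrounding whitespace), shows why that shape backtracks exponentially, and shows one way to harden it. The constants `MIME_NAME`, `MIME_PARAM`, `VULNERABLE` and `HARDENED` are a simplified reconstruction for illustration, not the gem's own definitions, and the atomic-group fix used here is one standard technique for removing the ambiguity; the gem's patch remains the reference fix. The adversarial header is constructed for the demonstration.

```ruby
# Added example: a model of a whitespace-ambiguous media-type validator and
# a hardened variant. Constants are a simplified reconstruction, not the
# actionpack gem's code.
require "benchmark"

# A token: one alphanumeric, then up to 126 token characters.
MIME_NAME  = '[a-zA-Z0-9][a-zA-Z0-9!#$&^_.+-]{0,126}'
# One parameter: optional whitespace, ";", optional whitespace, key, optional
# ="value" where the quotes are optional. Note the LEADING \s*.
MIME_PARAM = "\\s*;\\s*#{MIME_NAME}(?:=\"?#{MIME_NAME}\"?)?"

# Vulnerable shape: the \s* in front of each parameter and the \s* that opens
# MIME_PARAM can both consume the same run of spaces, so every " ;k" has two
# parses. When the overall match fails at the end of the header the engine
# retries every combination: 2^n paths for n space-separated parameters.
VULNERABLE = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?:\s*#{MIME_PARAM})*\s*)\z/

# Hardened shape: an atomic group (?> ... ) commits to the first successful
# parse of each parameter and is never re-entered on backtracking. The star
# can still drop whole iterations, which is linear in n.
HARDENED   = /\A(?:\*\/\*|#{MIME_NAME}\/(?:\*|#{MIME_NAME})(?>\s*#{MIME_PARAM})*\s*)\z/

# Constructed adversarial Accept value: n valid parameters, each preceded by
# a space, then a character no part of the pattern accepts, so the match must
# fail and the engine must explore every way of splitting the spaces.
def evil_accept(n)
  "text/html" + (" ;a" * n) + " /"
end

# Constructed samples: both patterns must agree on all of them, since the
# hardening changes only how the engine searches, not what it accepts.
SAMPLES = {
  "text/html"                       => true,
  "text/*"                          => true,
  "*/*"                             => true,
  "application/json; charset=utf-8" => true,
  "text/html;q=0.9"                 => true,
  "text/html ; level=1"             => true,
  "text"                            => false,
  "text/html;"                      => false,
  "text/html/plain"                 => false,
  "text/html; =x"                   => false,
}

def regexes_agree?
  SAMPLES.all? do |s, expected|
    VULNERABLE.match?(s) == expected && HARDENED.match?(s) == expected
  end
end

# Wall-clock seconds for one failing match against each pattern.
def backtracking_demo(n)
  s = evil_accept(n)
  {
    n: n,
    vulnerable_s: Benchmark.realtime { VULNERABLE.match?(s) },
    hardened_s:   Benchmark.realtime { HARDENED.match?(s) },
  }
end

# Ruby >= 3.2 memoizes backtracking for patterns without atomic groups,
# lookarounds or backreferences; when this is true for VULNERABLE the
# exponential blow-up is masked by the interpreter, not by the pattern.
def memoized_by_interpreter?(re)
  Regexp.respond_to?(:linear_time?) && Regexp.linear_time?(re)
end

if __FILE__ == $PROGRAM_NAME
  puts "interpreter memoizes VULNERABLE: #{memoized_by_interpreter?(VULNERABLE)}"
  [10, 14, 18].each do |n|
    r = backtracking_demo(n)
    printf("n=%2d  vulnerable %.5fs  hardened %.6fs\n", n, r[:vulnerable_s], r[:hardened_s])
  end
end
```

Each step of n adds one more space-separated parameter, so on a Ruby older than 3.2 the vulnerable column roughly doubles with every increment of n while the hardened column stays flat; real headers can be several kilobytes, so a production request can run far beyond these small values. On Ruby 3.2 and later the interpreter's own memoization may make the vulnerable pattern look fast, which is why the example reports `Regexp.linear_time?`: a fast timing on a new interpreter is not evidence that the pattern itself is safe. Ruby 3.2's `Regexp.timeout=` is a reasonable process-wide backstop for patterns that slip through review, but it bounds the damage rather than removing the ambiguity, so it complements the upgrade rather than replacing it.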
DoS
Resource Exhaustion
Affected Products
Alt Linux
Action Pack