PT-2024-1927 · Rack+9

Byroot · Published 2024-02-22 · Updated 2026-03-13 · CVE-2024-25126

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

Rack versions prior to 2.2.8.1
Rack versions prior to 3.0.9.1

Description

The issue is a denial of service vulnerability in Rack's content type parsing: carefully crafted Content-Type headers can cause the media type parser to take longer than expected. This can lead to a denial of service, specifically a second-degree polynomial ReDoS.

Recommendations

For versions prior to 2.2.8.1, update to version 2.2.8.1 to resolve the issue. For versions prior to 3.0.9.1, update to version 3.0.9.1 to resolve the issue. As a temporary workaround, consider restricting access to the Content-Type header to minimize the risk of exploitation.
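One way to apply the temporary workaround at the application layer, as an added example that is not part of this advisory or of the Rack project: a small Rack middleware that rejects requests whose Content-Type header exceeds a byte limit before the value ever reaches Rack's media type parser. The 256-byte default, the 431 response and the stub downstream app are assumptions chosen for illustration; the `CONTENT_TYPE` env key is the one Rack uses for this header.

```ruby
# Added example (not advisory or Rack project code): cap the length of the
# Content-Type header so the media type parser only ever sees short input.
class ContentTypeLengthGuard
  DEFAULT_MAX_BYTES = 256 # assumed limit; real media types are far shorter

  def initialize(app, max_bytes: DEFAULT_MAX_BYTES)
    @app = app
    @max_bytes = max_bytes
  end

  def call(env)
    # Rack exposes the request's Content-Type under the CGI-style CONTENT_TYPE key.
    ctype = env["CONTENT_TYPE"]
    if ctype && ctype.bytesize > @max_bytes
      body = "Content-Type header too long\n"
      # 431 Request Header Fields Too Large: the request is refused outright,
      # so no parsing work is spent on the oversized value.
      return [431,
              { "content-type" => "text/plain",
                "content-length" => body.bytesize.to_s },
              [body]]
    end
    @app.call(env)
  end
end

# Constructed stub downstream app so the guard can run without the rack gem.
INNER_APP = ->(_env) { [200, { "content-type" => "text/plain" }, ["ok\n"]] }
GUARDED_APP = ContentTypeLengthGuard.new(INNER_APP, max_bytes: 128)

# Build a minimal Rack env for a request carrying the given Content-Type
# (nil means the header is absent) and return the [status, headers, body] triple.
def run_request(content_type)
  env = { "REQUEST_METHOD" => "POST", "PATH_INFO" => "/" }
  env["CONTENT_TYPE"] = content_type unless content_type.nil?
  GUARDED_APP.call(env)
end

if __FILE__ == $PROGRAM_NAME
  puts run_request("application/json; charset=utf-8").first        # normal request passes
  puts run_request("text/plain; " + ("a" * 500)).first             # oversized header refused
end
```

Choose the limit from the longest legitimate Content-Type your application actually receives (multipart boundaries are the usual longest case) so the guard never rejects real clients.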

Related Identifiers

ALSA-2024:2113
ALSA-2024:2953
ALSA-2024_2113
ALSA-2024_2953
BDU:2024-01715
CESA-2024_2953
CVE-2024-25126
DLA-3800-1
DSA-5698-1
GHSA-22F2-V57C-J9CX
INFSA-2024_2113
INFSA-2024_2953
MGASA-2024-0123
OESA-2024-2032
OESA-2024-2033
OESA-2024-2034
OESA-2024-2035
OPENSUSE-SU-2024:13726-1
OPENSUSE-SU-2024:13727-1
OPENSUSE-SU-2024_0765-1
OPENSUSE-SU-2025:14811-1
OPENSUSE-SU-2025:14875-1
OPENSUSE-SU-2026:10286-1
OPENSUSE-SU-2026:10358-1
RHSA-2024:10806
RHSA-2024:1841
RHSA-2024:1846
RHSA-2024:2007
RHSA-2024:2113
RHSA-2024:2581
RHSA-2024:2584
RHSA-2024:2953
RHSA-2024:3431
RHSA-2024_2113
RHSA-2024_2953
RLSA-2024:2953
SUSE-SU-2024:0765-1
SUSE-SU-2024:0946-1
SUSE-SU-2024:1131-1
SUSE-SU-2024_0765-1
SUSE-SU-2024_0946-1
USN-6837-1
USN-6837-2
USN-7036-1

Affected Products

AlmaLinux
Astra Linux
CentOS
Linux Mint
Rack
Red Hat
RED OS
Rocky Linux
SUSE
Ubuntu