PT-2024-26396 · Unknown · Rack-Contrib

Analyst · Published 2024-05-27 · Updated 2024-05-28 · CVE-2024-35231

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: rack-contrib versions prior to 2.5.0
Description: The issue is a denial of service vulnerability caused by the lack of constraints on the user-controlled profiler runs value. Because the profiler runs variable is not bounded in any way, a remote client can make the server allocate resources without limit, potentially leading to a denial of service driven by remotely controlled data.
Recommendations: For versions prior to 2.5.0, update to version 2.5.0 or later, which contains a patch for the issue. As a temporary workaround, consider restricting access to the Rack::Profiler middleware to minimize the risk of exploitation. Avoid using the profiler runs parameter in the affected API endpoint until the issue is resolved.
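The two workarounds above (restrict who may reach the profiler, and keep the profiler runs value out of untrusted hands) can be implemented as a small Rack middleware placed in front of Rack::Profiler. The following is an added example, not code from rack-contrib or from this advisory; it assumes the query parameter is named `profiler_runs`, uses a constructed stand-in for the unconstrained downstream profiler, and picks a trusted-address list and a cap of 5 runs as illustrative values.

```ruby
require 'uri'

# Constructed stand-in for an unconstrained profiler: it reads profiler_runs
# straight from the query string and reports how many runs it would perform.
# This models the pre-2.5.0 behaviour described in the advisory.
UNBOUNDED_PROFILER = lambda do |env|
  params = URI.decode_www_form(env['QUERY_STRING'].to_s).to_h
  runs = (params['profiler_runs'] || 1).to_i
  [200, { 'content-type' => 'text/plain' }, ["runs=#{runs}"]]
end

# Guard middleware (assumed design, not the project's own fix):
#   1. profiling requests are only honoured from trusted client addresses;
#   2. the profiler_runs value is normalised to 1..max_runs before it reaches
#      the downstream profiler, so no request can demand unbounded work.
class ProfilerGuard
  DEFAULT_MAX_RUNS = 5
  TRUSTED_ADDRS = %w[127.0.0.1 ::1].freeze
  PARAM = 'profiler_runs'

  def initialize(app, max_runs: DEFAULT_MAX_RUNS, trusted_addrs: TRUSTED_ADDRS)
    @app = app
    @max_runs = max_runs
    @trusted_addrs = trusted_addrs
  end

  def call(env)
    params = URI.decode_www_form(env['QUERY_STRING'].to_s)
    requested = params.assoc(PARAM)
    # No profiling requested: pass through untouched.
    return @app.call(env) unless requested

    # Access restriction: untrusted clients cannot trigger profiling at all.
    unless @trusted_addrs.include?(env['REMOTE_ADDR'])
      return [403, { 'content-type' => 'text/plain' }, ['profiler disabled for this client']]
    end

    # Bound the run count: non-numeric or non-positive input becomes 1,
    # anything above the cap is clamped to the cap.
    runs = requested[1].to_i
    runs = 1 if runs < 1
    runs = [runs, @max_runs].min

    sanitized = params.reject { |k, _| k == PARAM } << [PARAM, runs.to_s]
    @app.call(env.merge('QUERY_STRING' => URI.encode_www_form(sanitized)))
  end
end

# Minimal constructed Rack env for offline use.
def build_env(query, remote_addr)
  { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/',
    'QUERY_STRING' => query, 'REMOTE_ADDR' => remote_addr }
end

GUARDED = ProfilerGuard.new(UNBOUNDED_PROFILER, max_runs: 5)

# Returns [status, body] for a request routed through the guard.
def guarded_response(query, remote_addr)
  status, _headers, body = GUARDED.call(build_env(query, remote_addr))
  [status, body.join]
end

# Returns the body the unguarded profiler would produce for the same request.
def unguarded_body(query, remote_addr)
  UNBOUNDED_PROFILER.call(build_env(query, remote_addr))[2].join
end

if __FILE__ == $PROGRAM_NAME
  puts "unguarded: #{unguarded_body('profiler_runs=1000000', '203.0.113.10')}"
  puts "guarded, remote client: #{guarded_response('profiler_runs=1000000', '203.0.113.10').inspect}"
  puts "guarded, local client:  #{guarded_response('profiler_runs=1000000', '127.0.0.1').inspect}"
end
```

In a real deployment the guard would be inserted with `use ProfilerGuard` ahead of `use Rack::Profiler` in the Rack builder; clamping is done by rewriting `QUERY_STRING` rather than by trusting the downstream middleware to validate, which is the point of the workaround until 2.5.0 is deployed.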

Weakness Enumeration

Allocation of Resources Without Limits

Related Identifiers

CVE-2024-35231
GHSA-8C8Q-2XW3-J869

Affected Products

Rack-Contrib