CVE-2024-39316

Name of the Vulnerable Software and Affected Versions Rack versions 3.1.0 through 3.1.4 Rack versions prior to 2.0.9.4 Rack versions prior to 2.1.4.4 Rack versions prior to 2.2.8.1 Rack versions prior to 3.0.9.1

Description A Regular Expression Denial of Service (ReDoS) vulnerability exists in the Rack::Request::Helpers module when parsing HTTP Accept headers. This vulnerability can be exploited by an attacker sending specially crafted Accept-Encoding or Accept-Language headers, causing the server to spend excessive time processing the request and leading to a Denial of Service (DoS).

Recommendations For Rack versions 3.1.0 through 3.1.4, upgrade to version 3.1.5 to receive the fix. For Rack versions prior to 2.0.9.4, apply the 2-0-header-redos.patch or upgrade to version 2.0.9.4. For Rack versions prior to 2.1.4.4, apply the 2-1-header-redos.patch or upgrade to version 2.1.4.4. For Rack versions prior to 2.2.8.1, apply the 2-2-header-redos.patch or upgrade to version 2.2.8.1. For Rack versions prior to 3.0.9.1, apply the 3-0-header-redos.patch or upgrade to version 3.0.9.1. As a temporary workaround, consider restricting access to the Rack::Request::Helpers module until a patch is available. Avoid using the Accept-Encoding and Accept-Language headers in the affected API endpoints until the issue is resolved.