PT-2024-7933 · Unknown+6 · Actiontext+6

Oooooo_Q · Published 2024-10-15 · Updated 2025-11-25 · CVE-2024-47888

CVSS v4.0: 6.6 (Medium)
Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

Name of the Vulnerable Software and Affected Versions

Action Text versions 6.0.0 through 6.1.7.8
Action Text versions 7.0.0 through 7.0.8.4
Action Text versions 7.1.0 through 7.1.4.0
Action Text versions 7.2.0 through 7.2.1.0

Description

A possible ReDoS vulnerability in the plain_text_for_blockquote_node helper in Action Text can cause a denial of service. Carefully crafted text can make the helper take an unexpected amount of time. This problem can be mitigated in Ruby 3.2 or newer, so Rails applications using Ruby 3.2 or newer are unaffected.

Recommendations

For Action Text versions 6.0.0 through 6.1.7.8, upgrade to version 6.1.7.9 or apply the relevant patch.
For Action Text versions 7.0.0 through 7.0.8.4, upgrade to version 7.0.8.5 or apply the relevant patch.
For Action Text versions 7.1.0 through 7.1.4.0, upgrade to version 7.1.4.1 or apply the relevant patch.
For Action Text versions 7.2.0 through 7.2.1.0, upgrade to version 7.2.1.1 or apply the relevant patch.

As a temporary workaround, users can avoid calling plain_text_for_blockquote_node or upgrade to Ruby 3.2.
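
A triage check against the affected ranges and Ruby cutoff stated in this advisory, as an added example (not code from the advisory or from the Rails project). The function names, status symbols and the sample Gemfile.lock are constructed for illustration.

```ruby
require "rubygems" # Gem::Version; explicit for clarity

# [first affected, last affected, fixed release], as listed in this advisory.
AFFECTED_RANGES = [
  ["6.0.0", "6.1.7.8", "6.1.7.9"],
  ["7.0.0", "7.0.8.4", "7.0.8.5"],
  ["7.1.0", "7.1.4.0", "7.1.4.1"],
  ["7.2.0", "7.2.1.0", "7.2.1.1"],
].map { |row| row.map { |v| Gem::Version.new(v) } }.freeze

# The advisory states applications on Ruby 3.2 or newer are unaffected.
RUBY_UNAFFECTED_FROM = Gem::Version.new("3.2")

# Constructed sample lockfile (not from a real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actiontext (7.1.4)
        actionpack (= 7.1.4)
      rails (7.1.4)
        actiontext (= 7.1.4)
LOCK

# Resolved gems sit at exactly four spaces of indent under "specs:";
# dependency constraints such as "(= 7.1.4)" are indented six and are skipped.
def actiontext_version_from_lockfile(text)
  text[/^ {4}actiontext \(([^)\s]+)\)$/, 1]
end

# Returns { status:, fixed_in: } for an Action Text / Ruby version pair.
def actiontext_cve_2024_47888_status(actiontext_version, ruby_version = RUBY_VERSION)
  at = Gem::Version.new(actiontext_version)
  rb = Gem::Version.new(ruby_version)
  hit = AFFECTED_RANGES.find { |lo, hi, _fixed| at >= lo && at <= hi }
  return { status: :not_in_affected_range, fixed_in: nil } unless hit

  status = rb >= RUBY_UNAFFECTED_FROM ? :in_range_ruby_unaffected : :affected
  { status: status, fixed_in: hit[2].to_s }
end

if __FILE__ == $PROGRAM_NAME
  version = actiontext_version_from_lockfile(SAMPLE_LOCKFILE)
  puts "actiontext #{version}: #{actiontext_cve_2024_47888_status(version)}"
end
```

Gem::Version ignores trailing zero segments, so a lockfile entry of 7.1.4 compares equal to the advisory's 7.1.4.0 upper bound and is reported as in range.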

Exploit

Fix

DoS


Weakness Enumeration

Related Identifiers

ALT-PU-2025-3714
BDU:2024-09437
BIT-RAILS-2024-47888
CVE-2024-47888
DLA-4383-1
DSA-5881-1
GHSA-WWHV-WXV9-RPGW
OPENSUSE-SU-2024:14473-1
OPENSUSE-SU-2024:14479-1
OPENSUSE-SU-2025:15111-1
OPENSUSE-SU-2025:15124-1
USN-7290-1

Affected Products

Alt Linux
Actiontext
Debian
Linuxmint
Red Os
Ruby
Ubuntu