CVE-2024-41128

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-41128
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-41128.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-41128
Aliases
Downstream
Related
Published
2024-10-16T18:04:42Z
Modified
2025-10-09T12:57:36.186308Z
Severity
  • 6.6 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U CVSS Calculator
Summary
Action Dispatch has possible ReDoS vulnerability in query parameter filtering
Details

Action Pack is a framework for handling and responding to web requests. Starting in version 3.1.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to version 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. One may use Ruby 3.2 as a workaround. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

References

Affected packages

Git / github.com/rails/rails

Affected ranges

Type
GIT
Repo
https://github.com/rails/rails
Events
Introduced
505e84599aff6abf719484636b0515e1ce2e2220
Fixed
b2fbbfbcaa3d662c68a9ee21ab6cf95eccc2b4ec
Type
GIT
Repo
https://github.com/rails/rails
Events
Introduced
984c3ef2775781d47efa9f541ce570daa2434a80
Fixed
f61f4ef957f80e1668797fce8a2393f3edb7ed76
Type
GIT
Repo
https://github.com/rails/rails
Events
Introduced
d39db5d1891f7509cde2efc425c9d69bbb77e670
Fixed
5b5f0da552f62e85e31e2d747d52aed2a3133f48
Type
GIT
Repo
https://github.com/rails/rails
Events
Introduced
fb6c4305939da06efdf2893d99130e7829c53e8b
Fixed
a1f6a13f691e0929d40b7e1b1e0d31aa69778128
Type
GIT
Repo
https://github.com/rails/rails
Events
Introduced
505e84599aff6abf719484636b0515e1ce2e2220
Last affected
b2fbbfbcaa3d662c68a9ee21ab6cf95eccc2b4ec
Type
GIT
Repo
https://github.com/rails/rails
Events
Introduced
984c3ef2775781d47efa9f541ce570daa2434a80
Fixed
f61f4ef957f80e1668797fce8a2393f3edb7ed76
Type
GIT
Repo
https://github.com/rails/rails
Events
Introduced
d39db5d1891f7509cde2efc425c9d69bbb77e670
Fixed
5b5f0da552f62e85e31e2d747d52aed2a3133f48
Type
GIT
Repo
https://github.com/rails/rails
Events
Introduced
fb6c4305939da06efdf2893d99130e7829c53e8b
Fixed
a1f6a13f691e0929d40b7e1b1e0d31aa69778128

Affected versions

v7.*

v7.0.0
v7.0.1
v7.0.2
v7.0.2.1
v7.0.2.2
v7.0.2.3
v7.0.2.4
v7.0.3
v7.0.3.1
v7.0.4
v7.0.4.1
v7.0.4.2
v7.0.4.3
v7.0.5
v7.0.5.1
v7.0.6
v7.0.7
v7.0.7.1
v7.0.7.2
v7.0.8
v7.0.8.1
v7.0.8.2
v7.0.8.3
v7.0.8.4
v7.1.0
v7.1.1
v7.1.2
v7.1.3
v7.1.3.1
v7.1.3.2
v7.1.3.3
v7.1.3.4
v7.1.4
v7.2.0
v7.2.1