CVE-2024-47888

See a problem?
Please try reporting it to the source first.
Source
https://nvd.nist.gov/vuln/detail/CVE-2024-47888
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2024-47888.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2024-47888
Aliases
Downstream
Related
Published
2024-10-16T20:31:06Z
Modified
2025-10-09T18:06:41.778470Z
Severity
  • 6.6 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U CVSS Calculator
Summary
Action Text has possible ReDoS vulnerability in plain_text_for_blockquote_node
Details

Action Text brings rich text content and editing to Rails. Starting in version 6.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the plain_text_for_blockquote_node helper in Action Text. Carefully crafted text can cause the plain_text_for_blockquote_node helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. As a workaround, users can avoid calling plain_text_for_blockquote_node or upgrade to Ruby 3.2. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

References

Affected packages

Git / github.com/rails/rails

Affected ranges

Type
GIT
Repo
https://github.com/rails/rails
Events
Introduced
66cabeda2c46c582d19738e1318be8d59584cc5b
Fixed
b2fbbfbcaa3d662c68a9ee21ab6cf95eccc2b4ec
Type
GIT
Repo
https://github.com/rails/rails
Events
Introduced
984c3ef2775781d47efa9f541ce570daa2434a80
Fixed
f61f4ef957f80e1668797fce8a2393f3edb7ed76
Type
GIT
Repo
https://github.com/rails/rails
Events
Introduced
d39db5d1891f7509cde2efc425c9d69bbb77e670
Fixed
5b5f0da552f62e85e31e2d747d52aed2a3133f48
Type
GIT
Repo
https://github.com/rails/rails
Events
Introduced
fb6c4305939da06efdf2893d99130e7829c53e8b
Fixed
a1f6a13f691e0929d40b7e1b1e0d31aa69778128
Type
GIT
Repo
https://github.com/rails/rails
Events
Introduced
66cabeda2c46c582d19738e1318be8d59584cc5b
Fixed
b2fbbfbcaa3d662c68a9ee21ab6cf95eccc2b4ec
Type
GIT
Repo
https://github.com/rails/rails
Events
Introduced
984c3ef2775781d47efa9f541ce570daa2434a80
Fixed
f61f4ef957f80e1668797fce8a2393f3edb7ed76
Type
GIT
Repo
https://github.com/rails/rails
Events
Introduced
d39db5d1891f7509cde2efc425c9d69bbb77e670
Fixed
5b5f0da552f62e85e31e2d747d52aed2a3133f48
Type
GIT
Repo
https://github.com/rails/rails
Events
Introduced
fb6c4305939da06efdf2893d99130e7829c53e8b
Fixed
a1f6a13f691e0929d40b7e1b1e0d31aa69778128

Affected versions

v7.*

v7.0.0
v7.0.1
v7.0.2
v7.0.2.1
v7.0.2.2
v7.0.2.3
v7.0.2.4
v7.0.3
v7.0.3.1
v7.0.4
v7.0.4.1
v7.0.4.2
v7.0.4.3
v7.0.5
v7.0.5.1
v7.0.6
v7.0.7
v7.0.7.1
v7.0.7.2
v7.0.8
v7.0.8.1
v7.0.8.2
v7.0.8.3
v7.0.8.4
v7.1.0
v7.1.1
v7.1.2
v7.1.3
v7.1.3.1
v7.1.3.2
v7.1.3.3
v7.1.3.4
v7.1.4
v7.2.0
v7.2.1