Possible ReDoS Vulnerability in Action Mailer's Block Format Helper
CVE-2024-47889
What is CVE-2024-47889?
A ReDoS (Regular Expression Denial of Service) vulnerability exists in the block_format helper of the Action Mailer framework, affecting versions from 3.0.0 up to the fixed releases listed under Affected Version(s). Specially crafted input can make the helper take significantly longer to process, which can result in a denial of service. Users of affected versions should upgrade to the recommended secure releases or apply the necessary patches. Alternatively, running Ruby 3.2 or higher, which includes mitigations for this issue, can help prevent such exploits.

Affected Version(s)
rails >= 3.0.0, < 6.1.7.9
rails >= 7.0.0, < 7.0.8.5
rails >= 7.1.0, < 7.1.4.1
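
To check a deployed application against the ranges above, the following added example (not part of the original advisory or of Rails) reads the resolved actionmailer version from a Gemfile.lock and applies the Ruby 3.2 mitigation the page mentions. It assumes the actionmailer gem carries the same version number as rails; the names `locked_version`, `assess` and `SAMPLE_LOCK` are hypothetical, and the lockfile excerpt is constructed.

```ruby
require "rubygems" # Gem::Version and Gem::Requirement

# Affected ranges as listed on this page for CVE-2024-47889.
AFFECTED_RANGES = [
  Gem::Requirement.new(">= 3.0.0", "< 6.1.7.9"),
  Gem::Requirement.new(">= 7.0.0", "< 7.0.8.5"),
  Gem::Requirement.new(">= 7.1.0", "< 7.1.4.1"),
].freeze

# Per the page, Ruby 3.2 or higher includes mitigations for this issue.
MITIGATED_RUBY = Gem::Requirement.new(">= 3.2")

# Constructed sample Gemfile.lock excerpt (not from a real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionmailer (7.0.8.4)
        actionpack (= 7.0.8.4)
      rails (7.0.8.4)
        actionmailer (= 7.0.8.4)
LOCK

# Resolved specs sit at exactly four spaces of indent; the six-space lines
# are dependency constraints ("= 7.0.8.4") and must not be matched.
def locked_version(lockfile_text, gem_name)
  m = lockfile_text.match(/^ {4}#{Regexp.escape(gem_name)} \(([^)\s]+)\)$/)
  m && Gem::Version.new(m[1])
end

# Returns :not_found, :outside_listed_ranges, :affected_mitigated_by_ruby
# or :affected. Versions outside the listed ranges are reported as such,
# not as proven safe, because only the ranges on this page are known here.
def assess(lockfile_text, ruby_version: RUBY_VERSION)
  version = locked_version(lockfile_text, "actionmailer") ||
            locked_version(lockfile_text, "rails")
  return :not_found unless version
  in_range = AFFECTED_RANGES.any? { |range| range.satisfied_by?(version) }
  return :outside_listed_ranges unless in_range
  ruby_ok = MITIGATED_RUBY.satisfied_by?(Gem::Version.new(ruby_version))
  ruby_ok ? :affected_mitigated_by_ruby : :affected
end

puts assess(SAMPLE_LOCK) if $PROGRAM_NAME == __FILE__
```

A result of `:affected_mitigated_by_ruby` still calls for the upgrade, since the mitigation depends on the interpreter the application happens to run on.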
