VulnerableCode Package Details - pkg:deb/debian/ruby-rack@2.2.6.4-1%2Bdeb12u1?distro=trixie

Search for packages

Vulnerability	Summary	Fixed by
This package is not known to be affected by vulnerabilities.

Vulnerability

Summary

Fixed by

This package is not known to be affected by vulnerabilities.

Vulnerability	Summary	Aliases
VCID-7zgg-tvu3-r7gt	Rack vulnerable to ReDoS in content type parsing (2nd degree polynomial) ### Summary ```ruby module Rack class MediaType SPLIT_PATTERN = %r{\s[;,]\s} ``` The above regexp is subject to ReDos. 50K blank characters as a prefix to the header will take over 10s to split. ### PoC A simple HTTP request with lots of blank characters in the content-type header: ```ruby request["Content-Type"] = (" " * 50_000) + "a," ``` ### Impact It's a very easy to craft ReDoS. Like all ReDoS the impact is debatable.	CVE-2024-25126 GHSA-22f2-v57c-j9cx
VCID-arac-j5h5-zkcu	Rack has possible DoS Vulnerability with Range Header # Possible DoS Vulnerability with Range Header in Rack There is a possible DoS vulnerability relating to the Range request header in Rack. This vulnerability has been assigned the CVE identifier CVE-2024-26141. Versions Affected: >= 1.3.0. Not affected: < 1.3.0 Fixed Versions: 3.0.9.1, 2.2.8.1 Impact ------ Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the `Rack::File` middleware or the `Rack::Utils.byte_ranges` methods (this includes Rails applications). Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- There are no feasible workarounds for this issue. Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 3-0-range.patch - Patch for 3.0 series * 2-2-range.patch - Patch for 2.2 series Credits ------- Thank you [ooooooo_q](https://hackerone.com/ooooooo_q) for the report and patch	CVE-2024-26141 GHSA-xj5v-6v4g-jfw6
VCID-gtzk-m9rm-57hw	Rack Header Parsing leads to Possible Denial of Service Vulnerability # Possible Denial of Service Vulnerability in Rack Header Parsing There is a possible denial of service vulnerability in the header parsing routines in Rack. This vulnerability has been assigned the CVE identifier CVE-2024-26146. Versions Affected: All. Not affected: None Fixed Versions: 2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1 Impact ------ Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- There are no feasible workarounds for this issue. Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 2-0-header-redos.patch - Patch for 2.0 series * 2-1-header-redos.patch - Patch for 2.1 series * 2-2-header-redos.patch - Patch for 2.2 series * 3-0-header-redos.patch - Patch for 3.0 series Credits ------- Thanks to [svalkanov](https://hackerone.com/svalkanov) for reporting this and providing patches!	CVE-2024-26146 GHSA-54rr-7fvw-6x8f

Vulnerability

Summary

Aliases

VCID-7zgg-tvu3-r7gt

Rack vulnerable to ReDoS in content type parsing (2nd degree polynomial) ### Summary ```ruby module Rack class MediaType SPLIT_PATTERN = %r{\s*[;,]\s*} ``` The above regexp is subject to ReDos. 50K blank characters as a prefix to the header will take over 10s to split. ### PoC A simple HTTP request with lots of blank characters in the content-type header: ```ruby request["Content-Type"] = (" " * 50_000) + "a," ``` ### Impact It's a very easy to craft ReDoS. Like all ReDoS the impact is debatable.

CVE-2024-25126
GHSA-22f2-v57c-j9cx

VCID-arac-j5h5-zkcu

Rack has possible DoS Vulnerability with Range Header # Possible DoS Vulnerability with Range Header in Rack There is a possible DoS vulnerability relating to the Range request header in Rack. This vulnerability has been assigned the CVE identifier CVE-2024-26141. Versions Affected: >= 1.3.0. Not affected: < 1.3.0 Fixed Versions: 3.0.9.1, 2.2.8.1 Impact ------ Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the `Rack::File` middleware or the `Rack::Utils.byte_ranges` methods (this includes Rails applications). Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- There are no feasible workarounds for this issue. Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 3-0-range.patch - Patch for 3.0 series * 2-2-range.patch - Patch for 2.2 series Credits ------- Thank you [ooooooo_q](https://hackerone.com/ooooooo_q) for the report and patch

CVE-2024-26141
GHSA-xj5v-6v4g-jfw6

VCID-gtzk-m9rm-57hw

Rack Header Parsing leads to Possible Denial of Service Vulnerability # Possible Denial of Service Vulnerability in Rack Header Parsing There is a possible denial of service vulnerability in the header parsing routines in Rack. This vulnerability has been assigned the CVE identifier CVE-2024-26146. Versions Affected: All. Not affected: None Fixed Versions: 2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1 Impact ------ Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- There are no feasible workarounds for this issue. Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 2-0-header-redos.patch - Patch for 2.0 series * 2-1-header-redos.patch - Patch for 2.1 series * 2-2-header-redos.patch - Patch for 2.2 series * 3-0-header-redos.patch - Patch for 3.0 series Credits ------- Thanks to [svalkanov](https://hackerone.com/svalkanov) for reporting this and providing patches!

CVE-2024-26146
GHSA-54rr-7fvw-6x8f

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-16T09:32:50.371292+00:00	Debian Importer	Fixing	VCID-arac-j5h5-zkcu	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T09:32:46.766912+00:00	Debian Importer	Fixing	VCID-7zgg-tvu3-r7gt	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-16T09:09:15.801141+00:00	Debian Importer	Fixing	VCID-gtzk-m9rm-57hw	https://security-tracker.debian.org/tracker/data/json	38.4.0
2026-04-11T18:21:52.796122+00:00	Debian Importer	Fixing	VCID-arac-j5h5-zkcu	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T18:21:50.998739+00:00	Debian Importer	Fixing	VCID-7zgg-tvu3-r7gt	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-11T18:07:44.569199+00:00	Debian Importer	Fixing	VCID-gtzk-m9rm-57hw	https://security-tracker.debian.org/tracker/data/json	38.3.0
2026-04-03T07:52:20.223276+00:00	Debian Importer	Fixing	VCID-gtzk-m9rm-57hw	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:52:20.158454+00:00	Debian Importer	Fixing	VCID-arac-j5h5-zkcu	https://security-tracker.debian.org/tracker/data/json	38.1.0
2026-04-03T07:52:20.092741+00:00	Debian Importer	Fixing	VCID-7zgg-tvu3-r7gt	https://security-tracker.debian.org/tracker/data/json	38.1.0