Vulnerability details: VCID-3hur-esmy-x3hr
Vulnerability ID VCID-3hur-esmy-x3hr
Aliases CVE-2024-47888
GHSA-wwhv-wxv9-rpgw
Summary

Possible ReDoS vulnerability in plain_text_for_blockquote_node in Action Text

There is a possible ReDoS vulnerability in the plain_text_for_blockquote_node helper in Action Text. This vulnerability has been assigned the CVE identifier CVE-2024-47888.

Impact
------
Carefully crafted text can cause the plain_text_for_blockquote_node helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately.

Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
Users can avoid calling `plain_text_for_blockquote_node` or upgrade to Ruby 3.2.

Credits
-------
Thanks to [ooooooo_q](https://hackerone.com/ooooooo_q) for the report!
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
System Score Found at
cvssv3 3.7 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47888.json
epss 0.00517 https://api.first.org/data/v1/epss?cve=CVE-2024-47888
cvssv3.1 5.9 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-wwhv-wxv9-rpgw
cvssv4 6.6 https://github.com/rails/rails
generic_textual MODERATE https://github.com/rails/rails
cvssv4 6.6 https://github.com/rails/rails/commit/4f4312b21a6448336de7c7ab0c4d94b378def468
ssvc Track https://github.com/rails/rails/commit/4f4312b21a6448336de7c7ab0c4d94b378def468
cvssv4 6.6 https://github.com/rails/rails/commit/727b0946c3cab04b825c039435eac963d4e91822
ssvc Track https://github.com/rails/rails/commit/727b0946c3cab04b825c039435eac963d4e91822
cvssv4 6.6 https://github.com/rails/rails/commit/ba286c0a310b7f19cf5cac2a7a4c9def5cf9882e
ssvc Track https://github.com/rails/rails/commit/ba286c0a310b7f19cf5cac2a7a4c9def5cf9882e
cvssv4 6.6 https://github.com/rails/rails/commit/de0df7caebd9cb238a6f10dca462dc5f8d5e98b5
ssvc Track https://github.com/rails/rails/commit/de0df7caebd9cb238a6f10dca462dc5f8d5e98b5
cvssv3.1_qr MODERATE https://github.com/rails/rails/security/advisories/GHSA-wwhv-wxv9-rpgw
cvssv4 6.6 https://github.com/rails/rails/security/advisories/GHSA-wwhv-wxv9-rpgw
generic_textual MODERATE https://github.com/rails/rails/security/advisories/GHSA-wwhv-wxv9-rpgw
ssvc Track https://github.com/rails/rails/security/advisories/GHSA-wwhv-wxv9-rpgw
cvssv4 6.6 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actiontext/CVE-2024-47888.yml
generic_textual MODERATE https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actiontext/CVE-2024-47888.yml
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47888.json
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U Found at https://github.com/rails/rails
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U Found at https://github.com/rails/rails/commit/4f4312b21a6448336de7c7ab0c4d94b378def468
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-16T20:45:54Z/ Found at https://github.com/rails/rails/commit/4f4312b21a6448336de7c7ab0c4d94b378def468
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U Found at https://github.com/rails/rails/commit/727b0946c3cab04b825c039435eac963d4e91822
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-16T20:45:54Z/ Found at https://github.com/rails/rails/commit/727b0946c3cab04b825c039435eac963d4e91822
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U Found at https://github.com/rails/rails/commit/ba286c0a310b7f19cf5cac2a7a4c9def5cf9882e
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-16T20:45:54Z/ Found at https://github.com/rails/rails/commit/ba286c0a310b7f19cf5cac2a7a4c9def5cf9882e
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U Found at https://github.com/rails/rails/commit/de0df7caebd9cb238a6f10dca462dc5f8d5e98b5
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-16T20:45:54Z/ Found at https://github.com/rails/rails/commit/de0df7caebd9cb238a6f10dca462dc5f8d5e98b5
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U Found at https://github.com/rails/rails/security/advisories/GHSA-wwhv-wxv9-rpgw
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-16T20:45:54Z/ Found at https://github.com/rails/rails/security/advisories/GHSA-wwhv-wxv9-rpgw
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actiontext/CVE-2024-47888.yml
Exploit Prediction Scoring System (EPSS)
Percentile 0.66646
EPSS Score 0.00517
Published At April 7, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:49:22.774025+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-wwhv-wxv9-rpgw/GHSA-wwhv-wxv9-rpgw.json 38.0.0