Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-ehbj-aezy-d7h4
Vulnerability ID VCID-ehbj-aezy-d7h4
Aliases CVE-2024-26142
GHSA-jjhx-jhvp-74wq
Summary Rails has possible ReDoS vulnerability in Accept header parsing in Action Dispatch # Possible ReDoS vulnerability in Accept header parsing in Action Dispatch There is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability has been assigned the CVE identifier CVE-2024-26142. Versions Affected: >= 7.1.0, < 7.1.3.1 Not affected: < 7.1.0 Fixed Versions: 7.1.3.1 Impact ------ Carefully crafted Accept headers can cause Accept header parsing in Action Dispatch to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- There are no feasible workarounds for this issue. Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 7-1-accept-redox.patch - Patch for 7.1 series Credits ------- Thanks [svalkanov](https://hackerone.com/svalkanov) for the report and patch!
Status Published
Exploitability 0.5
Weighted Severity 6.8
Risk 3.4
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-1333 Inefficient Regular Expression Complexity
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
CWE-400 Uncontrolled Resource Consumption
System Score Found at
cvssv3 5.9 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26142.json
epss 0.03542 https://api.first.org/data/v1/epss?cve=CVE-2024-26142
epss 0.03542 https://api.first.org/data/v1/epss?cve=CVE-2024-26142
epss 0.03542 https://api.first.org/data/v1/epss?cve=CVE-2024-26142
epss 0.03542 https://api.first.org/data/v1/epss?cve=CVE-2024-26142
epss 0.03542 https://api.first.org/data/v1/epss?cve=CVE-2024-26142
epss 0.03542 https://api.first.org/data/v1/epss?cve=CVE-2024-26142
epss 0.03542 https://api.first.org/data/v1/epss?cve=CVE-2024-26142
epss 0.03542 https://api.first.org/data/v1/epss?cve=CVE-2024-26142
cvssv3.1 7.5 https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946
generic_textual LOW https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946
ssvc Track https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946
cvssv3.1 7.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr LOW https://github.com/advisories/GHSA-jjhx-jhvp-74wq
generic_textual LOW https://github.com/rails/rails
cvssv3.1 7.5 https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272
generic_textual LOW https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272
ssvc Track https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272
cvssv3.1 7.5 https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq
cvssv3.1_qr LOW https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq
generic_textual LOW https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq
ssvc Track https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq
cvssv3.1 7.5 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml
generic_textual LOW https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml
ssvc Track https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml
generic_textual LOW https://nvd.nist.gov/vuln/detail/CVE-2024-26142
cvssv3.1 7.5 https://security.netapp.com/advisory/ntap-20240503-0003/
ssvc Track https://security.netapp.com/advisory/ntap-20240503-0003/
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26142.json
https://api.first.org/data/v1/epss?cve=CVE-2024-26142
https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/rails/rails
https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272
https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml
https://nvd.nist.gov/vuln/detail/CVE-2024-26142
2266324 https://bugzilla.redhat.com/show_bug.cgi?id=2266324
GHSA-jjhx-jhvp-74wq https://github.com/advisories/GHSA-jjhx-jhvp-74wq
ntap-20240503-0003 https://security.netapp.com/advisory/ntap-20240503-0003/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26142.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-28T20:01:00Z/ Found at https://discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-28T20:01:00Z/ Found at https://github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-28T20:01:00Z/ Found at https://github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-28T20:01:00Z/ Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://security.netapp.com/advisory/ntap-20240503-0003/
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-02-28T20:01:00Z/ Found at https://security.netapp.com/advisory/ntap-20240503-0003/
Exploit Prediction Scoring System (EPSS)
Percentile 0.87632
EPSS Score 0.03542
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:50:18.651432+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-jjhx-jhvp-74wq/GHSA-jjhx-jhvp-74wq.json 38.0.0