VulnerableCode Vulnerability Details

Staging Environment: Content and features may be unstable or change without notice.

Search for vulnerabilities

Vulnerability details: VCID-gtzk-m9rm-57hw

Essentials
Severities (39)
References (32)
Severity details (31)
Exploits (0)
EPSS
History (1)

Vulnerability ID	VCID-gtzk-m9rm-57hw
Aliases	CVE-2024-26146 GHSA-54rr-7fvw-6x8f
Summary	Rack Header Parsing leads to Possible Denial of Service Vulnerability # Possible Denial of Service Vulnerability in Rack Header Parsing There is a possible denial of service vulnerability in the header parsing routines in Rack. This vulnerability has been assigned the CVE identifier CVE-2024-26146. Versions Affected: All. Not affected: None Fixed Versions: 2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1 Impact ------ Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- There are no feasible workarounds for this issue. Patches ------- To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset. * 2-0-header-redos.patch - Patch for 2.0 series * 2-1-header-redos.patch - Patch for 2.1 series * 2-2-header-redos.patch - Patch for 2.2 series * 3-0-header-redos.patch - Patch for 3.0 series Credits ------- Thanks to [svalkanov](https://hackerone.com/svalkanov) for reporting this and providing patches!
Status	Published
Exploitability	0.5
Weighted Severity	4.8
Risk	2.4
Affected and Fixed Packages	Package Details

Weaknesses (3)

CWE-1333	Inefficient Regular Expression Complexity
CWE-937	OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035	OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities

System	Score	Found at
cvssv3	5.3	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26146.json
epss	0.00699	https://api.first.org/data/v1/epss?cve=CVE-2024-26146
epss	0.00699	https://api.first.org/data/v1/epss?cve=CVE-2024-26146
epss	0.00714	https://api.first.org/data/v1/epss?cve=CVE-2024-26146
epss	0.00714	https://api.first.org/data/v1/epss?cve=CVE-2024-26146
epss	0.00714	https://api.first.org/data/v1/epss?cve=CVE-2024-26146
epss	0.00775	https://api.first.org/data/v1/epss?cve=CVE-2024-26146
epss	0.00775	https://api.first.org/data/v1/epss?cve=CVE-2024-26146
epss	0.00775	https://api.first.org/data/v1/epss?cve=CVE-2024-26146
cvssv3.1	5.3	https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942
generic_textual	LOW	https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942
ssvc	Track	https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942
cvssv3.1	5.3	https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr	LOW	https://github.com/advisories/GHSA-54rr-7fvw-6x8f
generic_textual	LOW	https://github.com/rack/rack
cvssv3.1	5.3	https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716
generic_textual	LOW	https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716
ssvc	Track	https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716
cvssv3.1	5.3	https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582
generic_textual	LOW	https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582
ssvc	Track	https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582
cvssv3.1	5.3	https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f
generic_textual	LOW	https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f
ssvc	Track	https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f
cvssv3.1	5.3	https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd
generic_textual	LOW	https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd
ssvc	Track	https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd
cvssv3.1	5.3	https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f
cvssv3.1_qr	LOW	https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f
generic_textual	LOW	https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f
ssvc	Track	https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f
cvssv3.1	5.3	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml
generic_textual	LOW	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml
ssvc	Track	https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml
cvssv3.1	5.3	https://lists.debian.org/debian-lts-announce/2024/04/msg00022.html
ssvc	Track	https://lists.debian.org/debian-lts-announce/2024/04/msg00022.html
generic_textual	LOW	https://nvd.nist.gov/vuln/detail/CVE-2024-26146
cvssv3.1	5.3	https://security.netapp.com/advisory/ntap-20240510-0006/
ssvc	Track	https://security.netapp.com/advisory/ntap-20240510-0006/

Reference id	Reference type	URL
		https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26146.json
		https://api.first.org/data/v1/epss?cve=CVE-2024-26146
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25126
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26141
		https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26146
		https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942
		https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
		https://github.com/rack/rack
		https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716
		https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582
		https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f
		https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd
		https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f
		https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml
		https://nvd.nist.gov/vuln/detail/CVE-2024-26146
1064516		https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064516
2265595		https://bugzilla.redhat.com/show_bug.cgi?id=2265595
GHSA-54rr-7fvw-6x8f		https://github.com/advisories/GHSA-54rr-7fvw-6x8f
ntap-20240510-0006		https://security.netapp.com/advisory/ntap-20240510-0006/
RHSA-2024:10806		https://access.redhat.com/errata/RHSA-2024:10806
RHSA-2024:1841		https://access.redhat.com/errata/RHSA-2024:1841
RHSA-2024:1846		https://access.redhat.com/errata/RHSA-2024:1846
RHSA-2024:2007		https://access.redhat.com/errata/RHSA-2024:2007
RHSA-2024:2113		https://access.redhat.com/errata/RHSA-2024:2113
RHSA-2024:2581		https://access.redhat.com/errata/RHSA-2024:2581
RHSA-2024:2584		https://access.redhat.com/errata/RHSA-2024:2584
RHSA-2024:2953		https://access.redhat.com/errata/RHSA-2024:2953
RHSA-2024:3431		https://access.redhat.com/errata/RHSA-2024:3431
USN-6689-1		https://usn.ubuntu.com/6689-1/
USN-6837-1		https://usn.ubuntu.com/6837-1/
USN-6837-2		https://usn.ubuntu.com/6837-2/
USN-7036-1		https://usn.ubuntu.com/7036-1/

No exploits are available.

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26146.json

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/ Found at https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/ Found at https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/ Found at https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/ Found at https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/ Found at https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/ Found at https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/ Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://lists.debian.org/debian-lts-announce/2024/04/msg00022.html

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/ Found at https://lists.debian.org/debian-lts-announce/2024/04/msg00022.html

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://security.netapp.com/advisory/ntap-20240510-0006/

Attack Vector (AV)	Attack Complexity (AC)	Privileges Required (PR)	User Interaction (UI)	Scope (S)	Confidentiality Impact (C)	Integrity Impact (I)	Availability Impact (A)
network adjacent_network local physical	low high	none low high	none required	unchanged changed	high low none	high low none	high low none

Attack Vector (AV)

Attack Complexity (AC)

Privileges Required (PR)

User Interaction (UI)

Scope (S)

Confidentiality Impact (C)

Integrity Impact (I)

Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none

Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/ Found at https://security.netapp.com/advisory/ntap-20240510-0006/

Exploit Prediction Scoring System (EPSS)

Percentile	0.71937
EPSS Score	0.00699
Published At	April 2, 2026, 12:55 p.m.

Date	Actor	Action	Source	VulnerableCode Version
2026-04-01T12:50:21.101903+00:00	GithubOSV Importer	Import	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/02/GHSA-54rr-7fvw-6x8f/GHSA-54rr-7fvw-6x8f.json	38.0.0