Vulnerability details: VCID-hppf-a715-r7b2
Vulnerability ID VCID-hppf-a715-r7b2
Aliases CVE-2023-22795
GHSA-8xww-x3g3-6jcv
GMS-2023-56
Summary ReDoS based DoS vulnerability in Action Dispatch. There is a possible regular expression based DoS vulnerability in Action Dispatch related to the If-None-Match header. This vulnerability has been assigned the CVE identifier CVE-2023-22795. A specially crafted HTTP `If-None-Match` header can cause the regular expression engine to enter a state of catastrophic backtracking, when on a version of Ruby below 3.2.0. This can cause the process to use large amounts of CPU and memory, leading to a possible DoS vulnerability. All users running an affected release should either upgrade or use one of the workarounds immediately.
Status Published
Exploitability 0.5
Weighted Severity 6.8
Risk 3.4
Affected and Fixed Packages Package Details
Weaknesses (3)
System Score Found at
cvssv3 7.5 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22795.json
epss 0.01523 https://api.first.org/data/v1/epss?cve=CVE-2023-22795
generic_textual LOW https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118
cvssv3.1 7.5 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr LOW https://github.com/advisories/GHSA-8xww-x3g3-6jcv
generic_textual LOW https://github.com/rails/rails
generic_textual LOW https://github.com/rails/rails/commit/8d82687f3b04b2803320b64f985308239a8c3d2f
generic_textual LOW https://github.com/rails/rails/commit/8dc45950619a4c64d16fb9370570c996d201f9b0
generic_textual LOW https://github.com/rails/rails/commit/cd461c3e64e09cdcb1e379d1c35423c5e2caa592
generic_textual LOW https://github.com/rails/rails/releases/tag/v6.1.7.1
generic_textual LOW https://github.com/rails/rails/releases/tag/v7.0.4.1
generic_textual LOW https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22795.yml
generic_textual LOW https://nvd.nist.gov/vuln/detail/CVE-2023-22795
generic_textual LOW https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22795.json
https://api.first.org/data/v1/epss?cve=CVE-2023-22795
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22942
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44528
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21831
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22577
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23633
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-27777
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22792
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22794
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22795
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22796
https://discuss.rubyonrails.org/t/cve-2023-22795-possible-redos-based-dos-vulnerability-in-action-dispatch/82118
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/rails/rails
https://github.com/rails/rails/commit/8d82687f3b04b2803320b64f985308239a8c3d2f
https://github.com/rails/rails/commit/8dc45950619a4c64d16fb9370570c996d201f9b0
https://github.com/rails/rails/commit/cd461c3e64e09cdcb1e379d1c35423c5e2caa592
https://github.com/rails/rails/releases/tag/v6.1.7.1
https://github.com/rails/rails/releases/tag/v7.0.4.1
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2023-22795.yml
https://rubyonrails.org/2023/1/17/Rails-Versions-6-0-6-1-6-1-7-1-7-0-4-1-have-been-released
1030050 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1030050
2164799 https://bugzilla.redhat.com/show_bug.cgi?id=2164799
CVE-2023-22795 https://nvd.nist.gov/vuln/detail/CVE-2023-22795
GHSA-8xww-x3g3-6jcv https://github.com/advisories/GHSA-8xww-x3g3-6jcv
RHSA-2023:6818 https://access.redhat.com/errata/RHSA-2023:6818
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-22795.json
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Exploit Prediction Scoring System (EPSS)
Percentile 0.8121
EPSS Score 0.01523
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:50:52.533483+00:00 GitLab Importer Import https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/actionpack/GMS-2023-56.yml 38.0.0