Vulnerability details: VCID-xkah-9nv9-wufd
Vulnerability ID VCID-xkah-9nv9-wufd
Aliases CVE-2023-27539, GHSA-c6qg-cjj8-47qp, GMS-2023-769
Summary
Possible Denial of Service Vulnerability in Rack’s header parsing
There is a denial of service vulnerability in the header parsing component of Rack. Carefully crafted input can cause header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse headers using Rack (virtually all Rails applications) are impacted.
Workarounds
Setting `Regexp.timeout` in Ruby 3.2 is a possible workaround.
Status Published
Exploitability 0.5
Weighted Severity 4.8
Risk 2.4
Severity scores
System           Score    Found at
cvssv3           5.3      https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-27539.json
epss             0.00328  https://api.first.org/data/v1/epss?cve=CVE-2023-27539
epss             0.00335  https://api.first.org/data/v1/epss?cve=CVE-2023-27539
epss             0.00364  https://api.first.org/data/v1/epss?cve=CVE-2023-27539
cvssv3.1         5.3      https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466
generic_textual  LOW      https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466
ssvc             Track    https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466
cvssv3.1         5.3      https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1         5.3      https://github.com/advisories/GHSA-c6qg-cjj8-47qp
cvssv3.1_qr      LOW      https://github.com/advisories/GHSA-c6qg-cjj8-47qp
ssvc             Track    https://github.com/advisories/GHSA-c6qg-cjj8-47qp
generic_textual  LOW      https://github.com/rack/rack
cvssv3.1         5.3      https://github.com/rack/rack/commit/231ef369ad0b542575fb36c74fcfcfabcf6c530c
generic_textual  LOW      https://github.com/rack/rack/commit/231ef369ad0b542575fb36c74fcfcfabcf6c530c
ssvc             Track    https://github.com/rack/rack/commit/231ef369ad0b542575fb36c74fcfcfabcf6c530c
cvssv3.1         5.3      https://github.com/rack/rack/commit/ee7919ea04303717858be1c3f16b406adc6d8cff
generic_textual  LOW      https://github.com/rack/rack/commit/ee7919ea04303717858be1c3f16b406adc6d8cff
ssvc             Track    https://github.com/rack/rack/commit/ee7919ea04303717858be1c3f16b406adc6d8cff
generic_textual  LOW      https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2023-27539.yml
cvssv3.1         5.3      https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html
generic_textual  LOW      https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html
ssvc             Track    https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html
generic_textual  LOW      https://nvd.nist.gov/vuln/detail/CVE-2023-27539
generic_textual  LOW      https://security.netapp.com/advisory/ntap-20231208-0016
cvssv3.1         5.3      https://security.netapp.com/advisory/ntap-20231208-0016/
ssvc             Track    https://security.netapp.com/advisory/ntap-20231208-0016/
cvssv3.1         5.3      https://www.debian.org/security/2023/dsa-5530
generic_textual  LOW      https://www.debian.org/security/2023/dsa-5530
ssvc             Track    https://www.debian.org/security/2023/dsa-5530
References
Reference id          Reference type  URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-27539.json
https://api.first.org/data/v1/epss?cve=CVE-2023-27539
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539
https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/rack/rack
https://github.com/rack/rack/commit/231ef369ad0b542575fb36c74fcfcfabcf6c530c
https://github.com/rack/rack/commit/ee7919ea04303717858be1c3f16b406adc6d8cff
https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html
https://security.netapp.com/advisory/ntap-20231208-0016
https://www.debian.org/security/2023/dsa-5530
1033264 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033264
2179649 https://bugzilla.redhat.com/show_bug.cgi?id=2179649
CVE-2023-27539 https://nvd.nist.gov/vuln/detail/CVE-2023-27539
CVE-2023-27539.YML https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2023-27539.yml
GHSA-c6qg-cjj8-47qp https://github.com/advisories/GHSA-c6qg-cjj8-47qp
ntap-20231208-0016 https://security.netapp.com/advisory/ntap-20231208-0016/
RHSA-2023:1953 https://access.redhat.com/errata/RHSA-2023:1953
RHSA-2023:1961 https://access.redhat.com/errata/RHSA-2023:1961
RHSA-2023:1981 https://access.redhat.com/errata/RHSA-2023:1981
RHSA-2023:2652 https://access.redhat.com/errata/RHSA-2023:2652
RHSA-2023:3082 https://access.redhat.com/errata/RHSA-2023:3082
RHSA-2023:3403 https://access.redhat.com/errata/RHSA-2023:3403
RHSA-2023:3495 https://access.redhat.com/errata/RHSA-2023:3495
RHSA-2023:6818 https://access.redhat.com/errata/RHSA-2023:6818
USN-6689-1 https://usn.ubuntu.com/6689-1/
USN-6905-1 https://usn.ubuntu.com/6905-1/
USN-7036-1 https://usn.ubuntu.com/7036-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-27539.json
  Attack Vector (AV): network
  Attack Complexity (AC): low
  Privileges Required (PR): none
  User Interaction (UI): none
  Scope (S): unchanged
  Confidentiality Impact (C): none
  Integrity Impact (I): none
  Availability Impact (A): low

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466
  Attack Vector (AV): network
  Attack Complexity (AC): low
  Privileges Required (PR): none
  User Interaction (UI): none
  Scope (S): unchanged
  Confidentiality Impact (C): low
  Integrity Impact (I): none
  Availability Impact (A): none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/ Found at https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
  Attack Vector (AV): network
  Attack Complexity (AC): low
  Privileges Required (PR): none
  User Interaction (UI): none
  Scope (S): unchanged
  Confidentiality Impact (C): none
  Integrity Impact (I): none
  Availability Impact (A): low

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/advisories/GHSA-c6qg-cjj8-47qp
  Attack Vector (AV): network
  Attack Complexity (AC): low
  Privileges Required (PR): none
  User Interaction (UI): none
  Scope (S): unchanged
  Confidentiality Impact (C): low
  Integrity Impact (I): none
  Availability Impact (A): none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/ Found at https://github.com/advisories/GHSA-c6qg-cjj8-47qp
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/rack/rack/commit/231ef369ad0b542575fb36c74fcfcfabcf6c530c
  Attack Vector (AV): network
  Attack Complexity (AC): low
  Privileges Required (PR): none
  User Interaction (UI): none
  Scope (S): unchanged
  Confidentiality Impact (C): low
  Integrity Impact (I): none
  Availability Impact (A): none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/ Found at https://github.com/rack/rack/commit/231ef369ad0b542575fb36c74fcfcfabcf6c530c
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/rack/rack/commit/ee7919ea04303717858be1c3f16b406adc6d8cff
  Attack Vector (AV): network
  Attack Complexity (AC): low
  Privileges Required (PR): none
  User Interaction (UI): none
  Scope (S): unchanged
  Confidentiality Impact (C): low
  Integrity Impact (I): none
  Availability Impact (A): none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/ Found at https://github.com/rack/rack/commit/ee7919ea04303717858be1c3f16b406adc6d8cff
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html
  Attack Vector (AV): network
  Attack Complexity (AC): low
  Privileges Required (PR): none
  User Interaction (UI): none
  Scope (S): unchanged
  Confidentiality Impact (C): low
  Integrity Impact (I): none
  Availability Impact (A): none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/ Found at https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://security.netapp.com/advisory/ntap-20231208-0016/
  Attack Vector (AV): network
  Attack Complexity (AC): low
  Privileges Required (PR): none
  User Interaction (UI): none
  Scope (S): unchanged
  Confidentiality Impact (C): low
  Integrity Impact (I): none
  Availability Impact (A): none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/ Found at https://security.netapp.com/advisory/ntap-20231208-0016/
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://www.debian.org/security/2023/dsa-5530
  Attack Vector (AV): network
  Attack Complexity (AC): low
  Privileges Required (PR): none
  User Interaction (UI): none
  Scope (S): unchanged
  Confidentiality Impact (C): low
  Integrity Impact (I): none
  Availability Impact (A): none

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/ Found at https://www.debian.org/security/2023/dsa-5530
Exploit Prediction Scoring System (EPSS)
Percentile 0.55793
EPSS Score 0.00328
Published At April 2, 2026, 12:55 p.m.
History
Date                              Actor            Action  Source                                                                                   VulnerableCode Version
2026-04-01T12:51:00.768771+00:00  GitLab Importer  Import  https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rack/GMS-2023-769.yml  38.0.0