Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-yy6t-ybeu-qycc
Vulnerability ID VCID-yy6t-ybeu-qycc
Aliases CVE-2024-47889
GHSA-h47h-mwp9-c6q6
Summary Possible ReDoS vulnerability in block_format in Action Mailer There is a possible ReDoS vulnerability in the block_format helper in Action Mailer. This vulnerability has been assigned the CVE identifier CVE-2024-47889. Impact ------ Carefully crafted text can cause the block_format helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade or apply the relevant patch immediately. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 requires Ruby 3.2 or greater so is unaffected. Releases -------- The fixed releases are available at the normal locations. Workarounds ----------- Users can avoid calling the `block_format` helper or upgrade to Ruby 3.2 Credits ------- Thanks to yuki_osaki for the report!
Status Published
Exploitability 0.5
Weighted Severity 6.2
Risk 3.1
Affected and Fixed Packages Package Details
Weaknesses (4)
CWE-1333 Inefficient Regular Expression Complexity
CWE-1337 Weaknesses in the 2021 CWE Top 25 Most Dangerous Software Weaknesses
CWE-937 OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
CWE-1035 OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
System Score Found at
cvssv3 3.7 https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47889.json
epss 0.00344 https://api.first.org/data/v1/epss?cve=CVE-2024-47889
epss 0.00344 https://api.first.org/data/v1/epss?cve=CVE-2024-47889
epss 0.00344 https://api.first.org/data/v1/epss?cve=CVE-2024-47889
epss 0.00344 https://api.first.org/data/v1/epss?cve=CVE-2024-47889
epss 0.00344 https://api.first.org/data/v1/epss?cve=CVE-2024-47889
epss 0.00344 https://api.first.org/data/v1/epss?cve=CVE-2024-47889
epss 0.00344 https://api.first.org/data/v1/epss?cve=CVE-2024-47889
epss 0.00344 https://api.first.org/data/v1/epss?cve=CVE-2024-47889
cvssv3.1 5.9 https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-h47h-mwp9-c6q6
cvssv4 6.6 https://github.com/rails/rails
generic_textual MODERATE https://github.com/rails/rails
cvssv4 6.6 https://github.com/rails/rails/commit/0e5694f4d32544532d2301a9b4084eacb6986e94
ssvc Track https://github.com/rails/rails/commit/0e5694f4d32544532d2301a9b4084eacb6986e94
cvssv4 6.6 https://github.com/rails/rails/commit/3612e3eb3fbafed4f85e1c6ea4c7b6addbb0fdd3
ssvc Track https://github.com/rails/rails/commit/3612e3eb3fbafed4f85e1c6ea4c7b6addbb0fdd3
cvssv4 6.6 https://github.com/rails/rails/commit/985f1923fa62806ff676e41de67c3b4552131ab9
ssvc Track https://github.com/rails/rails/commit/985f1923fa62806ff676e41de67c3b4552131ab9
cvssv4 6.6 https://github.com/rails/rails/commit/be898cc996986decfe238341d96b2a6573b8fd2e
ssvc Track https://github.com/rails/rails/commit/be898cc996986decfe238341d96b2a6573b8fd2e
cvssv3.1_qr MODERATE https://github.com/rails/rails/security/advisories/GHSA-h47h-mwp9-c6q6
cvssv4 6.6 https://github.com/rails/rails/security/advisories/GHSA-h47h-mwp9-c6q6
generic_textual MODERATE https://github.com/rails/rails/security/advisories/GHSA-h47h-mwp9-c6q6
ssvc Track https://github.com/rails/rails/security/advisories/GHSA-h47h-mwp9-c6q6
cvssv4 6.6 https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionmailer/CVE-2024-47889.yml
generic_textual MODERATE https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionmailer/CVE-2024-47889.yml
Reference id Reference type URL
https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47889.json
https://api.first.org/data/v1/epss?cve=CVE-2024-47889
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-47889
https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
https://github.com/rails/rails
https://github.com/rails/rails/security/advisories/GHSA-h47h-mwp9-c6q6
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionmailer/CVE-2024-47889.yml
0e5694f4d32544532d2301a9b4084eacb6986e94 https://github.com/rails/rails/commit/0e5694f4d32544532d2301a9b4084eacb6986e94
1085376 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1085376
2319033 https://bugzilla.redhat.com/show_bug.cgi?id=2319033
3612e3eb3fbafed4f85e1c6ea4c7b6addbb0fdd3 https://github.com/rails/rails/commit/3612e3eb3fbafed4f85e1c6ea4c7b6addbb0fdd3
985f1923fa62806ff676e41de67c3b4552131ab9 https://github.com/rails/rails/commit/985f1923fa62806ff676e41de67c3b4552131ab9
be898cc996986decfe238341d96b2a6573b8fd2e https://github.com/rails/rails/commit/be898cc996986decfe238341d96b2a6573b8fd2e
CVE-2024-47889 https://nvd.nist.gov/vuln/detail/CVE-2024-47889
GHSA-h47h-mwp9-c6q6 https://github.com/advisories/GHSA-h47h-mwp9-c6q6
USN-7290-1 https://usn.ubuntu.com/7290-1/
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L Found at https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-47889.json
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H Found at https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U Found at https://github.com/rails/rails
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U Found at https://github.com/rails/rails/commit/0e5694f4d32544532d2301a9b4084eacb6986e94
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:27:30Z/ Found at https://github.com/rails/rails/commit/0e5694f4d32544532d2301a9b4084eacb6986e94
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U Found at https://github.com/rails/rails/commit/3612e3eb3fbafed4f85e1c6ea4c7b6addbb0fdd3
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:27:30Z/ Found at https://github.com/rails/rails/commit/3612e3eb3fbafed4f85e1c6ea4c7b6addbb0fdd3
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U Found at https://github.com/rails/rails/commit/985f1923fa62806ff676e41de67c3b4552131ab9
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:27:30Z/ Found at https://github.com/rails/rails/commit/985f1923fa62806ff676e41de67c3b4552131ab9
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U Found at https://github.com/rails/rails/commit/be898cc996986decfe238341d96b2a6573b8fd2e
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:27:30Z/ Found at https://github.com/rails/rails/commit/be898cc996986decfe238341d96b2a6573b8fd2e
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U Found at https://github.com/rails/rails/security/advisories/GHSA-h47h-mwp9-c6q6
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-17T16:27:30Z/ Found at https://github.com/rails/rails/security/advisories/GHSA-h47h-mwp9-c6q6
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U Found at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/actionmailer/CVE-2024-47889.yml
Attack Vector (AV) Attack Complexity (AC) Attack Requirements (AT) Privileges Required (PR) User Interaction (UI) Vulnerable System Impact Confidentiality (VC) Vulnerable System Impact Integrity (VI) Vulnerable System Impact Availability (VA) Subsequent System Impact Confidentiality (SC) Subsequent System Impact Integrity (SI) Subsequent System Impact Availability (SA)

network

adjacent

local

physical

low

high

none

present

none

low

high

none

passive

active

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.57047
EPSS Score 0.00344
Published At April 2, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-01T12:49:15.396266+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-h47h-mwp9-c6q6/GHSA-h47h-mwp9-c6q6.json 38.0.0