CVE-2024-35231: rack-contrib vulnerable to Denial of Service due to the unconstrained value of the incoming "profiler_runs" parameter

May 28, 2024

The next ruby code is vulnerable to denial of service due to the fact that the user controlled data profiler_runs was not contrained to any limitation. Which would lead to allocating resources on the server side with no limitation (CWE-770).

runs = (request.params['profiler_runs'] || @times).to_i
result = @profile.profile do
runs.times { @app.call(env) }
end

An exploit as such curl --fail "http://127.0.0.1:9292/?profiler_runs=9999999999&profile=process_time" may cause resource exhaution by a remotely controlled value.

References

github.com/advisories/GHSA-8c8q-2xw3-j869
github.com/rack/rack-contrib
github.com/rack/rack-contrib/commit/0eec2a9836329051c6742549e65a94a4c24fe6f7
github.com/rack/rack-contrib/security/advisories/GHSA-8c8q-2xw3-j869
nvd.nist.gov/vuln/detail/CVE-2024-35231

Code Behaviors & Features

Detect and mitigate CVE-2024-35231 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →