GMS-2023-769: Possible Denial of Service Vulnerability in Rack’s header parsing

March 15, 2023

There is a denial of service vulnerability in the header parsing component of Rack. Carefully crafted input can cause header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse headers using Rack (virtually all Rails applications) are impacted. Workarounds Setting Regexp.timeout in Ruby 3.2 is a possible workaround.

References

discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466
github.com/advisories/GHSA-c6qg-cjj8-47qp
github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2023-27539.yml
nvd.nist.gov/vuln/detail/CVE-2023-27539

Detect and mitigate GMS-2023-769 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →