Advisories for Gem/Unpoly-Rails package

2023

Uncontrolled Resource Consumption

Unpoly is a JavaScript framework for server-side web applications. There is a possible Denial of Service (DoS) vulnerability in the unpoly-rails gem that implements the Unpoly server protocol for Rails applications. This issues affects Rails applications that operate as an upstream of a load balancer's that uses passive health checks. The unpoly-rails gem echoes the request URL as an X-Up-Location response header. By making a request with exceedingly long URLs …