7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-26141

GHSA ID

GHSA-xj5v-6v4g-jfw6

EPSS Score

0.48563%

CWE

CWE-400

Published

2/28/2024

Updated

2/29/2024

KEV Status

Technology

Ruby

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2024-26141

CVE-2024-26141: Rack has possible DoS Vulnerability with Range Header

Possible DoS Vulnerability with Range Header in Rack

There is a possible DoS vulnerability relating to the Range request header in Rack. This vulnerability has been assigned the CVE identifier CVE-2024-26141.

Versions Affected: >= 1.3.0. Not affected: < 1.3.0 Fixed Versions: 3.0.9.1, 2.2.8.1

Impact

Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue.

Vulnerable applications will use the Rack::File middleware or the Rack::Utils.byte_ranges methods (this includes Rails applications).

Releases

The fixed releases are available at the normal locations.

Workarounds

There are no feasible workarounds for this issue.

Patches

To aid users who aren't able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

3-0-range.patch - Patch for 3.0 series
2-2-range.patch - Patch for 2.2 series

Credits

Thank you ooooooo_q for the report and patch

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2024-26141

CVE-2024-26141:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2024-26141

GHSA ID

GHSA-xj5v-6v4g-jfw6

EPSS Score

0.48563%

CWE

CWE-400

Published

2/28/2024

Updated

2/29/2024

KEV Status

Technology

Ruby

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
rack	rubygems	>= 3.0.0, < 3.0.9.1	3.0.9.1
rack	rubygems	>= 1.3.0, < 2.2.8.1	2.2.8.1

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper validation in the Range header processing. The commit diff explicitly modifies get_byte_ranges in lib/rack/utils.rb to add a critical size check. While Rack::File and Rack::Utils.byte_ranges are mentioned as entry points, the root cause is the unpatched get_byte_ranges method. The advisory confirms this by stating applications using these components are vulnerable, and the patch directly targets get_byte_ranges.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

7.5

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2024-26141: Rack has possible DoS Vulnerability with Range Header

Possible DoS Vulnerability with Range Header in Rack

Impact

Releases

Workarounds

Patches

Credits

CVE-2024-26141:

7.5

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

Basic Information

Basic Information

CVE-2024-26141: Rack has possible DoS Vulnerability with Range Header

Possible DoS Vulnerability with Range Header in Rack

Impact

Releases

Workarounds

Patches

Credits

7.5

7.5

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI