High severity7.5NVD Advisory· Published Sep 6, 2017· Updated May 13, 2026

CVE-2014-6438

Description

The URI.decode_www_form_component method in Ruby before 1.9.2-p330 allows remote attackers to cause a denial of service (catastrophic regular expression backtracking, resource consumption, or application crash) via a crafted string.

Affected products

Ruby Lang/Ruby
cpe:2.3:a:ruby-lang:ruby:*:*:*:*:*:*:*:*
Range: <=1.9.2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.ruby-lang.org/en/news/2014/08/19/ruby-1-9-2-p330-released/nvdPatchRelease NotesVendor Advisory
www.securitytracker.com/id/1032874nvdThird Party AdvisoryVDB Entry
github.com/ruby/www.ruby-lang.org/issues/817nvdThird Party Advisory
www.openwall.com/lists/oss-security/2015/07/13/6nvdMailing ListVDB Entry

News mentions

No linked articles in our index yet.

cvss	0.488
epss	0.001
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000