High severity7.5NVD Advisory· Published Feb 16, 2016· Updated Jun 17, 2026
CVE-2015-7581
CVE-2015-7581
Description
actionpack/lib/action_dispatch/routing/route_set.rb in Action Pack in Ruby on Rails 4.x before 4.2.5.1 and 5.x before 5.0.0.beta1.1 allows remote attackers to cause a denial of service (superfluous caching and memory consumption) by leveraging an application's use of a wildcard controller route.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
actionpackRubyGems | >= 4.0.0, < 4.2.5.1 | 4.2.5.1 |
Affected products
45cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*+ 40 more
- cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*
- ghsa-coords4 versionspkg:gem/actionpackpkg:rpm/suse/portus&distro=SUSE%20Linux%20Enterprise%20Module%20for%20Containers%2012pkg:rpm/suse/rubygem-actionpack-4_1&distro=SUSE%20OpenStack%20Cloud%205pkg:rpm/suse/rubygem-actionpack-4_2&distro=SUSE%20Enterprise%20Storage%202.1
>= 4.0.0, < 4.2.5.1+ 3 more
- (no CPE)range: >= 4.0.0, < 4.2.5.1
- (no CPE)range: < 2.0.3-2.4
- (no CPE)range: < 4.1.9-9.1
- (no CPE)range: < 4.2.2-6.1
Patches
Vulnerability mechanics
References
16- github.com/advisories/GHSA-9h6g-gp95-x3q5ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2015-7581ghsaADVISORY
- lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.htmlnvdWEB
- lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.htmlnvdWEB
- lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.htmlnvdWEB
- lists.opensuse.org/opensuse-updates/2016-02/msg00043.htmlnvdWEB
- rhn.redhat.com/errata/RHSA-2016-0296.htmlnvdWEB
- www.debian.org/security/2016/dsa-3464nvdWEB
- www.openwall.com/lists/oss-security/2016/01/25/16nvdWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2015-7581.ymlghsaWEB
- groups.google.com/forum/ghsaWEB
- groups.google.com/forum/message/rawnvdWEB
- web.archive.org/web/20200228001849/http://www.securityfocus.com/bid/81677ghsaWEB
- web.archive.org/web/20200516093752/http://www.securitytracker.com/id/1034816ghsaWEB
- www.securityfocus.com/bid/81677nvd
- www.securitytracker.com/id/1034816nvd
News mentions
0No linked articles in our index yet.