High severity 7.5 · NVD Advisory · Published Feb 16, 2016 · Updated May 6, 2026
CVE-2016-0751
Description
actionpack/lib/action_dispatch/http/mime_type.rb in Action Pack in Ruby on Rails before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1 does not properly restrict use of the MIME type cache, which allows remote attackers to cause a denial of service (memory consumption) via a crafted HTTP Accept header.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| actionpack (RubyGems) | >= 4.2.0, < 4.2.5.1 | 4.2.5.1 |
| actionpack (RubyGems) | < 3.2.22.1 | 3.2.22.1 |
| actionpack (RubyGems) | >= 4.0.0, < 4.1.14.1 | 4.1.14.1 |
Affected products
- cpe:2.3:a:rubyonrails:rails:4.0.0:-:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.0:beta:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.1:-:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.10:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.10:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.1:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.1:rc3:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.1:rc4:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.6:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.6:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.6:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.6:rc3:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.7:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.8:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.0.9:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.0:-:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.10:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.12:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.13:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.2:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.2:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.2:rc3:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.6:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.7:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.8:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.1.9:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.0:beta2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.0:beta3:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.0:beta4:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.0:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.0:rc3:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.1:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.1:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.1:rc3:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.1:rc4:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.2:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.3:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.3:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.4:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.4:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.5:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.5:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:4.2.5:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:rails:5.0.0:beta1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:ruby_on_rails:*:*:*:*:*:*:*:* (range: <=3.2.22)
- cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.10:rc2:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.11.1:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.12:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.13:*:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:ruby_on_rails:4.0.13:rc1:*:*:*:*:*:*
- cpe:2.3:a:rubyonrails:ruby_on_rails:4.1.11:*:*:*:*:*:*:*
Patches
- 221937c8ba1d, https://github.com/rails/rails (via ghsa)
- 127967b73581, https://github.com/rails/rails (via ghsa)
- 37047b779a17, https://github.com/rails/rails (via ghsa)
References
- github.com/advisories/GHSA-ffpv-c4hm-3x6v (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2016-0751 (ghsa, ADVISORY)
- lists.fedoraproject.org/pipermail/package-announce/2016-February/178043.html (nvd, WEB)
- lists.fedoraproject.org/pipermail/package-announce/2016-February/178067.html (nvd, WEB)
- lists.opensuse.org/opensuse-security-announce/2016-04/msg00053.html (nvd, WEB)
- lists.opensuse.org/opensuse-updates/2016-02/msg00034.html (nvd, WEB)
- lists.opensuse.org/opensuse-updates/2016-02/msg00043.html (nvd, WEB)
- rhn.redhat.com/errata/RHSA-2016-0296.html (nvd, WEB)
- www.debian.org/security/2016/dsa-3464 (nvd, WEB)
- www.openwall.com/lists/oss-security/2016/01/25/9 (nvd, WEB)
- github.com/rails/rails/commit/127967b735813cd4f263df7a50426d74e7e9cc17 (ghsa, WEB)
- github.com/rails/rails/commit/221937c8ba1d291430ceddebbd4bdef7d3cb47d6 (ghsa, WEB)
- github.com/rails/rails/commit/37047b779a177b911c7161052cfc34a30e1db0af (ghsa, WEB)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2016-0751.yml (ghsa, WEB)
- groups.google.com/forum/ (ghsa, WEB)
- groups.google.com/forum/message/raw (nvd, WEB)
- web.archive.org/web/20160128201702/http://www.securitytracker.com/id/1034816 (ghsa, WEB)
- web.archive.org/web/20200227181647/http://www.securityfocus.com/bid/81800 (ghsa, WEB)
- www.securityfocus.com/bid/81800 (nvd)
- www.securitytracker.com/id/1034816 (nvd)