VYPR
High severity · NVD Advisory · Published Mar 27, 2019 · Updated Aug 4, 2024

CVE-2019-5419

Description

There is a possible denial of service vulnerability in Action View (Rails) <5.2.2.1, <5.1.6.2, <5.0.7.2, <4.2.11.1 where specially crafted Accept headers can cause Action View to consume 100% CPU and make the server unresponsive.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A specially crafted Accept header can cause a denial of service in Action View (Rails) versions prior to specific patches, leading to high CPU consumption.

Vulnerability

A denial of service vulnerability exists in Action View, a component of Ruby on Rails, in versions <5.2.2.1, <5.1.6.2, <5.0.7.2, and <4.2.11.1. The vulnerability is triggered by specially crafted Accept headers in HTTP requests, causing the server to consume 100% CPU and become unresponsive. The issue lies in how Action View parses and processes these headers, leading to a computational loop that exhausts server resources [4].

Exploitation

An attacker can exploit this vulnerability by sending a single HTTP request with a malformed or specially crafted Accept header to a Rails application running a vulnerable version. No authentication or prior access is required; the attacker only needs network connectivity to the target server. The crafted header causes Action View to enter a high-cost computation path, tying up the server's CPU resources and preventing it from handling legitimate requests [4].

Impact

Successful exploitation results in a denial of service (DoS) condition. The server becomes unresponsive due to 100% CPU consumption, affecting availability for all users. No data is exfiltrated or modified, but the service is effectively taken offline [4].

Mitigation

Upgrade to the patched versions: Action View >=5.2.2.1, >=5.1.6.2, >=5.0.7.2, or >=4.2.11.1. Red Hat issued security advisories (RHSA-2019:0796, RHSA-2019:1147, RHSA-2019:1149) offering updated packages for Red Hat Software Collections and Red Hat Enterprise Linux [1][2][3]. Alternatively, deploy a reverse proxy or web application firewall (WAF) to filter or reject malicious Accept headers as a temporary workaround.
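To turn the version ranges above into a repeatable check, the following is an added example (not code from the advisory or from Rails): it reads the locked actionview version out of a Gemfile.lock and reports which patched release applies. The Gemfile.lock fragment is constructed for the example.

```ruby
# Added example: flag an actionview version that falls in one of the
# CVE-2019-5419 affected ranges and name the patched release to move to.
require "rubygems" # Gem::Version / Gem::Requirement

# Affected ranges as published for this CVE (see the Affected packages table).
AFFECTED_RANGES = [
  [">= 4.0.0",       "< 4.2.11.1",    "4.2.11.1"],
  [">= 5.0.0",       "< 5.0.7.2",     "5.0.7.2"],
  [">= 5.1.0",       "< 5.1.6.2",     "5.1.6.2"],
  [">= 5.2.0",       "< 5.2.2.1",     "5.2.2.1"],
  [">= 6.0.0.beta1", "< 6.0.0.beta3", "6.0.0.beta3"],
].freeze

# Returns the patched version to upgrade to when `version` is affected, else nil.
def cve_2019_5419_fix_for(version)
  v = Gem::Version.new(version)
  AFFECTED_RANGES.each do |lower, upper, patched|
    return patched if Gem::Requirement.new(lower, upper).satisfied_by?(v)
  end
  nil
end

# Pulls the resolved actionview version from Gemfile.lock text. The resolved
# entry is the 4-space-indented "actionview (x.y.z)" line under "specs:";
# deeper-indented lines are dependency declarations and are skipped.
def locked_actionview_version(lockfile_text)
  m = lockfile_text.match(/^ {4}actionview \(([^)\s]+)\)/)
  m && m[1]
end

# Constructed sample Gemfile.lock fragment (not from a real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (5.2.2)
        actionview (= 5.2.2)
      actionview (5.2.2)
        activesupport (= 5.2.2)
LOCK

if __FILE__ == $0
  ver = locked_actionview_version(SAMPLE_LOCK)
  fix = cve_2019_5419_fix_for(ver)
  puts(fix ? "actionview #{ver} is affected; upgrade to #{fix}" : "actionview #{ver} is not affected")
end
```

Pass the contents of a real Gemfile.lock to `locked_actionview_version` to check a deployed application; a nil result from `cve_2019_5419_fix_for` means the locked version is outside every published range.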

AI Insight generated on May 22, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                 Affected versions               Patched versions
actionview (RubyGems)   >= 4.0.0, < 4.2.11.1            4.2.11.1
actionview (RubyGems)   >= 5.2.0, < 5.2.2.1             5.2.2.1
actionview (RubyGems)   >= 5.1.0, < 5.1.6.2             5.1.6.2
actionview (RubyGems)   >= 5.0.0, < 5.0.7.2             5.0.7.2
actionview (RubyGems)   >= 6.0.0.beta1, < 6.0.0.beta3   6.0.0.beta3

Affected products: 19

Patches: 1

Commit f4c70c222218

Only accept formats from registered mime types

https://github.com/rails/rails · John Hawthorn · Mar 5, 2019 · via ghsa
3 files changed · +23 −6
  • actionpack/lib/action_dispatch/http/mime_negotiation.rb (+5 −0, modified)
    @@ -79,6 +79,11 @@ def formats
               else
                 [Mime[:html]]
               end
    +
    +          v = v.select do |format|
    +            format.symbol || format.ref == "*/*"
    +          end
    +
               set_header k, v
             end
           end
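Review bot: the new `v.select` block can leave `v` empty when every type in the Accept header is unregistered and none of them is `*/*`; the `else [Mime[:html]]` fallback just above runs before the filter, so nothing restores a default format in that case. Worth confirming that an empty `formats` list is the intended outcome (the new `Unregistered mimes are ignored` test only covers a header that also contains a registered type) and, if it is not, appending `Mime[:html]` when the select result is empty.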
    
  • actionpack/test/controller/mime/respond_to_test.rb (+6 −4, modified)
    @@ -125,7 +125,7 @@ def using_non_conflicting_nested_js_then_js
       def custom_type_handling
         respond_to do |type|
           type.html { render body: "HTML"    }
    -      type.custom("application/crazy-xml")  { render body: "Crazy XML"  }
    +      type.custom("application/fancy-xml")  { render body: "Fancy XML"  }
           type.all  { render body: "Nothing" }
         end
       end
    @@ -314,12 +314,14 @@ def setup
         @request.host = "www.example.com"
         Mime::Type.register_alias("text/html", :iphone)
         Mime::Type.register("text/x-mobile", :mobile)
    +    Mime::Type.register("application/fancy-xml", :fancy_xml)
       end
     
       def teardown
         super
         Mime::Type.unregister(:iphone)
         Mime::Type.unregister(:mobile)
    +    Mime::Type.unregister(:fancy_xml)
       end
     
       def test_html
    @@ -489,10 +491,10 @@ def test_synonyms
       end
     
       def test_custom_types
    -    @request.accept = "application/crazy-xml"
    +    @request.accept = "application/fancy-xml"
         get :custom_type_handling
    -    assert_equal "application/crazy-xml", @response.content_type
    -    assert_equal "Crazy XML", @response.body
    +    assert_equal "application/fancy-xml", @response.content_type
    +    assert_equal "Fancy XML", @response.body
     
         @request.accept = "text/html"
         get :custom_type_handling
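Review bot: with `application/fancy-xml` now registered in `setup`, `test_custom_types` only exercises the registered-type path; the input this patch changes, an Accept header naming a type that is not registered, is no longer tested here. Suggest keeping a case that sends an unregistered type and asserts that `respond_to` falls through to `type.all` (`"Nothing"`), so the filter in `mime_negotiation.rb` is covered at the controller level and not only in `content_negotiation_test.rb`.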
    
  • actionpack/test/controller/new_base/content_negotiation_test.rb (+12 −2, modified)
    @@ -20,9 +20,19 @@ class TestContentNegotiation < Rack::TestCase
           assert_body "Hello world */*!"
         end
     
    -    test "Not all mimes are converted to symbol" do
    +    test "A js or */* Accept header will return HTML" do
    +      get "/content_negotiation/basic/hello", headers: { "HTTP_ACCEPT" => "text/javascript, */*" }
    +      assert_body "Hello world text/html!"
    +    end
    +
    +    test "A js or */* Accept header on xhr will return HTML" do
    +      get "/content_negotiation/basic/hello", headers: { "HTTP_ACCEPT" => "text/javascript, */*" }, xhr: true
    +      assert_body "Hello world text/javascript!"
    +    end
    +
    +    test "Unregistered mimes are ignored" do
           get "/content_negotiation/basic/all", headers: { "HTTP_ACCEPT" => "text/plain, mime/another" }
    -      assert_body '[:text, "mime/another"]'
    +      assert_body '[:text]'
         end
       end
     end
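Review bot: the name of the second new test, "A js or */* Accept header on xhr will return HTML", contradicts its assertion `assert_body "Hello world text/javascript!"`; rename it to say the xhr request returns JavaScript, or correct the expectation if HTML was intended. Separately, all three tests here send an Accept header that contains at least one registered type; add a case whose header lists only unregistered types (for example `"mime/another"` alone), since that is the input the new `select` in `mime_negotiation.rb` handles differently from before and its expected body is not pinned down anywhere in this patch.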
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 20

News mentions: 0

No linked articles in our index yet.