CVE-2021-22902
Description
The actionpack ruby gem (a framework for handling and responding to web requests in Rails) before 6.0.3.7, 6.1.3.2 suffers from a possible denial of service vulnerability in the Mime type parser of Action Dispatch. Carefully crafted Accept headers can cause the mime type parser in Action Dispatch to do catastrophic backtracking in the regular expression engine.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Action Dispatch's MIME type parser in actionpack before 6.0.3.7 and 6.1.3.2 is vulnerable to ReDoS: a crafted Accept header drives the parser's regular expression into catastrophic backtracking.
Vulnerability
The actionpack Ruby gem, used for handling and responding to web requests in Rails, contains a denial of service vulnerability in the MIME type parser of Action Dispatch. Versions 6.0.0 up to (but not including) 6.0.3.7, and 6.1.0 up to (but not including) 6.1.3.2 are affected; versions prior to 6.0.0 are not affected [1][3]. The bug resides in the regular expression used to parse HTTP Accept headers, where carefully crafted input triggers catastrophic backtracking in the regex engine [3][4].
Exploitation
An attacker needs only network access to send HTTP requests to an affected Rails application. No authentication or other privileges are required. By crafting a malicious Accept header that exploits the backtracking behavior of the MIME parser’s regular expression, the attacker can cause the regex engine to consume excessive CPU time, potentially stalling request processing [3][4].
Impact
Successful exploitation results in a denial of service (DoS) condition: the application may become unresponsive due to CPU exhaustion, degrading or denying service to legitimate users. No data integrity or confidentiality is directly compromised, and no code execution is achieved [1][3]. The impact is limited to application availability.
Mitigation
Fixed versions are 6.0.3.7 and 6.1.3.2, available through the normal Rails distribution channels [2][3][4]. For users unable to upgrade immediately, the advisory provides a monkey patch initializer that replaces the MIME regex with one that does not backtrack catastrophically [3][4]; the same fix is also available in git-am format for the 6.0 and 6.1 release series. At the time of the advisory only the 6.1.Z, 6.0.Z, and 5.2.Z series were supported; users of earlier, unsupported releases should upgrade promptly [4].
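The following is an added example, not code from Rails or from the advisory. It reconstructs the shape of the bug described above with a simplified media-range matcher in the style of Action Dispatch's Accept-header regex: a backtracking-prone form, in which a whitespace quantifier before the parameter group overlaps with one inside it, beside a hardened form that drops the duplicate and wraps each parameter in an atomic group, which is the same class of fix the advisory's patch applies. Around the regex it adds the check a practitioner wants regardless of the regex: a size cap on the header before any matching happens. The regex text, the `AcceptGuard` module, and the `MAX_HEADER_LEN` / `MAX_RANGES` limits are assumptions for illustration; they are not the expressions or limits shipped in actionpack.

```ruby
# Added example (not Rails source): a simplified Accept media-range matcher in
# the style of Action Dispatch's MIME regex, in a backtracking-prone and a
# hardened form, plus a parser that caps input size before matching at all.
# The patterns are a constructed reconstruction of the bug class, not the
# exact expression from actionpack.
require "benchmark"

module AcceptGuard
  # Token-like name bounded to 127 chars (single quotes: '#$&' must not interpolate).
  TOKEN = '[a-zA-Z0-9][a-zA-Z0-9!#$&\-^_.+]{0,126}'
  # ";key" or ";key=value", value optionally quoted.
  PARAM = "\\s*;\\s*#{TOKEN}(?:=\"?#{TOKEN}\"?)?"

  # Backtracking-prone form: the \s* before PARAM and the \s* at the start of
  # PARAM overlap, so a long whitespace run that is not followed by ';' gets
  # re-split O(n^2) ways before the engine concedes that the range is invalid.
  UNSAFE_RE = /\A(?:\*\/\*|#{TOKEN}\/(?:\*|#{TOKEN}))(?:\s*#{PARAM})*\s*\z/

  # Hardened form: the duplicate \s* is gone and each parameter is matched in
  # an atomic group (?>...), so the engine never backtracks into a parameter
  # it has already accepted; failure on hostile input is then linear in n.
  SAFE_RE = /\A(?:\*\/\*|#{TOKEN}\/(?:\*|#{TOKEN}))(?>#{PARAM})*\s*\z/

  # Defense in depth independent of the regex: refuse oversized headers first.
  MAX_HEADER_LEN = 1024   # assumed cap; size it for your real clients
  MAX_RANGES     = 32     # assumed cap on comma-separated media ranges

  # Returns [status, media_ranges]; status is :ok or :rejected.
  def self.parse(header, re: SAFE_RE)
    return [:rejected, []] if header.nil? || header.bytesize > MAX_HEADER_LEN
    ranges = header.split(",").map(&:strip)
    return [:rejected, []] if ranges.size > MAX_RANGES
    accepted = ranges.select { |r| re.match?(r) }
    return [:rejected, []] if accepted.size != ranges.size
    [:ok, accepted]
  end

  # Constructed hostile range: a valid prefix, n spaces, then a byte that is
  # neither whitespace nor a token character, so no parameter and no \z match.
  def self.hostile_range(n)
    "text/html" + (" " * n) + "{"
  end

  # Wall-clock seconds for a single match attempt, to show growth with n.
  def self.time_match(re, input)
    Benchmark.realtime { re.match?(input) }
  end
end

if $PROGRAM_NAME == __FILE__
  p AcceptGuard.parse("text/html, application/json;q=0.9, */*;q=0.1")
  p AcceptGuard.parse(AcceptGuard.hostile_range(50))
  [2_000, 4_000, 8_000].each do |n|
    s = AcceptGuard.hostile_range(n)
    printf("n=%-5d unsafe=%.4fs safe=%.4fs\n", n,
           AcceptGuard.time_match(AcceptGuard::UNSAFE_RE, s),
           AcceptGuard.time_match(AcceptGuard::SAFE_RE, s))
  end
end
```

Doubling n should roughly quadruple the `unsafe` column on Rubies with a plain backtracking matcher, while `safe` grows linearly; on Ruby 3.2 or newer the interpreter's memoizing regex engine can flatten the difference, and `Regexp.timeout` (also 3.2+) is a further backstop, but neither replaces fixing the pattern or capping the input, since a web worker stuck in one match attempt is unavailable for every other request on that process.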
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| actionpack | RubyGems | >= 6.0.0, < 6.0.3.7 | 6.0.3.7 |
| actionpack | RubyGems | >= 6.1.0, < 6.1.3.2 | 6.1.3.2 |
Affected products
- actionpack / actionpack ruby gem (GHSA coordinates, 2 version ranges: >= 6.0.0, < 6.0.3.7, and 1 more)
- (no CPE) range: >= 6.0.0, < 6.0.3.7
- (no CPE) range: < 6.0.4.4-1.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-g8ww-46x2-2p65 (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-22902 (advisory)
- discuss.rubyonrails.org/t/cve-2021-22902-possible-denial-of-service-vulnerability-in-action-dispatch/77866 (web)
- github.com/rails/rails/releases/tag/v6.0.3.7 (web)
- github.com/rails/rails/releases/tag/v6.1.3.2 (web)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22902.yml (web)
- groups.google.com/g/rubyonrails-security/c/_5ID_ld9u1c (web)
- hackerone.com/reports/1138654 (web)
News mentions
No linked articles in our index yet.