CVE-2021-22904
Description
The actionpack ruby gem before 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6 suffers from a possible denial of service vulnerability in the Token Authentication logic in Action Controller due to a too permissive regular expression. Impacted code uses authenticate_or_request_with_http_token or authenticate_with_http_token for request authentication.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A denial of service vulnerability in Action Pack's Token Authentication due to a permissive regex allows attackers to cause excessive resource consumption.
Vulnerability
The actionpack Ruby gem before versions 6.1.3.2, 6.0.3.7, 5.2.4.6, and 5.2.6 contains a denial of service vulnerability in the Token Authentication logic of Action Controller. The issue stems from a too permissive regular expression used to split the HTTP Authorization header into its key=value pairs when the application authenticates requests with authenticate_or_request_with_http_token or authenticate_with_http_token. Every release from 4.0.0 up to the fixed versions is affected; releases before 4.0.0 are not [1][4].
Exploitation
An attacker exploits this by sending an HTTP request whose Authorization header is crafted so that the pair-delimiter regular expression backtracks excessively while splitting the header, consuming far more CPU time per request than a well-formed header would. No credentials are needed: the header is parsed before any token is compared, so the attacker only needs network access to a route whose controller calls one of the token authentication helpers. A modest stream of such requests ties up application workers and degrades or exhausts service capacity [4].
Impact
Successful exploitation results in a denial of service condition, where the affected server becomes unresponsive or significantly degraded due to high CPU usage. This can impact availability for legitimate users. The vulnerability does not lead to information disclosure, privilege escalation, or remote code execution [1][4].
Mitigation
Upgrade to a fixed release: 6.1.3.2, 6.0.3.7, 5.2.4.6, or 5.2.6. Where an immediate upgrade is not possible, the advisory gives a workaround that tightens the delimiter regular expression from an initializer: module ActionController::HttpAuthentication::Token; AUTHN_PAIR_DELIMITERS = /(?:,|;|\t)/; end. Reassigning the constant prints Ruby's "already initialized constant" warning at boot, which is expected; remove the initializer once the gem is upgraded. Patches for the supported release series (5.2, 6.0, 6.1) are provided in the official advisory [4]. Releases before 4.0.0 are not affected; users on unsupported series within the affected range (4.x through 5.1.x) receive no backported patch and should upgrade to a fixed release as soon as possible [4].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (ecosystem) | Affected versions | Patched version |
|---|---|---|
| actionpack (RubyGems) | >= 6.1.0, < 6.1.3.2 | 6.1.3.2 |
| actionpack (RubyGems) | >= 6.0.0, < 6.0.3.7 | 6.0.3.7 |
| actionpack (RubyGems) | >= 5.2.5, < 5.2.6 | 5.2.6 |
| actionpack (RubyGems) | >= 4.0.0, < 5.2.4.6 | 5.2.4.6 |
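As an added example (not code from the Rails project or from the advisory), the following Ruby script turns the version ranges in the table above into a check that can be run against an application's Gemfile.lock. The lockfile fragment embedded in it is constructed for the demonstration, and the constant and function names are the example's own:

```ruby
# Added example, not Rails or advisory code: classify an actionpack version
# against the CVE-2021-22904 ranges published in the GitHub Security Advisory.
# Only the standard library is used; Gem::Version ships with RubyGems.
require "rubygems"

# [lower bound (inclusive), upper bound (exclusive), patched version], as in
# the advisory's affected-packages table. The ranges do not overlap, so the
# order of rows does not matter.
CVE_2021_22904_RANGES = [
  ["6.1.0", "6.1.3.2", "6.1.3.2"],
  ["6.0.0", "6.0.3.7", "6.0.3.7"],
  ["5.2.5", "5.2.6",   "5.2.6"],
  ["4.0.0", "5.2.4.6", "5.2.4.6"],
].freeze

# Returns the patched version to upgrade to when `version` is in an affected
# range, or nil when it is already fixed or outside the affected range.
def cve_2021_22904_fix_for(version)
  v = Gem::Version.new(version)
  row = CVE_2021_22904_RANGES.find do |lo, hi, _fix|
    v >= Gem::Version.new(lo) && v < Gem::Version.new(hi)
  end
  row && row[2]
end

# Extracts the resolved actionpack version from Gemfile.lock text. Resolved
# spec lines sit at four-space indent under `specs:` with a bare version,
# e.g. `    actionpack (6.0.3.6)`; dependency lines such as
# `      actionpack (= 6.0.3.6)` are indented deeper and carry an operator,
# so the pattern does not match them.
def actionpack_version_from_lockfile(lockfile_text)
  m = lockfile_text.match(/^ {4}actionpack \(([^\s()]+)\)\s*$/)
  m && m[1]
end

# One-line verdict for a lockfile.
def cve_2021_22904_report(lockfile_text)
  version = actionpack_version_from_lockfile(lockfile_text)
  return "actionpack not found in lockfile" unless version

  fix = cve_2021_22904_fix_for(version)
  if fix
    "actionpack #{version} is in a CVE-2021-22904 affected range; upgrade to #{fix}"
  else
    "actionpack #{version} is not in a CVE-2021-22904 affected range"
  end
end

# Constructed Gemfile.lock fragment used only to exercise the functions above.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (6.0.3.6)
        actionview (= 6.0.3.6)
        activesupport (= 6.0.3.6)
      rails (6.0.3.6)
        actionpack (= 6.0.3.6)

  PLATFORMS
    ruby
LOCK

if $PROGRAM_NAME == __FILE__
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  puts cve_2021_22904_report(text)
end
```

Run it as `ruby check.rb Gemfile.lock` to report on a real lockfile; without an argument it reports on the embedded sample. Inside a Rails application the same predicate can gate the advisory's workaround: apply the AUTHN_PAIR_DELIMITERS override only when cve_2021_22904_fix_for(ActionPack.version.to_s) is non-nil, so the initializer becomes inert once the gem is upgraded instead of lingering unnoticed.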
Affected products
No CPE identifiers are assigned; entries are package URLs with their affected version ranges.
- actionpack ruby gem, as named in the CVE record (version ranges as in the Description)
- pkg:gem/actionpack: >= 6.0.0, < 6.0.3.7
- pkg:rpm/opensuse/rubygem-actionpack-5_1 (openSUSE Leap 15.3): < 5.1.4-150000.3.12.1
- pkg:rpm/opensuse/rubygem-actionpack-5_1 (openSUSE Leap 15.4): < 5.1.4-150000.3.12.1
- pkg:rpm/opensuse/rubygem-actionpack-6.0 (openSUSE Tumbleweed): < 6.0.4.4-1.1
- pkg:rpm/opensuse/rubygem-activesupport-5_1 (openSUSE Leap 15.3): < 5.1.4-150000.3.6.1
- pkg:rpm/opensuse/rubygem-activesupport-5_1 (openSUSE Leap 15.4): < 5.1.4-150000.3.6.1
- pkg:rpm/suse/rubygem-actionpack-5_1 (SUSE Linux Enterprise High Availability Extension 15): < 5.1.4-150000.3.12.1
- pkg:rpm/suse/rubygem-actionpack-5_1 (SUSE Linux Enterprise High Availability Extension 15 SP1): < 5.1.4-150000.3.12.1
- pkg:rpm/suse/rubygem-actionpack-5_1 (SUSE Linux Enterprise High Availability Extension 15 SP2): < 5.1.4-150000.3.12.1
- pkg:rpm/suse/rubygem-actionpack-5_1 (SUSE Linux Enterprise High Availability Extension 15 SP3): < 5.1.4-150000.3.12.1
- pkg:rpm/suse/rubygem-actionpack-5_1 (SUSE Linux Enterprise High Availability Extension 15 SP4): < 5.1.4-150000.3.12.1
- pkg:rpm/suse/rubygem-activesupport-5_1 (SUSE Linux Enterprise High Availability Extension 15): < 5.1.4-150000.3.6.1
- pkg:rpm/suse/rubygem-activesupport-5_1 (SUSE Linux Enterprise High Availability Extension 15 SP1): < 5.1.4-150000.3.6.1
- pkg:rpm/suse/rubygem-activesupport-5_1 (SUSE Linux Enterprise High Availability Extension 15 SP2): < 5.1.4-150000.3.6.1
- pkg:rpm/suse/rubygem-activesupport-5_1 (SUSE Linux Enterprise High Availability Extension 15 SP3): < 5.1.4-150000.3.6.1
- pkg:rpm/suse/rubygem-activesupport-5_1 (SUSE Linux Enterprise High Availability Extension 15 SP4): < 5.1.4-150000.3.6.1
Patches
No patch commits indexed yet (the official advisory itself carries patch files for the 5.2, 6.0 and 6.1 series).
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-7wjx-3g7j-8584 (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-22904 (GHSA; advisory)
- discuss.rubyonrails.org/t/cve-2021-22904-possible-dos-vulnerability-in-action-controller-token-authentication/77869 (GHSA; web, x_refsource_MISC)
- github.com/rails/rails/releases/tag/v5.2.4.6 (GHSA; web)
- github.com/rails/rails/releases/tag/v5.2.6 (GHSA; web)
- github.com/rails/rails/releases/tag/v6.0.3.7 (GHSA; web)
- github.com/rails/rails/releases/tag/v6.1.3.2 (GHSA; web)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2021-22904.yml (GHSA; web)
- groups.google.com/g/rubyonrails-security/c/Pf1TjkOBdyQ (GHSA; web)
- hackerone.com/reports/1101125 (GHSA; web, x_refsource_MISC)
- security.netapp.com/advisory/ntap-20210805-0009 (GHSA; web)
- security.netapp.com/advisory/ntap-20210805-0009/ (MITRE; x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.