CVE-2022-23837
Description
In api.rb in Sidekiq before 5.2.10 and 6.4.0, there is no limit on the number of days when requesting stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Sidekiq 5.x before 5.2.10 and 6.x before 6.4.0 let any client that can reach the Web UI cause a denial of service by requesting the stats graph with an arbitrarily large days value; where the Web UI is exposed without authentication, the request is unauthenticated.
Vulnerability
In Sidekiq 5.x before 5.2.10 and 6.x before 6.4.0, the Sidekiq::Stats::History class in lib/sidekiq/api.rb does not validate its days_previous argument [1]. The Web UI root route reads the days query parameter, converts it with to_i (defaulting to 30) and passes the result straight to History with no upper bound, so a single request can ask for an enormous range such as 1,000,000 days [4]. History derives one per-day Redis key for every day in the range (for both the processed and the failed counters) and fetches the whole list in one multi-key read, so the work done and the memory allocated grow linearly with the attacker-chosen value, overloading both Redis and the Sidekiq web process.
Exploitation
An attacker sends one HTTP GET to the Web UI root route, the page that renders the stats graph, with a large days query parameter, e.g. GET /?days=1000000 [4]. No special privileges or user interaction are needed, and if the Web UI is reachable without authentication the request is unauthenticated as well [3]. A single request is enough, and repeating it keeps the dashboard unavailable.
Impact
Successful exploitation makes the Sidekiq web process burn CPU and memory building the date-key list and the stats response, and makes Redis service an oversized multi-key read, producing a denial of service (DoS) [1]. The Web UI becomes unresponsive, so the monitoring dashboard is unavailable to legitimate administrators, and any operational workflow that depends on the Sidekiq interface for job monitoring and management (inspecting queues, retrying or deleting jobs) is disrupted for as long as the requests keep coming. Because Redis executes commands serially, a sufficiently large read can also delay the job push and fetch traffic of the workers sharing that Redis instance.
Mitigation
The vulnerability is fixed in Sidekiq 5.2.10 and 6.4.0 [1][2]. The fix validates the days value at two layers: the History constructor raises ArgumentError when days_previous is below 1 or above 5*365 (the five years of per-day counters Sidekiq retains in Redis), and the Web UI root route rejects a days query value outside 1..180 with an HTTP 401 before History is constructed [4]. Upgrade to 5.2.10 (5.x) or 6.4.0 (6.x) or later; Debian LTS shipped corresponding updates for its packaged versions (see the debian-lts-announce references). Where an upgrade is not immediately possible, reduce exposure by restricting network access to the Sidekiq Web UI (firewall rules, a reverse proxy or Rack middleware enforcing authentication, not exposing it publicly) [3]; note that authentication only narrows who can send the request, since any user who can load the dashboard can still trigger the oversized read until the code is patched.
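The mechanism and the two-layer fix, as an added example written for this page rather than code from the Sidekiq project: a simplified Ruby model in which UnboundedHistory reproduces the pre-fix shape (one Redis key per requested day, read back in a single multi-key call) and BoundedHistory and stats_route apply the constructor bound of 1..5*365 and the route bound of 1..180 from the fix. FakeRedis, the class and method names, the fixed start date and the stored counter values are all constructed for the example; the example answers a rejected query with 400 rather than the 401 the actual fix uses, and gives the ArgumentError a message the real fix does not.

```ruby
require "date"

# Added example, not Sidekiq's code: a hypothetical in-memory stand-in for
# Redis that records the largest batch a single MGET asked for, so the
# amplification caused by one request is observable.
class FakeRedis
  attr_reader :largest_mget

  def initialize(data)
    @data = data            # constructed sample: "stat:processed:YYYY-MM-DD" => "count"
    @largest_mget = 0
  end

  def mget(keys)
    @largest_mget = [@largest_mget, keys.size].max
    keys.map { |k| @data[k] }
  end
end

# Pre-fix shape (Sidekiq < 5.2.10 / < 6.4.0): however large days_previous is,
# build one key per day and fetch them all in one round trip. The start date
# is fixed so the example is deterministic.
class UnboundedHistory
  def initialize(days_previous, start_date = Date.new(2022, 1, 14))
    @days_previous = days_previous
    @start_date = start_date
  end

  # Returns { "YYYY-MM-DD" => Integer } for the requested range.
  def processed(redis)
    date_stat_hash(redis, "processed")
  end

  private

  def date_stat_hash(redis, stat)
    dates = @start_date.downto(@start_date - @days_previous + 1)
                       .map { |d| d.strftime("%Y-%m-%d") }
    keys = dates.map { |d| "stat:#{stat}:#{d}" }   # one key per day
    values = redis.mget(keys)                      # one MGET over all of them
    dates.zip(values).to_h { |d, v| [d, v.to_i] }
  end
end

# Post-fix shape: the constructor refuses anything outside 1..5*365, the range
# the fix's comment says is retained in Redis. The error message is this
# example's addition; the real fix raises a bare ArgumentError.
class BoundedHistory < UnboundedHistory
  MAX_DAYS = 5 * 365

  def initialize(days_previous, start_date = Date.new(2022, 1, 14))
    unless days_previous.is_a?(Integer) && days_previous.between?(1, MAX_DAYS)
      raise ArgumentError, "days_previous must be in 1..#{MAX_DAYS}, got #{days_previous.inspect}"
    end
    super
  end
end

# True if BoundedHistory accepts the value, false if it raises ArgumentError.
def history_accepts?(days)
  BoundedHistory.new(days)
  true
rescue ArgumentError
  false
end

# Web-layer guard mirroring the fixed "/" route: parse the query value the way
# the route does (to_i, default 30) and reject it before History is built.
# Answers with 400 here; the actual fix halts with 401. Returns [status, body].
def stats_route(params, redis, max_days: 180)
  days = (params["days"] || 30).to_i
  return [400, "days must be between 1 and #{max_days}"] unless days.between?(1, max_days)

  [200, BoundedHistory.new(days).processed(redis)]
end
```

Calling UnboundedHistory.new(20_000).processed(redis) makes FakeRedis report a 20,000-key MGET, which is the amplification the attacker buys with one query parameter; stats_route({ "days" => "1000000" }, redis) returns 400 without touching the store, and a value of 200 is accepted by BoundedHistory but still rejected by the route, showing why the two bounds differ.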
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| sidekiq | RubyGems | >= 6.0.0, < 6.4.0 | 6.4.0 |
| sidekiq | RubyGems | < 5.2.10 | 5.2.10 |
Affected products
- Sidekiq/Sidekiq
Patches
- 7785ac1399f1 Validate `days` parameter to avoid possible DoS in Web UI
4 files changed · +17 −2
lib/sidekiq/api.rb+2 −0 modified@@ -161,6 +161,8 @@ def lengths class History def initialize(days_previous, start_date = nil) + # we only store five years of data in Redis + raise ArgumentError if days_previous < 1 || days_previous > (5 * 365) @days_previous = days_previous @start_date = start_date || Time.now.utc.to_date end
lib/sidekiq/web/application.rb+4 −1 modified@@ -50,7 +50,10 @@ def self.set(key, val) get "/" do @redis_info = redis_info.select { |k, v| REDIS_KEYS.include? k } - stats_history = Sidekiq::Stats::History.new((params["days"] || 30).to_i) + days = (params["days"] || 30).to_i + return halt(401) if days < 1 || days > 180 + + stats_history = Sidekiq::Stats::History.new(days) @processed_history = stats_history.processed @failed_history = stats_history.failed
test/test_api.rb+9 −0 modified@@ -156,6 +156,15 @@ Time::DATE_FORMATS[:default] = @before end + describe "history" do + it "does not allow invalid input" do + assert_raises(ArgumentError) { Sidekiq::Stats::History.new(-1) } + assert_raises(ArgumentError) { Sidekiq::Stats::History.new(0) } + assert_raises(ArgumentError) { Sidekiq::Stats::History.new(2000) } + assert Sidekiq::Stats::History.new(200) + end + end + describe "processed" do it 'retrieves hash of dates' do Sidekiq.redis do |c|
test/test_web.rb+2 −1 modified@@ -748,8 +748,9 @@ def app basic_authorize 'a', 'b' get '/' - assert_equal 200, last_response.status + get '/?days=1000000' + assert_equal 401, last_response.status end end
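Review bot: the new guard in History#initialize (lib/sidekiq/api.rb hunk) raises a bare ArgumentError with no message, so a caller of the public Sidekiq::Stats::History API who passes, say, 2000 sees only "ArgumentError" and no hint of the accepted range; suggest `raise ArgumentError, "days_previous must be between 1 and #{5 * 365}" if days_previous < 1 || days_previous > (5 * 365)`. A nil or String argument still fails here, but from the comparison operator rather than from this check, which is worth stating in the method's documentation.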
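Review bot: `return halt(401) if days < 1 || days > 180` in the "/" route (lib/sidekiq/web/application.rb hunk) answers an out-of-range days value with 401 Unauthorized, which tells the client, and any proxy or monitoring keyed on status codes, that credentials are missing when the real problem is a bad query parameter; 400 Bad Request is the accurate status, so suggest `return halt(400) if days < 1 || days > 180`. The route's 180 and the constructor's 5 * 365 are two unrelated magic numbers; lifting the web limit into a named constant next to REDIS_KEYS would make the relationship explicit.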
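Review bot: the new "does not allow invalid input" test (test/test_api.rb hunk) only probes -1, 0, 2000 and 200, so neither edge of the 1..(5 * 365) range added in History#initialize is covered and an off-by-one in the guard would pass; suggest adding `assert Sidekiq::Stats::History.new(1)`, `assert Sidekiq::Stats::History.new(5 * 365)` and `assert_raises(ArgumentError) { Sidekiq::Stats::History.new(5 * 365 + 1) }`.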
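Review bot: the test/test_web.rb hunk removes the `assert_equal 200, last_response.status` that followed `get '/'`, so the test no longer verifies that the default request (days omitted, 30) still renders; keep that assertion after `get '/'` and add the `get '/?days=1000000'` / 401 check after it. The web-layer bound is also only exercised from above: a `get '/?days=0'` expecting 401 and a `get '/?days=180'` expecting 200 would pin down both ends of the 1..180 check in application.rb.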
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
[1] github.com/advisories/GHSA-jrfj-98qg-qjgv (advisory, via GHSA)
[2] nvd.nist.gov/vuln/detail/CVE-2022-23837 (advisory, via GHSA)
[3] github.com/TUTUMSPACE/exploits/blob/main/sidekiq.md (web, via GHSA)
[4] github.com/mperham/sidekiq/commit/7785ac1399f1b28992adb56055f6acd88fd1d956 (web, via GHSA)
[5] github.com/rubysec/ruby-advisory-db/pull/495 (web, via GHSA)
[6] lists.debian.org/debian-lts-announce/2022/03/msg00015.html (mailing list, via GHSA)
[7] lists.debian.org/debian-lts-announce/2023/03/msg00011.html (mailing list, via MITRE)
News mentions
No linked articles in our index yet.