VYPR
Moderate severity · NVD Advisory · Published Sep 14, 2023 · Updated Sep 25, 2024

CVE-2023-26141

Description

Versions of the package sidekiq before 7.1.3 are vulnerable to Denial of Service (DoS) due to insufficient checks in the dashboard-charts.js file. An attacker can exploit this vulnerability by manipulating the localStorage value which will cause excessive polling requests.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Sidekiq before 7.1.3 is vulnerable to DoS via unsanitized localStorage value in dashboard-charts.js causing excessive polling requests.

Vulnerability

CVE-2023-26141 affects Sidekiq versions prior to 7.1.3. The vulnerability is a Denial of Service (DoS) due to insufficient input validation in the dashboard-charts.js file. The Web UI uses localStorage.sidekiqTimeInterval to set a polling interval, and this value is not sanitized. An attacker can set it to a very low number, such as 1 millisecond, which results in excessive polling requests to the server [1][2][3].

Exploitation

The attack is performed by manipulating the localStorage key sidekiqTimeInterval in the browser. No authentication is required if the Web UI is publicly accessible. The attacker does not need any special network position beyond being able to load the dashboard page. The code parseInt(localStorage.sidekiqTimeInterval) || 5000 directly uses the user-controlled value as the interval for setInterval [3]. This leads to a high rate of incoming HTTP requests, overwhelming the server.

Impact

Successful exploitation causes a Denial of Service, making the Sidekiq Web UI unresponsive and potentially degrading the performance of the entire Sidekiq worker process. The server can be flooded with polling requests, consuming CPU and network resources and potentially leading to service disruption for legitimate users.

Mitigation

The issue is fixed in Sidekiq version 7.1.3 [1]. Users should upgrade to this version or later. The Sidekiq maintainer acknowledged the fix in version 6.5.10 for the 6.x branch [1]. For those unable to upgrade, restricting access to the Web UI or implementing a reverse proxy to rate-limit requests can serve as a temporary workaround.
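As an added example (not Sidekiq's own code), the pre-fix and post-fix interval computations side by side, followed by a defender-side check that scans constructed access-log lines for clients polling faster than the patched floor allows. The `/sidekiq/stats` path, the log line format and the function names are assumptions, not taken from the advisory.

```javascript
const DEFAULT_POLL_MS = 5000; // default the dashboard falls back to
const MIN_POLL_MS = 2000;     // floor introduced by fix commit 62c90d7c5a7d

// Pre-7.1.3 expression: `||` only replaces NaN and 0, so "1" yields a 1 ms timer.
function vulnerableInterval(raw) {
  return parseInt(raw) || DEFAULT_POLL_MS;
}

// Post-fix expression: same default, then a lower bound (catches negatives too).
function safeInterval(raw) {
  let ms = parseInt(raw) || DEFAULT_POLL_MS;
  if (ms < MIN_POLL_MS) ms = MIN_POLL_MS;
  return ms;
}

// Constructed log lines, "<ISO timestamp> <client ip> <path>"; /sidekiq/stats is
// assumed here to be the JSON endpoint the dashboard polls (not stated on the page).
const SAMPLE_LOG = [
  "2023-09-05T10:00:00.000Z 198.51.100.7 /sidekiq/stats",   // default-interval client
  "2023-09-05T10:00:05.010Z 198.51.100.7 /sidekiq/stats",
  "2023-09-05T10:00:10.020Z 198.51.100.7 /sidekiq/stats",
  "2023-09-05T10:00:00.000Z 203.0.113.9 /sidekiq/stats",    // 1 ms interval client
  "2023-09-05T10:00:00.004Z 203.0.113.9 /sidekiq/stats",
  "2023-09-05T10:00:00.009Z 203.0.113.9 /sidekiq/stats",
  "2023-09-05T10:00:00.013Z 203.0.113.9 /sidekiq/stats",
  "2023-09-05T10:00:00.017Z 203.0.113.9 /sidekiq/stats",
  "2023-09-05T10:00:00.021Z 203.0.113.9 /sidekiq/stats",
  "2023-09-05T10:00:01.000Z 203.0.113.9 /sidekiq/queues",   // not a poll, ignored
];

// Reports client IPs whose consecutive stats polls are mostly closer together
// than the floor a patched UI enforces; a server-side signal for the DoS pattern.
function findFastPollers(lines, floorMs = MIN_POLL_MS, minPolls = 3) {
  const byClient = new Map();
  for (const line of lines) {
    const [ts, ip, path] = line.split(" ");
    if (path !== "/sidekiq/stats") continue;
    if (!byClient.has(ip)) byClient.set(ip, []);
    byClient.get(ip).push(Date.parse(ts));
  }
  const flagged = [];
  for (const [ip, times] of byClient) {
    if (times.length < minPolls) continue;
    times.sort((a, b) => a - b);
    const gaps = times.slice(1).map((t, i) => t - times[i]); // ms between polls
    const tooFast = gaps.filter((g) => g < floorMs).length;
    if (tooFast > gaps.length / 2) flagged.push(ip);
  }
  return flagged;
}
```

Feeding real reverse-proxy logs into `findFastPollers` gives a quick way to spot clients still running an unpatched UI with a tampered interval before upgrading is complete.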

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package            | Affected versions  | Patched versions |
|--------------------|--------------------|------------------|
| sidekiq (RubyGems) | >= 7.0.0, < 7.1.3  | 7.1.3            |
| sidekiq (RubyGems) | < 6.5.10           | 6.5.10           |

Affected products (2)

  • sidekiq/sidekiq
  • GHSA coordinates, range: >= 7.0.0, < 7.1.3

Patches (1)

Commit 62c90d7c5a7d

Validate page refresh interval to ensure a minimum amount of delay

https://github.com/sidekiq/sidekiq · Mike Perham · Sep 5, 2023 · via ghsa
2 files changed · +4 −1
  • web/assets/javascripts/application.js (+1 −0, modified)
    @@ -140,6 +140,7 @@ function checkResponse(resp) {
     
     function scheduleLivePoll() {
       let ti = parseInt(localStorage.sidekiqTimeInterval) || 5000;
    +  if (ti < 2000) { ti = 2000 }
       livePollTimer = setTimeout(livePollCallback, ti);
     }
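Review bot: the 2000 ms floor is a bare literal that this hunk repeats from dashboard-charts.js; a single shared constant (say a MIN_POLL_INTERVAL used by both scheduleLivePoll and RealtimeChart) would keep the two from drifting apart. Style: `if (ti < 2000) { ti = 2000 }` omits the trailing semicolon that the sibling hunk and the surrounding lines use. The check itself covers the reported case: parseInt never returns Infinity, `|| 5000` already replaces NaN and 0, and the comparison catches negative values as well as sub-2000 ones.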
     
    
  • web/assets/javascripts/dashboard-charts.js (+3 −1, modified)
    @@ -57,7 +57,9 @@ class DashboardChart extends BaseChart {
     class RealtimeChart extends DashboardChart {
       constructor(el, options) {
         super(el, options);
    -    this.delay = parseInt(localStorage.sidekiqTimeInterval) || 5000;
    +    let d = parseInt(localStorage.sidekiqTimeInterval) || 5000;
    +    if (d < 2000) { d = 2000; }
    +    this.delay = d
         this.startPolling();
         document.addEventListener("interval:update", this.handleUpdate.bind(this));
       }
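Review bot: the clamp only validates the value read in the constructor, while the `interval:update` listener registered on the very next line is not in this diff; please confirm that handleUpdate applies the same lower bound when the interval changes at runtime, ideally by routing both paths through one shared helper so the 2000 literal also stops being duplicated with application.js. Style: `this.delay = d` is missing its semicolon, unlike `let d = ...;` and `if (d < 2000) { d = 2000; }` just above it.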
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (9)

News mentions (0)

No linked articles in our index yet.