Low severity · NVD Advisory · Published Feb 27, 2024 · Updated Feb 13, 2025
Rails possible ReDoS vulnerability in Accept header parsing in Action Dispatch
CVE-2024-26142
Description
Rails is a web-application framework. Starting in version 7.1.0, there is a possible ReDoS vulnerability in the Accept header parsing routines of Action Dispatch. This vulnerability is patched in 7.1.3.1. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected.
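As an added illustration (not Rails' own code), the helper below models the single-media-type branch of `Mime::Type.parse` with the separator regexp as it was before and after commit b4d3bfb5ed8a, and shows why the narrowed regexp also needed the `.strip` added in the same commit. The constant names echo the Rails ones; the helper itself is an assumption of this example.

```ruby
# Added example, not Rails code: models the single-media-type branch of
# Mime::Type.parse around commit b4d3bfb5ed8a so the two separator regexps
# can be compared on ordinary Accept headers.

# Before the fix. String#index tries every offset as a candidate start, and at
# each offset inside a whitespace run the leading \s* consumes the run and then
# gives it back one space at a time looking for ";", which costs time quadratic
# in the length of the run whenever the separator does not match there.
OLD_PARAMETER_SEPARATOR_REGEXP = /\s*;\s*q="?/

# After the fix. The match is anchored on the literal ";", so an offset that
# does not hold ";" is rejected immediately and the scan stays linear.
NEW_PARAMETER_SEPARATOR_REGEXP = /;\s*q="?/

# Returns the media-type string Rails would hand to Mime::Type.lookup for a
# header carrying a single media type (no ","), or nil where Rails returns [].
# strip: false reproduces the patched regexp without the .strip the commit added.
def media_type_without_q(accept_header, separator_regexp, strip: true)
  return nil if accept_header.include?(",") # multi-type branch not modelled here
  if (index = accept_header.index(separator_regexp))
    accept_header = accept_header[0, index]
    accept_header = accept_header.strip if strip
  end
  return nil if accept_header.strip.empty? # Rails: return [] if blank?
  accept_header
end

if __FILE__ == $0
  header = "text/html ; q=0.9"
  puts media_type_without_q(header, OLD_PARAMETER_SEPARATOR_REGEXP).inspect
  puts media_type_without_q(header, NEW_PARAMETER_SEPARATOR_REGEXP).inspect
  # Without the strip, the narrowed regexp leaves the space before ";" behind:
  puts media_type_without_q(header, NEW_PARAMETER_SEPARATOR_REGEXP, strip: false).inspect
end
```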
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| actionpack (RubyGems) | >= 7.1.0, < 7.1.3.1 | 7.1.3.1 |
Patches (1)
- b4d3bfb5ed8a: Fix ReDoS in accept header scanning
2 files changed · +6 −2
actionpack/CHANGELOG.md+4 −0 modified@@ -1,3 +1,7 @@ +* Fix ReDoS in Accept header parsing + + CVE-2024-26142 + ## Rails 7.1.3 (January 16, 2024) ## * Fix including `Rails.application.routes.url_helpers` directly in an
actionpack/lib/action_dispatch/http/mime_type.rb+2 −2 modified@@ -154,7 +154,7 @@ class << self TRAILING_STAR_REGEXP = /^(text|application)\/\*/ # all media-type parameters need to be before the q-parameter # https://www.rfc-editor.org/rfc/rfc7231#section-5.3.2 - PARAMETER_SEPARATOR_REGEXP = /\s*;\s*q="?/ + PARAMETER_SEPARATOR_REGEXP = /;\s*q="?/ ACCEPT_HEADER_REGEXP = /[^,\s"](?:[^,"]|"[^"]*")*/ def register_callback(&block) @@ -193,7 +193,7 @@ def register(string, symbol, mime_type_synonyms = [], extension_synonyms = [], s def parse(accept_header) if !accept_header.include?(",") if (index = accept_header.index(PARAMETER_SEPARATOR_REGEXP)) - accept_header = accept_header[0, index] + accept_header = accept_header[0, index].strip end return [] if accept_header.blank? parse_trailing_star(accept_header) || Array(Mime::Type.lookup(accept_header))
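Review bot: in the `PARAMETER_SEPARATOR_REGEXP` hunk, dropping the leading `\s*` is what removes the backtracking: with `/\s*;\s*q="?/` every offset inside a whitespace run is a candidate start that consumes the run and gives it back one space at a time looking for `;`, whereas `/;\s*q="?/` rejects any offset that does not hold `;` in constant time. A regression test that asserts a bounded parse time for a header with a long whitespace run, plus one confirming `text/html ; q=0.9` still resolves to `text/html`, would pin both properties, since the separator no longer consumes the space before `;`.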
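Review bot: in the `parse` hunk, the added `.strip` is required rather than cosmetic: because the new separator no longer matches the whitespace before `;`, `accept_header[0, index]` can now end in trailing spaces that `Mime::Type.lookup` on the following line would not resolve. Note that `strip` also removes leading whitespace, which the old slice passed through, so this is a small behavioural change worth a test case; the multi-type branch (`accept_header.include?(",")`) is outside this hunk, so confirm it does not also rely on the old regexp consuming that leading whitespace.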
References (7)
- github.com/advisories/GHSA-jjhx-jhvp-74wq (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-26142 (GHSA, advisory)
- discuss.rubyonrails.org/t/possible-redos-vulnerability-in-accept-header-parsing-in-action-dispatch/84946 (GHSA, x_refsource_MISC, web)
- github.com/rails/rails/commit/b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272 (GHSA, x_refsource_MISC, web)
- github.com/rails/rails/security/advisories/GHSA-jjhx-jhvp-74wq (GHSA, x_refsource_CONFIRM, web)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/actionpack/CVE-2024-26142.yml (GHSA, x_refsource_MISC, web)
- security.netapp.com/advisory/ntap-20240503-0003/ (MITRE)