Moderate severityNVD Advisory· Published Jul 2, 2024· Updated Aug 2, 2024

Rack ReDoS Vulnerability in HTTP Accept Headers Parsing

CVE-2024-39316

Description

Rack is a modular Ruby web server interface. Starting in version 3.1.0 and prior to version 3.1.5, Regular Expression Denial of Service (ReDoS) vulnerability exists in the Rack::Request::Helpers module when parsing HTTP Accept headers. This vulnerability can be exploited by an attacker sending specially crafted Accept-Encoding or Accept-Language headers, causing the server to spend excessive time processing the request and leading to a Denial of Service (DoS). The fix for CVE-2024-26146 was not applied to the main branch and thus while the issue was fixed for the Rack v3.0 release series, it was not fixed in the v3.1 release series until v3.1.5. Users of versions on the 3.1 branch should upgrade to version 3.1.5 to receive the fix.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
rackRubyGems	>= 3.1.0, < 3.1.5	3.1.5

Affected products

Rack/Rackv5
Range: >= 3.1.0, < 3.1.5

Patches

3620bb1d140d

https://github.com/rack/rackvia osv

412c980450ca

Merge pull request from GHSA-cj83-2ww7-mvq7

https://github.com/rack/rackDwi SiswantoJul 2, 2024via ghsa

commit

1 file changed · +4 −2

lib/rack/request.rb+4 −2 modified

@@ -642,8 +642,10 @@ def wrap_ipv6(host)
       end
 
       def parse_http_accept_header(header)
-        header.to_s.split(/\s*,\s*/).map do |part|
-          attribute, parameters = part.split(/\s*;\s*/, 2)
+        header.to_s.split(',').map do |part|
+          attribute, parameters = part.split(';', 2)
+          attribute.strip!
+          parameters&.strip!
           quality = 1.0
           if parameters and /\Aq=([\d.]+)/ =~ parameters
             quality = $1.to_f

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-cj83-2ww7-mvq7ghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2024-39316ghsaADVISORY
advisory.dw1.io/61ghsaWEB
github.com/rack/rack/commit/412c980450ca729ee37f90a2661f166a9665e058ghsax_refsource_MISCWEB
github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8fghsax_refsource_MISCWEB
github.com/rack/rack/security/advisories/GHSA-cj83-2ww7-mvq7ghsax_refsource_CONFIRMWEB
github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-39316.ymlghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.001
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000