VYPR
Get started
← All advisories
Medium severityNVD Advisory· Published Oct 16, 2024· Updated Apr 15, 2026

CVE-2024-41128

CVE-2024-41128

Description

Action Pack is a framework for handling and responding to web requests. Starting in version 3.1.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the query parameter filtering routines of Action Dispatch. Carefully crafted query parameters can cause query parameter filtering to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to version 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. One may use Ruby 3.2 as a workaround. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater so is unaffected.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
actionpackRubyGems
>= 3.1.0, < 6.1.7.96.1.7.9
actionpackRubyGems
>= 7.0.0, < 7.0.8.57.0.8.5
actionpackRubyGems
>= 7.1.0, < 7.1.4.17.1.4.1
actionpackRubyGems
>= 7.2.0, < 7.2.1.17.2.1.1

Patches

8
b2fbbfbcaa3d
https://github.com/rails/railsvia osv
f61f4ef957f8
https://github.com/rails/railsvia osv
5b5f0da552f6
https://github.com/rails/railsvia osv
a1f6a13f691e
https://github.com/rails/railsvia osv
fb493bebae1a

Avoid backtracking in filtered_query_string

https://github.com/rails/railsJohn HawthornOct 11, 2024via ghsa
commit
1 file changed · +9 4
  • actionpack/lib/action_dispatch/http/filter_parameters.rb+9 4 modified
    @@ -73,12 +73,17 @@ def parameter_filter_for(filters) # :doc:
         ActiveSupport::ParameterFilter.new(filters)
       end
 
-      KV_RE   = "[^&;=]+"
-      PAIR_RE = %r{(#{KV_RE})=(#{KV_RE})}
       def filtered_query_string # :doc:
-        query_string.gsub(PAIR_RE) do |_|
-          parameter_filter.filter($1 => $2).first.join("=")
+        parts = query_string.split(/([&;])/)
+        filtered_parts = parts.map do |part|
+          if part.include?("=")
+            key, value = part.split("=", 2)
+            parameter_filter.filter(key => value).first.join("=")
+          else
+            part
+          end
         end
+        filtered_parts.join("")
       end
     end
   end
27121e80f6db

Avoid backtracking in filtered_query_string

https://github.com/rails/railsJohn HawthornOct 11, 2024via ghsa
commit
2 files changed · +18 6
  • actionpack/lib/action_dispatch/http/filter_parameters.rb+9 4 modified
    @@ -68,12 +68,17 @@ def parameter_filter_for(filters) # :doc:
         ActiveSupport::ParameterFilter.new(filters)
       end
 
-      KV_RE   = "[^&;=]+"
-      PAIR_RE = %r{(#{KV_RE})=(#{KV_RE})}
       def filtered_query_string # :doc:
-        query_string.gsub(PAIR_RE) do |_|
-          parameter_filter.filter($1 => $2).first.join("=")
+        parts = query_string.split(/([&;])/)
+        filtered_parts = parts.map do |part|
+          if part.include?("=")
+            key, value = part.split("=", 2)
+            parameter_filter.filter(key => value).first.join("=")
+          else
+            part
+          end
         end
+        filtered_parts.join("")
       end
     end
   end
  • actionpack/lib/action_dispatch/http/filter_redirect.rb+9 2 modified
    @@ -37,9 +37,16 @@ def location_filter_match?
       def parameter_filtered_location
         uri = URI.parse(location)
         unless uri.query.nil? || uri.query.empty?
-          uri.query.gsub!(FilterParameters::PAIR_RE) do
-            request.parameter_filter.filter($1 => $2).first.join("=")
+          parts = uri.query.split(/([&;])/)
+          filtered_parts = parts.map do |part|
+            if part.include?("=")
+              key, value = part.split("=", 2)
+              request.parameter_filter.filter(key => value).first.join("=")
+            else
+              part
+            end
           end
+          uri.query = filtered_parts.join("")
         end
         uri.to_s
       rescue URI::Error
b0fe99fa854e

Avoid backtracking in filtered_query_string

https://github.com/rails/railsJohn HawthornOct 11, 2024via ghsa
commit
1 file changed · +9 4
  • actionpack/lib/action_dispatch/http/filter_parameters.rb+9 4 modified
    @@ -64,12 +64,17 @@ def parameter_filter_for(filters) # :doc:
         ActiveSupport::ParameterFilter.new(filters)
       end
 
-      KV_RE   = "[^&;=]+"
-      PAIR_RE = %r{(#{KV_RE})=(#{KV_RE})}
       def filtered_query_string # :doc:
-        query_string.gsub(PAIR_RE) do |_|
-          parameter_filter.filter($1 => $2).first.join("=")
+        parts = query_string.split(/([&;])/)
+        filtered_parts = parts.map do |part|
+          if part.include?("=")
+            key, value = part.split("=", 2)
+            parameter_filter.filter(key => value).first.join("=")
+          else
+            part
+          end
         end
+        filtered_parts.join("")
       end
     end
   end
b1241f468d1b

Avoid backtracking in filtered_query_string

https://github.com/rails/railsJohn HawthornOct 11, 2024via ghsa
commit
1 file changed · +9 4
  • actionpack/lib/action_dispatch/http/filter_parameters.rb+9 4 modified
    @@ -58,12 +58,17 @@ def parameter_filter_for(filters) # :doc:
         ActiveSupport::ParameterFilter.new(filters)
       end
 
-      KV_RE   = "[^&;=]+"
-      PAIR_RE = %r{(#{KV_RE})=(#{KV_RE})}
       def filtered_query_string # :doc:
-        query_string.gsub(PAIR_RE) do |_|
-          parameter_filter.filter($1 => $2).first.join("=")
+        parts = query_string.split(/([&;])/)
+        filtered_parts = parts.map do |part|
+          if part.include?("=")
+            key, value = part.split("=", 2)
+            parameter_filter.filter(key => value).first.join("=")
+          else
+            part
+          end
         end
+        filtered_parts.join("")
       end
     end
   end

Vulnerability mechanics

Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

10

News mentions

0

No linked articles in our index yet.