The SentinelOne Annual Threat Report - A Defenders Guide from the FrontlinesThe SentinelOne Annual Threat ReportGet the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI for Security
      Leading the Way in AI-Powered Security Solutions
    • Securing AI
      Accelerate AI Adoption with Secure AI Tools, Apps, and Agents.
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly Ingest Data from On-Prem, Cloud or Hybrid Environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    • Singularity Identity
      Identity Threat Detection and Response
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-Powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Securing AI
    • Prompt Security
      Secure AI Tools Across Your Enterprise
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-Class Expertise and Threat Intelligence
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      DFIR, Breach Readiness, & Compromise Assessments
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive Solutions for Seamless Security Operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • SentinelOne for Google Cloud
      Unified, Autonomous Security Giving Defenders the Advantage at Global Scale
    • Partner Locator
      Your Go-to Source for Our Top Partners in Your Region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2021-22904

CVE-2021-22904: Ruby on Rails ActionPack DoS Vulnerability

CVE-2021-22904 is a denial of service vulnerability in Ruby on Rails ActionPack caused by a permissive regex in Token Authentication logic. This article covers the technical details, affected versions, and mitigation strategies.

Published: February 25, 2026

CVE-2021-22904 Overview

A denial of service vulnerability exists in the Token Authentication logic within Action Controller, a core component of the Ruby on Rails framework. The vulnerability stems from a too permissive regular expression used during HTTP token authentication processing. Applications using authenticate_or_request_with_http_token or authenticate_with_http_token methods for request authentication are vulnerable to this attack.

Critical Impact

Attackers can craft malicious HTTP authentication tokens that trigger catastrophic backtracking in the permissive regular expression, causing severe CPU exhaustion and rendering the affected Rails application unresponsive.

Affected Products

  • Ruby on Rails (actionpack gem) versions before 6.1.3.2
  • Ruby on Rails (actionpack gem) versions before 6.0.3.7
  • Ruby on Rails (actionpack gem) versions 5.2.x before 5.2.4.6 and 5.2.6

Discovery Timeline

  • 2021-06-11 - CVE-2021-22904 published to NVD
  • 2024-11-21 - Last updated in NVD database

Technical Details for CVE-2021-22904

Vulnerability Analysis

This vulnerability is classified as a Regular Expression Denial of Service (ReDoS) attack, a specific form of algorithmic complexity attack (CWE-400: Uncontrolled Resource Consumption). The flaw resides in the token authentication mechanism within Action Controller, where a poorly crafted regular expression is used to parse HTTP Authorization headers containing token credentials.

When processing authentication tokens, the vulnerable code employs a regular expression pattern that exhibits exponential time complexity when matched against specially crafted input strings. This creates a scenario where an attacker can submit malicious tokens that cause the regex engine to enter a state of catastrophic backtracking, consuming excessive CPU cycles while attempting to match the pattern.

The vulnerability affects Rails applications that implement HTTP token-based authentication using the built-in authenticate_or_request_with_http_token or authenticate_with_http_token helper methods. These methods are commonly used to secure API endpoints and service-to-service communications.

Root Cause

The root cause is a too permissive regular expression pattern in the Action Controller token authentication logic. The regex lacks proper bounds and contains nested quantifiers that allow for exponential backtracking behavior. When the regex engine encounters input that can be partially matched in multiple ways, it attempts all possible combinations before failing, leading to severe performance degradation.

Attack Vector

The attack is network-accessible and requires no authentication or user interaction. An attacker can exploit this vulnerability by sending HTTP requests with malformed Authorization headers containing specially crafted token values. The crafted tokens are designed to trigger worst-case regex matching behavior.

The attack typically involves tokens containing repetitive character sequences that match multiple subpatterns within the permissive regex, forcing the engine into exponential backtracking. Since this occurs during the authentication phase, the attack can be executed before any application-level authentication checks take place.

Detection Methods for CVE-2021-22904

Indicators of Compromise

  • Unusual spikes in CPU utilization on web application servers without corresponding increases in legitimate traffic
  • HTTP requests with abnormally long or malformed Authorization headers containing repetitive character patterns
  • Application response times degrading significantly during periods of seemingly normal request volumes
  • Web server worker processes becoming unresponsive or timing out frequently

Detection Strategies

  • Monitor for HTTP requests with Authorization headers exceeding normal length thresholds (e.g., >500 characters)
  • Implement request timeout monitoring to detect regex processing delays in authentication middleware
  • Deploy Web Application Firewall (WAF) rules to inspect and filter suspicious Authorization header patterns
  • Enable Rails application logging to capture authentication method invocation times

Monitoring Recommendations

  • Set up alerting for sustained CPU usage spikes across Rails application workers
  • Monitor request queue depth and worker availability metrics
  • Track authentication endpoint response latencies as key performance indicators
  • Review server logs for patterns of requests with unusual Authorization header content

How to Mitigate CVE-2021-22904

Immediate Actions Required

  • Upgrade the actionpack gem to patched versions: 6.1.3.2, 6.0.3.7, 5.2.4.6, or 5.2.6 immediately
  • Identify all Rails applications using authenticate_or_request_with_http_token or authenticate_with_http_token methods
  • Implement request rate limiting at the load balancer or reverse proxy level to reduce DoS impact
  • Consider deploying a WAF with rules to filter malformed Authorization headers while patches are applied

Patch Information

Ruby on Rails has released patched versions addressing this vulnerability. Organizations should upgrade to the following versions:

  • Rails 6.1.x: Upgrade to 6.1.3.2 or later
  • Rails 6.0.x: Upgrade to 6.0.3.7 or later
  • Rails 5.2.x: Upgrade to 5.2.4.6 or 5.2.6 or later

For detailed patch information and upgrade guidance, refer to the Ruby on Rails Security Advisory.

Workarounds

  • Implement custom input validation to limit Authorization header length before it reaches the Rails authentication layer
  • Deploy a reverse proxy (nginx, HAProxy) with header size limits to reject oversized Authorization headers
  • Temporarily disable HTTP token authentication and switch to alternative authentication mechanisms if feasible
  • Apply network-level rate limiting to authentication endpoints to mitigate the impact of DoS attempts
bash
# Nginx configuration to limit Authorization header size
# Add to server or location block
large_client_header_buffers 4 8k;

# Optional: Add explicit header validation
if ($http_authorization ~* "^Token\s+.{500,}") {
    return 400;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeDOS
  • Vendor/TechRubyonrails
  • SeverityHIGH
  • CVSS Score7.5
  • EPSS Probability8.20%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-400
  • NVD-CWE-Other
  • Technical References
  • HackerOne Vulnerability Report
  • NetApp Security Advisory
  • Vendor Resources
  • Ruby on Rails Discussion
  • Related CVEs
  • CVE-2026-33169: Ruby on Rails Active Support DoS Vulnerability
  • CVE-2026-33174: Ruby on Rails Active Storage DoS Vulnerability
  • CVE-2026-33176: Ruby on Rails Active Support DoS Vulnerability
  • CVE-2022-23517: Rails HTML Sanitizers DoS Vulnerability
Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use

English