CVE-2024-25126 Overview
CVE-2024-25126 is a denial of service vulnerability in Rack, the modular Ruby web server interface used by Rails and other Ruby web frameworks. The flaw resides in Rack's media type parser, which processes the Content-Type HTTP header. Carefully crafted header values trigger a second-degree polynomial regular expression denial of service (ReDoS), forcing the parser to consume significantly more CPU time than expected. Remote attackers can submit specially formed requests to exhaust server resources without authentication. The vulnerability is patched in Rack 3.0.9.1 and 2.2.8.1, and tracked under CWE-1333 (Inefficient Regular Expression Complexity).
Critical Impact
Unauthenticated remote attackers can degrade or halt Rack-based Ruby web applications by sending malformed Content-Type headers that trigger excessive CPU consumption.
Affected Products
- Rack versions prior to 2.2.8.1 (2.x branch)
- Rack versions prior to 3.0.9.1 (3.x branch)
- Debian Linux 10 (with vulnerable Rack packages)
Discovery Timeline
- 2024-02-29 - CVE-2024-25126 published to NVD
- 2025-02-14 - Last updated in NVD database
Technical Details for CVE-2024-25126
Vulnerability Analysis
The vulnerability stems from Rack's MediaType parsing logic, which uses a regular expression to split and normalize the Content-Type HTTP header. The regex exhibits second-degree polynomial complexity when processing pathological input. As input length grows, parsing time grows quadratically, allowing modest payload sizes to consume disproportionate CPU resources. Because Rack sits beneath frameworks such as Ruby on Rails, the parser is reached on virtually every inbound HTTP request that includes a Content-Type header. No authentication is required to trigger the condition, and the network attack vector means any internet-facing Rack application is reachable.
Root Cause
The root cause is an inefficient regular expression used to parse media type parameters in the Content-Type header. The pattern backtracks excessively on crafted inputs containing repeated structural characters. This pattern of inefficient regex design is classified under CWE-1333. The upstream fix, applied in commits 6efb2ce and d9c163a, rewrites the parsing logic to eliminate the quadratic behavior.
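As an added illustration (not Rack's code; the exact expression Rack used is not quoted on this page), the following Ruby models the bug class with a hypothetical whitespace-tolerant split pattern beside the split-then-strip rewrite, and times both so the quadratic versus linear growth can be confirmed on a patched and unpatched parser alike:

```ruby
require 'benchmark'

# Hypothetical pattern modelled on the bug class the page describes (the
# exact Rack expression is not quoted here): the split regex also swallows
# surrounding whitespace. At every blank, the greedy \s* eats the rest of
# the run, [;,] fails at the end, and the engine backtracks one character
# at a time, so a run of n blanks with no delimiter costs O(n^2).
QUADRATIC_SPLIT = /\s*[;,]\s*/

# Hardened form: split only on the delimiter characters (a linear scan)
# and strip each piece afterwards, so whitespace never feeds backtracking.
LINEAR_SPLIT = /[;,]/

def parse_media_type_quadratic(content_type)
  return nil unless content_type
  type, *params = content_type.split(QUADRATIC_SPLIT)
  shape_media_type(type, params)
end

def parse_media_type_linear(content_type)
  return nil unless content_type
  type, *params = content_type.split(LINEAR_SPLIT).map(&:strip)
  shape_media_type(type, params)
end

# Shared shaping: lowercase the type and turn "k=v" pieces into a Hash.
def shape_media_type(type, params)
  params_hash = params.each_with_object({}) do |piece, h|
    k, v = piece.split('=', 2)
    h[k.downcase] = v.to_s.delete('"') unless k.nil? || k.empty?
  end
  [type.to_s.strip.downcase, params_hash]
end

# Wall-clock seconds to parse a header padded with n blanks. Doubling n
# should roughly quadruple the quadratic time and only double the linear.
def time_parse(n, quadratic:)
  header = 'text/plain' + (' ' * n)
  Benchmark.realtime do
    quadratic ? parse_media_type_quadratic(header) : parse_media_type_linear(header)
  end
end

if __FILE__ == $PROGRAM_NAME
  [2_000, 4_000, 8_000].each do |n|
    printf("n=%5d  quadratic=%.4fs  linear=%.6fs\n", n,
           time_parse(n, quadratic: true), time_parse(n, quadratic: false))
  end
end
```

Both parsers return identical results for well-formed headers; only their cost on long whitespace runs differs.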
Attack Vector
An attacker sends HTTP requests containing a specially crafted Content-Type header to any endpoint served by a vulnerable Rack version. Each request causes the Rack media type parser to spend extended CPU time before request handling completes. Repeated requests, or a sustained stream from multiple sources, exhaust worker processes and threads. The result is service degradation or full denial of service for legitimate users. See the GitHub Security Advisory GHSA-22f2-v57c-j9cx for additional technical context.
No verified public proof-of-concept code is available. The vulnerability manifests when malformed media type strings are passed to Rack's header parser; refer to the RubySec advisory entry for the canonical technical description.
Detection Methods for CVE-2024-25126
Indicators of Compromise
- HTTP requests containing unusually long or structurally repetitive Content-Type header values (for example, repeated delimiter characters such as ; or ,).
- Sudden, sustained CPU saturation in Ruby application worker processes (puma, unicorn, passenger) without a corresponding rise in request throughput.
- Increased request latency and HTTP 502 or 504 responses from upstream load balancers fronting Rack applications.
Detection Strategies
- Inventory deployed Ruby applications and identify Rack gem versions using bundle info rack or gem list rack to flag versions older than 2.2.8.1 or 3.0.9.1.
- Enable web application firewall (WAF) inspection of the Content-Type header and alert on values exceeding a reasonable length threshold (for example, 256 bytes) or containing repeated separator characters.
- Correlate spikes in Ruby process CPU utilization with inbound request patterns in application logs to surface ReDoS-style abuse.
Monitoring Recommendations
- Monitor per-request processing time and flag long-tail outliers on endpoints that accept arbitrary Content-Type values.
- Track Rack and gem dependency versions through software composition analysis (SCA) to detect regressions to vulnerable releases.
- Alert on repeated requests from the same source that produce abnormal CPU cost per request.
How to Mitigate CVE-2024-25126
Immediate Actions Required
- Upgrade Rack to 2.2.8.1 for 2.x deployments or 3.0.9.1 for 3.x deployments, then redeploy affected applications.
- Apply distribution updates for Debian as described in the Debian LTS Announcement.
- Review NetApp environments using the NetApp Security Advisory ntap-20240510-0005 for product-specific guidance.
Patch Information
The Rack maintainers patched the vulnerability in releases 2.2.8.1 and 3.0.9.1. The fixes are implemented in commits 6efb2ceea003c4b195815a614e00438cbd543462 and d9c163a443b8cadf4711d84bd2c58cb9ef89cf49. Refer to the Ruby on Rails discussion thread for downstream guidance.
Workarounds
- Deploy a WAF or reverse proxy rule that rejects requests with Content-Type headers exceeding a strict length limit before they reach the Rack application.
- Enforce per-request timeouts in the application server (for example, worker_timeout in Puma) to bound CPU time spent on any single request.
- Apply rate limiting at the edge to constrain the request volume an individual client can submit while patching is in progress.
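An app-layer version of the header-length workaround, written for this page as an added example rather than taken from Rack or the advisory; ContentTypeGuard, its limits and the reason strings are hypothetical names and defaults:

```ruby
# Guards the request Content-Type header at the Rack layer before the
# framework's media type parser runs. Intended as a stopgap while the gem
# upgrade is rolled out; limits are tunable per deployment.
class ContentTypeGuard
  # 256 bytes matches the threshold suggested under Detection Strategies and
  # leaves ample room for legitimate charset/boundary parameters.
  DEFAULT_MAX_LENGTH     = 256
  DEFAULT_MAX_SEPARATORS = 8

  def initialize(app, max_length: DEFAULT_MAX_LENGTH,
                 max_separators: DEFAULT_MAX_SEPARATORS)
    @app = app
    @max_length = max_length
    @max_separators = max_separators
  end

  def call(env)
    # Rack exposes the request Content-Type as CONTENT_TYPE (no HTTP_ prefix).
    reason = self.class.reject_reason(env['CONTENT_TYPE'],
                                      max_length: @max_length,
                                      max_separators: @max_separators)
    return @app.call(env) unless reason

    # Log enough to correlate with CPU spikes, but never echo the raw header.
    env['rack.errors']&.puts("content_type_guard reject=#{reason.inspect} " \
                             "ip=#{env['REMOTE_ADDR']}")
    [400, { 'content-type' => 'text/plain' }, ["Bad Request: #{reason}\n"]]
  end

  # Pure check, kept separate so it can be unit-tested without an app.
  # Returns nil when the header is acceptable, otherwise a short reason.
  def self.reject_reason(value, max_length:, max_separators:)
    return nil if value.nil? || value.empty?
    return 'content-type too long' if value.bytesize > max_length
    return 'too many parameters' if value.count(';,') > max_separators
    nil
  end
end

# config.ru wiring (commented so the file runs stand-alone):
#   use ContentTypeGuard, max_length: 256, max_separators: 8
#   run MyApp
```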
# Upgrade Rack to a patched version
bundle update rack --conservative
# Verify the installed version is 2.2.8.1 or 3.0.9.1 (or later)
bundle info rack
# For Debian-based systems, apply package updates
sudo apt-get update && sudo apt-get install --only-upgrade ruby-rack
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.