CVE-2022-23837 in Sidekiq
Summary
by MITRE • 01/22/2022
In api.rb in Sidekiq before 6.4.0, there is no limit on the number of days when requesting stats for the graph. This overloads the system, affecting the Web UI, and makes it unavailable to users.
Analysis
by VulDB Data Team • 03/13/2026
The vulnerability identified as CVE-2022-23837 resides in the Sidekiq gem's api.rb file and affects versions prior to 6.4.0. It is a critical denial of service weakness that stems from missing input validation and parameter sanitization: when a user requests statistical data for the graph through the web interface, the code imposes no constraint on the number of days parameter, so a single request can ask for an unbounded time range. The absence of any upper bound, rate limit or other restriction on that parameter creates an exploitable condition in which crafted requests overwhelm system resources.
Technically, the flaw is a missing bounds check on the user-supplied days parameter in the statistics endpoint. When an attacker submits a request for an excessive number of days, typically thousands or millions, the system attempts to process and render an impossibly large dataset. This leads to memory exhaustion, CPU overutilization and ultimately system instability that renders the entire web interface inaccessible to legitimate users. The vulnerability operates at the application layer and can be exploited remotely without authentication requirements, which makes it particularly dangerous in production environments where the Sidekiq Web UI is exposed to external networks.
From an operational impact perspective, this vulnerability directly violates the availability principle of the CIA triad and can result in complete service disruption for Sidekiq administrators and users. The resource exhaustion occurs because the system attempts to generate and display graphical representations of performance data across an unbounded time range, causing memory allocation failures and process timeouts. Host and network monitoring tools often register this behavior as an abnormal resource consumption pattern while the affected system stops responding to legitimate requests. The impact extends beyond simple unavailability of the Web UI: the exhausted process can affect other processes running on the same server and potentially cause cascading failures in dependent systems.
The vulnerability aligns with CWE-770 (allocation of resources without limits or throttling) and can be categorized under ATT&CK technique T1499.1 for resource exhaustion. Organizations running vulnerable versions of Sidekiq in production face significant risk, as the attack surface includes any user with access to the web interface. The exploit requires minimal technical skill and can be automated, making it attractive to threat actors seeking to disrupt services. Mitigation strategies include upgrading to Sidekiq version 6.4.0 or later, implementing request rate limiting on the web interface, and enforcing parameter validation for time-based queries. Additionally, organizations should consider network-level controls that restrict access to the Sidekiq web UI and establish monitoring for unusual resource consumption patterns that could indicate exploitation attempts.
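The following Ruby example is added here to illustrate the mechanism described in the analysis and the parameter-validation mitigation it recommends; it is not Sidekiq's own code and does not reproduce the project's fix. It models the dashboard history builder with an in-memory stand-in for the per-day statistics store (the `FakeStatStore` class, its `stat:processed:YYYY-MM-DD` key layout, the `MAX_DAYS` cap of 180 and the `parse_days_param` helper are all assumptions made for this example). The unbounded version builds one key per requested day before fetching anything, so the work grows linearly with an attacker-controlled number; the bounded version rejects out-of-range values before touching the store, and the query-parameter parser clamps whatever arrives from the URL.

```ruby
require "date"

# Constructed in-memory stand-in for a Redis-like key/value store that keeps
# one counter per day. Tracks how many keys each fetch asked for so the
# amplification is observable. Assumption for this example, not Sidekiq code.
class FakeStatStore
  attr_reader :keys_fetched

  def initialize
    @data = {}
    @keys_fetched = 0
  end

  def set(key, value)
    @data[key] = value
  end

  # Emulates a multi-get: one value per requested key, nil when absent.
  def mget(keys)
    @keys_fetched += keys.length
    keys.map { |k| @data[k] }
  end
end

# Builds a processed-jobs history for the last N days: one key per day,
# one bulk fetch. Nothing bounds N, which is the weakness the advisory
# describes: a huge N means a huge key array, a huge fetch and a huge graph.
class UnboundedHistory
  def initialize(store, days_previous, start_date = Date.today)
    @store = store
    @days_previous = days_previous
    @start_date = start_date
  end

  # Returns { "YYYY-MM-DD" => count } for each day in the window.
  def processed
    dates = (0...@days_previous).map { |i| (@start_date - i).to_s }
    keys = dates.map { |d| "stat:processed:#{d}" }
    values = @store.mget(keys)
    dates.zip(values.map { |v| v.to_i }).to_h
  end
end

# Hardened variant: validate the window before any allocation or I/O.
# MAX_DAYS is an assumed cap chosen for this example.
class BoundedHistory < UnboundedHistory
  MAX_DAYS = 180

  def initialize(store, days_previous, start_date = Date.today)
    unless days_previous.is_a?(Integer) && days_previous.between?(1, MAX_DAYS)
      raise ArgumentError, "days must be an integer between 1 and #{MAX_DAYS}"
    end
    super
  end
end

# Web-layer guard for a ?days= query parameter: accept only plain digits,
# fall back to the default on anything else, and clamp into [1, max].
# Hypothetical helper; not part of any real handler.
def parse_days_param(raw, default: 30, max: BoundedHistory::MAX_DAYS)
  return default if raw.nil? || raw.strip.empty?
  return default unless raw.match?(/\A\d+\z/) # rejects "-1", "1e9", "abc"
  raw.to_i.clamp(1, max)
end

if $PROGRAM_NAME == __FILE__
  store = FakeStatStore.new
  store.set("stat:processed:#{Date.today}", "42")

  # Unbounded: a single request makes the server build and fetch a
  # million keys (constructed value, chosen to show the scaling).
  UnboundedHistory.new(store, 1_000_000).processed
  puts "unbounded request touched #{store.keys_fetched} keys"

  begin
    BoundedHistory.new(store, 1_000_000)
  rescue ArgumentError => e
    puts "bounded history rejected the request: #{e.message}"
  end

  puts "?days=1000000 is clamped to #{parse_days_param("1000000")}"
end
```

Both layers matter: clamping at the web handler keeps well-formed requests cheap, and the constructor check catches any other caller (an API client, a console session) that reaches the history builder directly. The cap should be chosen from the retention of the underlying statistics rather than the 180 days assumed here.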