CVE-2024-26141 in rubygem-rackinfo

Summary

by MITRE • 02/29/2024

Rack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly large response. Responding with such large responses could lead to a denial of service issue. Vulnerable applications will use the `Rack::File` middleware or the `Rack::Utils.byte_ranges` methods (this includes Rails applications). The vulnerability is fixed in 3.0.9.1 and 2.2.8.1.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 05/28/2026

The vulnerability identified as CVE-2024-26141 affects the Rack web server interface implementation in Ruby applications, representing a significant denial of service risk that stems from improper handling of HTTP Range headers. This flaw specifically targets applications utilizing the Rack::File middleware or Rack::Utils.byte_ranges methods, which are commonly found in Ruby on Rails applications and other frameworks built on the Rack ecosystem. The vulnerability exploits a fundamental weakness in how the system processes range requests, creating a scenario where maliciously crafted Range headers can trigger unexpectedly large data responses from the server.

The technical implementation of this vulnerability resides in the byte range parsing logic within Rack's utility methods, where input validation fails to properly constrain the range parameters provided by clients. When an attacker submits a crafted Range header that specifies an excessively large range or multiple overlapping ranges, the Rack::Utils.byte_ranges method processes these inputs without adequate bounds checking, leading to the generation of response data that can grow exponentially beyond normal expectations. This behavior manifests as the server preparing and transmitting response payloads that are orders of magnitude larger than anticipated, consuming significant system resources including memory and bandwidth.

The operational impact of this vulnerability extends beyond simple resource exhaustion, as it can severely disrupt application availability and potentially impact other services running on the same infrastructure. When exploited, the vulnerability allows attackers to consume server resources rapidly, potentially causing memory allocation failures, network saturation, and overall system instability. The attack vector is particularly concerning because it requires minimal privileged access and can be executed through standard HTTP requests, making it accessible to attackers with basic network connectivity. Organizations running affected versions of Rack applications face a direct risk of service disruption, particularly those with limited resource constraints or applications that handle high volumes of concurrent requests.

Mitigation strategies for CVE-2024-26141 focus primarily on upgrading to the patched versions of Rack, specifically 3.0.9.1 and 2.2.8.1, which contain the necessary fixes for the byte range parsing logic. Organizations should prioritize immediate deployment of these updates across all affected applications and infrastructure components. Additionally, implementing request rate limiting and resource monitoring can provide defensive measures while awaiting upgrades, though these approaches represent temporary safeguards rather than permanent solutions. The vulnerability aligns with CWE-129, which addresses improper validation of length parameters, and maps to ATT&CK technique T1499.004 for network denial of service attacks. Security teams should also consider implementing network-level controls to monitor and restrict unusual range header patterns, particularly in environments where immediate patching is not feasible.

Responsible

GitHub, Inc.

Reservation

02/14/2024

Disclosure

02/29/2024

Moderation

accepted

CPE

ready

EPSS

0.01612

KEV

no

Activities

very low

Sources

Do you know our Splunk app?

Download it now for free!