CVE-2015-4411: 
Ruby vulnerability analysis and mitigation

The Moped::BSON::ObjecId.legal? method in mongodb/bson-ruby before 3.0.4 as used in rubygem-moped contains a vulnerability that allows remote attackers to cause a denial of service through worker resource consumption via a crafted string. This vulnerability (CVE-2015-4411) was discovered as an incomplete fix to CVE-2015-4410 and was disclosed in June 2015 (OSS Security).

The vulnerability stems from the improper implementation of regular expressions in the legal? method. The issue arose when the method began using the \A\h{24}\Z regular expression pattern, which was problematic because it allowed a trailing newline character. This implementation would cause Moped to incorrectly process ObjectId validation, leading to resource consumption issues (Sakurity Blog).

When exploited, this vulnerability causes Moped to think MongoDB is down, resulting in 40 repeated connection attempts with intervals. This keeps a worker busy for approximately 5 seconds and generates multiple unnecessary requests to MongoDB, effectively creating a denial of service condition (Sakurity Blog).

The vulnerability was fixed in mongodb/bson-ruby version 3.0.4 by modifying the regular expression pattern to use \A\h{24}\z instead of \A\h{24}\Z. Users should upgrade to this version or later to address the vulnerability (Github Commit).