CVE-2024-0241: 
Ruby vulnerability analysis and mitigation

CVE-2024-0241 affects encoded_id-rails versions before 1.0.0.beta2, exposing an uncontrolled resource consumption vulnerability. The vulnerability was discovered in October 2023 and allows a remote and unauthenticated attacker to cause a denial of service condition by sending an HTTP request with an extremely long "id" parameter (NVD, GitHub Advisory).

The vulnerability stems from insufficient validation of encoded ID lengths in HTTP requests. Due to the performance characteristics of the hashids implementation, processing extremely long encoded IDs consumes significant CPU resources and can allocate over 200MB of intermediate objects. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating network accessibility, low attack complexity, and no required privileges or user interaction (GitHub Advisory).

When exploited, this vulnerability can lead to a denial of service condition by consuming excessive server resources. The processing of maliciously crafted long IDs can cause significant CPU utilization and memory allocation, potentially affecting the availability of the application (GitHub Advisory).

The vulnerability has been patched in version 1.0.0.beta2, which introduces a new option to limit the length of IDs that can be decoded. Users are advised to upgrade to this version or later. Future releases will also improve performance and significantly reduce allocations in the underlying hashids implementation (GitHub Advisory, GitHub Commit).