CVE-2024-41128: 
Ruby vulnerability analysis and mitigation

Action Pack, a framework for handling and responding to web requests, contains a ReDoS (Regular Expression Denial of Service) vulnerability (CVE-2024-41128) in its query parameter filtering routines. The vulnerability affects versions starting from 3.1.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1. This security issue was discovered and reported by scyoon through the HackerOne platform (GitHub Advisory).

The vulnerability exists in the query parameter filtering routines of Action Dispatch, where carefully crafted query parameters can trigger excessive processing time in the regular expression matching process. The issue has been assigned a CVSS 4.0 score of 6.6 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U. The vulnerability is classified under CWE-770 (Allocation of Resources Without Limits or Throttling) (NVD).

When exploited, this vulnerability can cause query parameter filtering to take an unexpected amount of time, potentially resulting in a denial of service condition. This could affect the availability of web applications built with the affected versions of Rails (Red Hat Bugzilla).

Users are advised to upgrade to the patched versions: 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1. As a workaround, applications running on Ruby 3.2 or newer are unaffected by this vulnerability due to built-in mitigations. Additionally, Rails 8.0.0.beta1 is unaffected as it depends on Ruby 3.2 or greater (GitHub Advisory).