CVE-2024-47889: 
Ruby vulnerability analysis and mitigation

Action Mailer, a framework for designing email service layers, contains a ReDoS (Regular Expression Denial of Service) vulnerability in its blockformat helper. The vulnerability affects versions starting from 3.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1. This security issue was discovered by yukiosaki and scyoon and was assigned CVE-2024-47889 (GitHub Advisory).

The vulnerability exists in the block_format helper of Action Mailer, where carefully crafted text can cause the helper to take an unexpected amount of time to process. The issue is related to potential backtracking in regular expression processing. The vulnerability has been assigned a CVSS 4.0 score of 6.6 (Medium) with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U (NVD).

When exploited, this vulnerability can result in a Denial of Service (DoS) condition by causing the block_format helper to consume excessive processing time. The impact is particularly concerning for applications that process email content using the affected helper function (GitHub Advisory).

Users are advised to upgrade to the patched versions: 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1. Alternatively, users can implement one of two workarounds: either avoid calling the block_format helper or upgrade to Ruby 3.2, which includes built-in mitigations for this issue. Applications running on Ruby 3.2 or newer are unaffected by this vulnerability. Additionally, Rails 8.0.0.beta1 is unaffected as it requires Ruby 3.2 or greater (GitHub Advisory).