Rails ReDoS: CVE-2024-26142 and the Accept Header Parsing Flaw

A denial-of-service flaw in Rails 7.1.x's Accept header parsing exposes applications to ReDoS attacks. We break down the technical root cause, the affected Rails and Ruby versions, and the official patch that closes it.
CVE Analysis


ZeroPath Security Research

2025-07-17

When a single HTTP header can freeze your Rails app, the stakes are high. CVE-2024-26142 exposes a subtle but severe flaw in Rails 7.1.x: an attacker can craft an Accept header that keeps a worker thread busy inside the regex engine, leading to denial of service. This vulnerability, rooted in Action Dispatch's header parsing, is a textbook example of how regular expression complexity becomes a real-world threat.

Technical Information

Vulnerability Mechanism:

CVE-2024-26142 is a Regular Expression Denial of Service (ReDoS) vulnerability in the Accept header parsing logic of Action Dispatch, introduced in Rails 7.1.0. The parsing lives in Mime::Type.parse in the actionpack gem (action_dispatch/http/mime_type.rb), which is what request.formats, and therefore respond_to and the rest of format negotiation, call on every request that negotiates a response format. The header is tokenized with a regular expression whose nested quantifiers let the same input be consumed in more than one way. Under normal conditions the regex returns quickly on typical headers such as:

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

However, when an attacker sends an Accept header built so that the regex can consume most of it in many different ways but can never complete the match, the engine enters catastrophic backtracking. The shape of such a value (illustrative, not a reproduction payload) is a long run of characters the token class accepts, ending in something the rest of the pattern cannot match:

Accept: aaaaaaaaaaaaaaaaaaaaaaaa!

The thread is then stuck inside the regex engine for a time that grows exponentially with the length of the run, so a single request can occupy a worker for seconds or longer.

Vulnerable Pattern (conceptual):

/^([^,\s]+,?)*\s*;.*$/

This pattern is susceptible because `[^,\s]+` sits inside a `*` repetition with only an optional comma between iterations, so a run of N non-separator characters can be divided among the outer iterations in 2^(N-1) different ways. When the mandatory `;` is never found, the engine tries every one of those divisions before reporting no match, and the match time doubles with each character the attacker adds.
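To make the backtracking concrete, here is an added example (written for this review; it is neither Rails code nor the Rails fix) that runs the conceptual pattern above against attacker-style input, puts a hardened rewrite next to it, and shows the match timeout Ruby 3.2 added. `HARDENED_ACCEPT`, `attack_header`, `probe`, `parse_accept` and `match_with_timeout` are this example's own names; the trailing ` !;` on the attack input is an assumption about Onigmo's required-literal pre-scan, explained in the comment.

```ruby
# Added example for this article; not Rails code and not the Rails patch.
# VULNERABLE_ACCEPT is the article's conceptual regex; everything else here is
# this example's own.

# Article's conceptual vulnerable pattern. Inside `(...)*`, `[^,\s]+` with only an
# optional comma between iterations means a run of N non-separator bytes can be
# split among the outer iterations in 2^(N-1) ways. When the mandatory `;` never
# arrives, the engine tries every split before reporting no match.
VULNERABLE_ACCEPT = /^([^,\s]+,?)*\s*;.*$/

# Hardened rewrite (this example's, not the Rails patch): `;` is removed from the
# token class so a token can only end at a real separator, and possessive
# quantifiers (`++`, `*+`) forbid the engine from handing characters back, so
# the match is one left-to-right pass whether or not it succeeds.
HARDENED_ACCEPT = /^(?:[^,;\s]++,?)*+\s*+;.*$/

# Attacker-style value: a long run the token class accepts, then a space and a
# `!` that can never satisfy `\s*;`. The trailing `;` is an assumption about
# Onigmo (Ruby's engine): it pre-scans the subject for literals the pattern
# requires and returns nil at once if one is absent. With the literal present
# the backtracking search actually runs.
def attack_header(n)
  ("a" * n) + " !;"
end

# Returns [matched?, seconds] for one match attempt of +re+ against +input+.
def probe(re, input)
  start   = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  matched = re.match?(input)
  [matched, Process.clock_gettime(Process::CLOCK_MONOTONIC) - start]
end

# Regex-free media-range parser: one split per separator, no ambiguity, hence
# no backtracking. Returns [[media_range, q], ...] in header order; malformed
# q-values fall back to 1.0 and empty items are dropped.
def parse_accept(header)
  header.to_s.split(",").filter_map do |item|
    range, *params = item.split(";").map(&:strip)
    next if range.nil? || range.empty?
    q = 1.0
    params.each do |param|
      key, value = param.split("=", 2)
      next unless key == "q" && value
      q = Float(value, exception: false) || 1.0
    end
    [range, q]
  end
end

# Defence in depth on Ruby 3.2+: bound the time any single match may take.
# Returns true/false, or :timeout if the engine gave up. Older Rubies have no
# timeout support, so there the match runs unbounded.
def match_with_timeout(re, input, seconds)
  return re.match?(input) unless defined?(Regexp::TimeoutError)
  Regexp.new(re.source, re.options, timeout: seconds).match?(input)
rescue Regexp::TimeoutError
  :timeout
end

if $PROGRAM_NAME == __FILE__
  puts "Ruby #{RUBY_VERSION}"
  [8, 12, 16].each do |n|
    matched, secs = probe(VULNERABLE_ACCEPT, attack_header(n))
    puts format("vulnerable n=%2d matched=%-5s %.5fs", n, matched, secs)
    matched, secs = probe(HARDENED_ACCEPT, attack_header(n))
    puts format("hardened   n=%2d matched=%-5s %.5fs", n, matched, secs)
  end
  p parse_accept("text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8")
  p match_with_timeout(VULNERABLE_ACCEPT, attack_header(12), 0.5)
end
```

Run it under Ruby 3.1 and 3.2 side by side: below 3.2 the vulnerable timings roughly double for every character added to the run, on 3.2+ they stay flat because the engine memoizes backtracking state it has already explored. The hardened regex stays flat on every Ruby, and `parse_accept` shows the shape of a tokenizer that needs no ambiguous regex on the request path at all.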

Attack Vector:

  • The attacker sends an HTTP request carrying a crafted Accept header to any endpoint that negotiates its response format from that header (in practice, most controller actions).
  • Action Dispatch hands the header to the vulnerable regex in Mime::Type.parse.
  • Catastrophic backtracking pins the worker thread for the duration of the match; a handful of concurrent requests is enough to exhaust a server's worker pool and deny service to legitimate clients.

Root Cause:

  • An ambiguous regular expression with nested quantifiers in the Accept header tokenizer, so that input which cannot match is explored in exponential time.
  • No bound on the work the parser may spend on a single header: no length limit and no match timeout.

Affected Configurations:

  • Rails applications running actionpack 7.1.0 through 7.1.3
  • Ruby versions prior to 3.2 (Ruby 3.2 added memoization to the regex engine, which bounds backtracking for patterns like this one, together with the Regexp.timeout setting)

Patch Details: The Rails team rewrote the Accept header regular expression so that a crafted header can no longer trigger exponential backtracking. The fix is implemented in Rails 7.1.3.1 and is also available as a standalone patch for the 7.1 series.

Patch Information

The Rails team released version 7.1.3.1 to address the ReDoS in Action Dispatch's Accept header parsing. The change is confined to the header tokenizer in actionpack: the regular expression that was susceptible to excessive backtracking on crafted input is replaced so that a malformed header is rejected in time proportional to its length rather than exponential in it, while well-formed headers parse as before.

The specific changes can be reviewed in commit b4d3bfb5ed8a5b5a90aad3a3b28860c7a931e272 on the Rails GitHub repository, which shows the modifications made to mitigate the vulnerability.

For users who cannot upgrade to 7.1.3.1 immediately, the Rails team published a patch file, 7-1-accept-redos.patch, that applies to the 7.1 series without a full version upgrade. It is linked from the security announcement on the Ruby on Rails Discussions forum.

Applications running on Ruby 3.2 or newer are not affected by this vulnerability: Ruby 3.2's regex engine memoizes backtracking state, which bounds the work for patterns like this one, and the same release added Regexp.timeout as a global backstop. Upgrading Ruby therefore removes the exposure, but it is a mitigation for this class of bug rather than a replacement for the Rails fix: the memoization is not applied to every pattern (backreferences, for example, are excluded), so the actionpack upgrade or patch should still be applied.

Affected Systems and Versions

  • Rails (actionpack) versions 7.1.0 through 7.1.3 are vulnerable.
  • Rails 7.1.3.1 and later are patched; releases before 7.1.0 are not affected.
  • Ruby versions prior to 3.2 are exposed when used with a vulnerable Rails version.
  • Ruby 3.2 and newer are not affected, even with a vulnerable Rails version, because of the regex engine memoization added in Ruby 3.2.
  • Any application in the affected range that negotiates response formats from the Accept header through Action Dispatch is at risk.
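An added example (this review's, not the Rails project's) of the triage check a deploy pipeline can run against the version list above. `assess`, `recommendation`, `actionpack_version_from_lock` and `installed_actionpack_version` are this example's names, the version boundaries are the ones quoted in this article, and the Gemfile.lock fragment is constructed for the example.

```ruby
# Added example, not from Rails or this article: places an actionpack/Ruby pair
# inside or outside the window the advisory describes. Version boundaries are
# the ones quoted in the article; the Gemfile.lock text is constructed.
require "rubygems"

# Affected: actionpack >= 7.1.0 and < 7.1.3.1. Ruby 3.2+ mitigates in the engine.
AFFECTED_ACTIONPACK = Gem::Requirement.new(">= 7.1.0", "< 7.1.3.1")
MITIGATED_RUBY      = Gem::Requirement.new(">= 3.2")

# Classifies one deployment. Returns one of
#   :not_in_affected_range  (pre-7.1, or already on 7.1.3.1+)
#   :mitigated_by_ruby      (affected Rails, but Ruby 3.2+ bounds the backtracking)
#   :vulnerable             (affected Rails on Ruby < 3.2)
def assess(actionpack_version, ruby_version = RUBY_VERSION)
  actionpack = Gem::Version.new(actionpack_version)
  ruby       = Gem::Version.new(ruby_version)
  return :not_in_affected_range unless AFFECTED_ACTIONPACK.satisfied_by?(actionpack)
  return :mitigated_by_ruby if MITIGATED_RUBY.satisfied_by?(ruby)
  :vulnerable
end

# Action for each classification, following the advisory as summarised above.
def recommendation(status)
  case status
  when :vulnerable            then "upgrade actionpack to 7.1.3.1+ (or apply 7-1-accept-redos.patch) now"
  when :mitigated_by_ruby     then "not exploitable on this Ruby; still upgrade actionpack to 7.1.3.1+"
  when :not_in_affected_range then "no action required for CVE-2024-26142"
  else raise ArgumentError, "unknown status #{status.inspect}"
  end
end

# Reads the pinned actionpack version out of a Gemfile.lock so CI can run the
# check without loading the app. Under "specs:" the gem's own line looks like
# "    actionpack (7.1.2)"; dependency lines such as "actionpack (= 7.1.2)"
# contain an operator and a space and are deliberately not matched.
def actionpack_version_from_lock(lock_text)
  lock_text[/^\s+actionpack \(([^)\s]+)\)/, 1]
end

# Version of the actionpack gem installed in this Ruby, or nil if absent.
def installed_actionpack_version
  Gem::Specification.find_by_name("actionpack").version.to_s
rescue Gem::LoadError
  nil
end

# Constructed Gemfile.lock fragment (not from any real application).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (7.1.2)
        actionview (= 7.1.2)
        activesupport (= 7.1.2)
        nokogiri (>= 1.8.5)
        rack (>= 2.2.4)
      rack (3.0.8)

  PLATFORMS
    ruby
LOCK

if $PROGRAM_NAME == __FILE__
  version = actionpack_version_from_lock(SAMPLE_LOCK)
  status  = assess(version, RUBY_VERSION)
  puts "actionpack #{version} on Ruby #{RUBY_VERSION}: #{status} -> #{recommendation(status)}"
  if (installed = installed_actionpack_version)
    puts "installed actionpack #{installed}: #{assess(installed)}"
  end
end
```

The Gemfile.lock path is the one to wire into CI: it needs no Bundler environment, and a job that fails on `:vulnerable` catches the combination of a 7.1.0 to 7.1.3 pin with a pre-3.2 Ruby image before it reaches production.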

Vendor Security History

Ruby on Rails has a well-established security process: a published security policy, a private reporting channel, coordinated disclosure, and announcements on the Ruby on Rails Discussions forum and the rubyonrails-security mailing list. Earlier ReDoS and header parsing issues in Rails have been handled through the same process, with fixed releases and backport patches published alongside the advisory. This incident follows that established pattern.

References

Source: This report was created using AI

If you have suggestions for improvement or feedback, please reach out to us at [email protected]
