CVE-2024-0241: encoded_id-rails potential DOS vulnerability due to URIs with extremely long encoded IDs
(updated )
The length of URIs and the various parts (eg path segments, query parameters) is usually limited by the webserver processing the incoming request. In the case of Puma the defaults are :
- path segment length: 8192
- Max URI length: 1024 * 12
- Max query length: 1024 * 10
See https://github.com/puma/puma/blob/master/docs/compile_options.md
If too long Puma raises:
Puma caught this error: HTTP element REQUEST_PATH is longer than the (8192) allowed length (was 12503) (Puma::HttpParserError)
However due to the performance of hashids extremely long encoded IDs will consume a large amount of CPU and allocate a huge number of intermediate objects.
For example:
References
- github.com/advisories/GHSA-3px7-jm2p-6h2c
- github.com/rubysec/ruby-advisory-db/blob/master/gems/encoded_id-rails/CVE-2024-0241.yml
- github.com/stevegeek/encoded_id-rails
- github.com/stevegeek/encoded_id-rails/commit/afa495a77b8a21ad582611f9cdc2081dc4018b91
- github.com/stevegeek/encoded_id-rails/security/advisories/GHSA-3px7-jm2p-6h2c
- nvd.nist.gov/vuln/detail/CVE-2024-0241
Code Behaviors & Features
Detect and mitigate CVE-2024-0241 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →