Platform: ruby
Component: actionpack
Fixed in: 4.2.5.1
CVE-2016-0751 is a denial-of-service (DoS) vulnerability discovered in Action Pack, a core component of the Ruby on Rails web application framework. This flaw allows remote attackers to exhaust server memory by crafting malicious HTTP Accept headers, potentially causing the application to become unresponsive. The vulnerability affects versions of Ruby on Rails prior to 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, and 5.x before 5.0.0.beta1.1. A fix is available in Rails 4.2.5.1.
Successful exploitation of CVE-2016-0751 can lead to a complete denial of service for a Ruby on Rails application. An attacker can craft a specially designed HTTP Accept header that triggers excessive memory allocation within Action Pack's MIME type cache. This rapid memory consumption can quickly exhaust available resources, causing the web server to become unresponsive to legitimate user requests. The impact extends beyond the immediate application, potentially affecting other services running on the same server if resources are shared. While the vulnerability doesn't directly lead to data exfiltration or code execution, the disruption of service can have significant operational and financial consequences, particularly for critical web applications.
CVE-2016-0751 was publicly disclosed in 2017. While no widespread exploitation campaigns have been definitively linked to this specific CVE, the DoS nature of the vulnerability makes it a potential target for opportunistic attackers. There are publicly available proof-of-concept exploits demonstrating the vulnerability's impact. It is not listed on the CISA KEV catalog as of the current date.
EPSS: 6.14% (91st percentile)
The primary mitigation for CVE-2016-0751 is to upgrade to Ruby on Rails version 4.2.5.1 or later. This version includes a fix that restricts the use of the MIME type cache, preventing the memory exhaustion vulnerability. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter out requests with unusually long or complex HTTP Accept headers. Additionally, reviewing and limiting the number of MIME types supported by the application can reduce the attack surface. After upgrading, confirm the fix by sending a crafted HTTP Accept header (as described in vulnerability reports) and verifying that memory consumption remains within acceptable limits.
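The filtering workaround described above can also be applied inside the application stack when no WAF is available. The following Rack-style middleware is an added example, not code from the Rails project or from the advisory: the class name `AcceptHeaderGuard`, the size limits and the allowlist of media types are all assumptions to adapt to what the application actually serves.

```ruby
# Added example: Rack-compatible middleware (plain Ruby, no gems required) that
# bounds what the Accept header can hand to the framework's MIME type handling.
class AcceptHeaderGuard
  MAX_BYTES  = 256 # assumed cap on total header length
  MAX_RANGES = 16  # assumed cap on comma-separated media ranges
  # Assumed allowlist: the media types this application really responds with.
  ALLOWED = %w[*/* text/html text/plain application/json application/xml].freeze

  def initialize(app, allowed: ALLOWED, max_bytes: MAX_BYTES, max_ranges: MAX_RANGES)
    @app = app
    @allowed = allowed
    @max_bytes = max_bytes
    @max_ranges = max_ranges
  end

  def call(env)
    accept = env["HTTP_ACCEPT"]
    return @app.call(env) if accept.nil? || accept.empty?

    ranges = accept.split(",")
    if accept.bytesize > @max_bytes || ranges.length > @max_ranges
      return reject(400, "Accept header too large")
    end

    # Keep only allowlisted media types so unknown values never reach the
    # framework; parameters such as ";q=0.8" are preserved on kept entries.
    kept = ranges.map(&:strip).select do |range|
      @allowed.include?(range.split(";", 2).first.to_s.strip.downcase)
    end
    return reject(406, "No supported media type in Accept header") if kept.empty?

    env["HTTP_ACCEPT"] = kept.join(", ")
    @app.call(env)
  end

  private

  def reject(status, message)
    [status, { "content-type" => "text/plain" }, ["#{message}\n"]]
  end
end
```

In a Rack application this would be mounted ahead of the framework with `use AcceptHeaderGuard`; it is a stopgap until the upgrade is deployed, not a replacement for it.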
CVE-2016-0751 is a denial-of-service vulnerability in Ruby on Rails Action Pack, allowing attackers to exhaust server memory with crafted HTTP Accept headers.
You are affected if you are using Ruby on Rails versions before 3.2.22.1, 4.0.x and 4.1.x before 4.1.14.1, 4.2.x before 4.2.5.1, or 5.x before 5.0.0.beta1.1.
Upgrade to Ruby on Rails version 4.2.5.1 or later to remediate the vulnerability. Consider WAF rules as a temporary workaround.
While no widespread exploitation campaigns are confirmed, the DoS nature of the vulnerability makes it a potential target for opportunistic attackers.
Refer to the official Ruby on Rails security advisories and vulnerability reports for detailed information: https://github.com/rails/rails/security/advisories