Posted over 3 years ago.

[CVE-2018-15578] Denial of Service vulnerability in Rails 3.2 LTS (Active Record)

There is a possible ReDoS (regular expression denial of service) vulnerability in the activerecord gem that is part of Rails LTS. An attacker using a specially crafted request can cause an application with certain vulnerable code to consume an excessive amount of CPU time.

Affected versions: Rails LTS and lower, Rails LTS and lower
Unaffected versions: Rails 2.3 LTS

Note: The flaw is also present in the official non-LTS 3.x version of Active Record, which is no longer maintained. Other non-LTS Rails versions are not affected.


Specially crafted requests can be used to consume an excessive amount of CPU time. This happens when the application passes user input to an Active Record query that also uses the .includes method, like this:

Article.includes(:comments).where(title: params[:title])

The request needs to be somewhat large, but a request of about 100kB is enough to consume over a minute of CPU time. The attack is therefore more practical when the vulnerable code can be reached with a POST request, because a request body is not constrained by the URL length limits that apply to GET parameters.
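Applications that cannot install the fixed gem immediately can take away the attacker's leverage, since the advisory says the attack needs a request on the order of 100kB. The following is an added example, not code from the advisory or from Rails LTS: it bounds the size of values that reach an includes+where query and rejects oversized requests in a Rack middleware. The limits, names and sample requests are assumptions chosen for illustration.

```ruby
# Added example (not part of the advisory or Rails LTS). Two stop-gap
# controls for an application that cannot upgrade right away. All limits
# and names are assumptions for illustration.

# 1. Bound any user-supplied value before it reaches a query such as
#    Article.includes(:comments).where(title: params[:title]).
#    Returns nil for values that are too long, so the caller can answer
#    with 400 instead of running the query at all.
MAX_QUERY_VALUE_BYTES = 255 # assumption: no legitimate title is longer

def bounded_query_value(value, max_bytes: MAX_QUERY_VALUE_BYTES)
  return nil if value.nil?
  str = value.to_s
  str.bytesize <= max_bytes ? str : nil
end

# 2. A Rack middleware that rejects oversized bodies and query strings
#    before the request reaches any controller. It relies only on the
#    Rack calling convention (an app responding to #call(env)), so it runs
#    here without the rack gem installed.
class RequestSizeLimiter
  DEFAULT_MAX_BYTES = 16 * 1024 # assumption: 16 kB is plenty for form posts

  def initialize(app, max_bytes: DEFAULT_MAX_BYTES)
    @app = app
    @max_bytes = max_bytes
  end

  def call(env)
    if oversized?(env)
      return [413, { "Content-Type" => "text/plain" }, ["Payload Too Large\n"]]
    end
    @app.call(env)
  end

  private

  # CONTENT_LENGTH is absent for chunked uploads; see the note below.
  def oversized?(env)
    body_len = env["CONTENT_LENGTH"].to_i            # nil.to_i == 0
    query_len = env["QUERY_STRING"].to_s.bytesize
    body_len > @max_bytes || query_len > @max_bytes
  end
end

# Constructed sample: a minimal downstream app and two synthetic requests.
if __FILE__ == $PROGRAM_NAME
  app = RequestSizeLimiter.new(->(_env) { [200, {}, ["ok"]] })
  small = { "REQUEST_METHOD" => "POST", "CONTENT_LENGTH" => "120", "QUERY_STRING" => "" }
  large = { "REQUEST_METHOD" => "POST", "CONTENT_LENGTH" => "102400", "QUERY_STRING" => "" }
  puts app.call(small)[0]              # 200
  puts app.call(large)[0]              # 413
  p bounded_query_value("Hello")       # "Hello"
  p bounded_query_value("x" * 100_000) # nil
end
```

The middleware only sees a Content-Length header, so a chunked request body would pass it; in production the body cap belongs at the web server as well (for example nginx's client_max_body_size), with the middleware as defence in depth. Neither control fixes the underlying regular expression; they only make the vulnerable query path unreachable with inputs large enough to matter until the fixed gem is deployed.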


A fixed version of Rails 3.2 LTS has been released in the usual location.


Thanks to Pete Brumm for discovering and reporting this issue.

Owner of this card: Tobias Kraze
Last edit: over 3 years ago by Tobias Kraze