Vulnerabilities: 9 via 39 paths
Dependencies: 66
Source: GitHub
Commit: e9e400c7


high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: rack
  • Introduced through: rack-test@2.2.0, rackup@2.2.1 and others

Detailed paths

  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive#e9e400c757f25b91cee98adf487eff825d23476f rack-test@2.2.0 rack@3.1.13
    Remediation: Upgrade to rack-test@2.2.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive#e9e400c757f25b91cee98adf487eff825d23476f rackup@2.2.1 rack@3.1.13
    Remediation: Upgrade to rackup@2.2.1.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive#e9e400c757f25b91cee98adf487eff825d23476f sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq@8.0.3.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive#e9e400c757f25b91cee98adf487eff825d23476f rspec-sidekiq@5.1.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to rspec-sidekiq@5.1.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive#e9e400c757f25b91cee98adf487eff825d23476f sidekiq-alive-next@3.2.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq-alive-next@3.2.0.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the Rack::QueryParser. An attacker can exhaust memory and CPU by sending HTTP requests containing an excessively large number of &-separated query parameters.

Workaround

This vulnerability can be avoided by any means that limits the length of incoming raw strings or application/x-www-form-urlencoded data, including application-level limitation or employing middleware.

Remediation

Upgrade rack to version 2.2.14, 3.0.16, 3.1.14 or higher.

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: rack
  • Introduced through: rack-test@2.2.0, rackup@2.2.1 and others

Detailed paths

  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive#e9e400c757f25b91cee98adf487eff825d23476f rack-test@2.2.0 rack@3.1.13
    Remediation: Upgrade to rack-test@2.2.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive#e9e400c757f25b91cee98adf487eff825d23476f rackup@2.2.1 rack@3.1.13
    Remediation: Upgrade to rackup@2.2.1.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive#e9e400c757f25b91cee98adf487eff825d23476f sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq@8.0.3.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive#e9e400c757f25b91cee98adf487eff825d23476f rspec-sidekiq@5.1.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to rspec-sidekiq@5.1.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive#e9e400c757f25b91cee98adf487eff825d23476f sidekiq-alive-next@3.2.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq-alive-next@3.2.0.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to inefficient Content-Disposition header parsing. An attacker can cause the server to consume excessive resources and potentially crash by sending specially crafted requests that exploit this inefficiency.

Remediation

Upgrade rack to version 3.1.16 or higher.

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: rack
  • Introduced through: rack-test@2.2.0, rackup@2.2.1 and others

Detailed paths

  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive#e9e400c757f25b91cee98adf487eff825d23476f rack-test@2.2.0 rack@3.1.13
    Remediation: Upgrade to rack-test@2.2.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive#e9e400c757f25b91cee98adf487eff825d23476f rackup@2.2.1 rack@3.1.13
    Remediation: Upgrade to rackup@2.2.1.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive#e9e400c757f25b91cee98adf487eff825d23476f sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq@8.0.3.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive#e9e400c757f25b91cee98adf487eff825d23476f rspec-sidekiq@5.1.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to rspec-sidekiq@5.1.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive#e9e400c757f25b91cee98adf487eff825d23476f sidekiq-alive-next@3.2.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq-alive-next@3.2.0.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Rack::Multipart::Parser. An attacker can exhaust system memory and cause process termination or severe slowdown by sending multipart requests with headers that never terminate, leading to unbounded memory allocation.

Workaround

This vulnerability can be mitigated by restricting maximum request sizes at the proxy or web server layer, such as configuring Nginx with client_max_body_size.

Remediation

Upgrade rack to version 2.2.19, 3.1.17, 3.2.2 or higher.

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: rack
  • Introduced through: rack-test@2.2.0, rackup@2.2.1 and others

Detailed paths

  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive#e9e400c757f25b91cee98adf487eff825d23476f rack-test@2.2.0 rack@3.1.13
    Remediation: Upgrade to rack-test@2.2.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive#e9e400c757f25b91cee98adf487eff825d23476f rackup@2.2.1 rack@3.1.13
    Remediation: Upgrade to rackup@2.2.1.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive#e9e400c757f25b91cee98adf487eff825d23476f sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq@8.0.3.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive#e9e400c757f25b91cee98adf487eff825d23476f rspec-sidekiq@5.1.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to rspec-sidekiq@5.1.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive#e9e400c757f25b91cee98adf487eff825d23476f sidekiq-alive-next@3.2.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq-alive-next@3.2.0.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Rack::Multipart::Parser. An attacker can exhaust system memory by sending multipart form submissions with excessively large non-file fields, leading to process crashes or degraded performance due to memory exhaustion and increased garbage collection overhead.

Workaround

This vulnerability can be mitigated by restricting the maximum request body size at the web-server or proxy layer (such as configuring Nginx client_max_body_size) and by validating and rejecting unusually large form fields at the application level.

Remediation

Upgrade rack to version 2.2.19, 3.1.17, 3.2.2 or higher.

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: rack
  • Introduced through: rack-test@2.2.0, rackup@2.2.1 and others

Detailed paths

  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive#e9e400c757f25b91cee98adf487eff825d23476f rack-test@2.2.0 rack@3.1.13
    Remediation: Upgrade to rack-test@2.2.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive#e9e400c757f25b91cee98adf487eff825d23476f rackup@2.2.1 rack@3.1.13
    Remediation: Upgrade to rackup@2.2.1.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive#e9e400c757f25b91cee98adf487eff825d23476f sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq@8.0.3.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive#e9e400c757f25b91cee98adf487eff825d23476f rspec-sidekiq@5.1.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to rspec-sidekiq@5.1.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive#e9e400c757f25b91cee98adf487eff825d23476f sidekiq-alive-next@3.2.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq-alive-next@3.2.0.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Rack::Multipart::Parser. An attacker can cause excessive memory consumption and potential process termination by sending multipart/form-data requests with a large preamble, leading to significant memory spikes and possible denial of service. The impact increases with higher allowed request sizes and concurrency.

Workaround

This vulnerability can be mitigated by limiting the total request body size at the proxy or web server level and by monitoring memory usage and setting per-process memory limits to prevent out-of-memory conditions.

Remediation

Upgrade rack to version 2.2.19, 3.1.17, 3.2.2 or higher.

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: rack
  • Introduced through: rack-test@2.2.0, rackup@2.2.1 and others

Detailed paths

  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive#e9e400c757f25b91cee98adf487eff825d23476f rack-test@2.2.0 rack@3.1.13
    Remediation: Upgrade to rack-test@2.2.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive#e9e400c757f25b91cee98adf487eff825d23476f rackup@2.2.1 rack@3.1.13
    Remediation: Upgrade to rackup@2.2.1.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive#e9e400c757f25b91cee98adf487eff825d23476f sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq@8.0.3.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive#e9e400c757f25b91cee98adf487eff825d23476f rspec-sidekiq@5.1.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to rspec-sidekiq@5.1.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive#e9e400c757f25b91cee98adf487eff825d23476f sidekiq-alive-next@3.2.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq-alive-next@3.2.0.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling via the Rack::Request#POST process. An attacker can exhaust system memory by sending large application/x-www-form-urlencoded request bodies, causing application slowdowns or termination by the operating system due to out-of-memory conditions. This occurs before any parameter parsing or configured parsing limits are enforced, allowing unbounded memory allocation proportional to the request size and concurrency.

Workaround

This vulnerability can be mitigated by enforcing strict maximum body size at the proxy or web server layer, such as configuring Nginx client_max_body_size or Apache LimitRequestBody.

Remediation

Upgrade rack to version 3.2.3, 3.1.18, 2.2.20 or higher.

high severity

OS Command Injection

  • Vulnerable module: thor
  • Introduced through: solargraph@0.54.0

Detailed paths

  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive#e9e400c757f25b91cee98adf487eff825d23476f solargraph@0.54.0 thor@1.3.2
    Remediation: Upgrade to solargraph@0.54.0.

Overview

Affected versions of this package are vulnerable to OS Command Injection via the merge tool. An attacker can execute arbitrary commands by supplying crafted input that is improperly handled during the construction of commands.

Remediation

Upgrade thor to version 1.4.0 or higher.

medium severity

Information Exposure

  • Vulnerable module: rack
  • Introduced through: rack-test@2.2.0, rackup@2.2.1 and others

Detailed paths

  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive#e9e400c757f25b91cee98adf487eff825d23476f rack-test@2.2.0 rack@3.1.13
    Remediation: Upgrade to rack-test@2.2.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive#e9e400c757f25b91cee98adf487eff825d23476f rackup@2.2.1 rack@3.1.13
    Remediation: Upgrade to rackup@2.2.1.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive#e9e400c757f25b91cee98adf487eff825d23476f sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq@8.0.3.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive#e9e400c757f25b91cee98adf487eff825d23476f rspec-sidekiq@5.1.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to rspec-sidekiq@5.1.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive#e9e400c757f25b91cee98adf487eff825d23476f sidekiq-alive-next@3.2.0 sidekiq@8.0.3 rack@3.1.13
    Remediation: Upgrade to sidekiq-alive-next@3.2.0.

Overview

rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Affected versions of this package are vulnerable to Information Exposure in the Rack::Sendfile middleware when running behind a proxy that supports x-sendfile headers. An attacker can access internal endpoints intended to be protected by sending specially crafted x-sendfile-type or x-accel-mapping headers, causing the proxy to reissue internal requests that bypass access controls. This is only exploitable if the application uses Rack::Sendfile with a proxy supporting x-accel-redirect, the proxy does not always set or remove the x-sendfile-type and x-accel-mapping headers, and the application exposes an endpoint that returns a body responding to .to_path.

Workaround

This vulnerability can be mitigated by configuring the proxy to always set or strip the affected headers, or by disabling sendfile functionality in Rails applications.

Remediation

Upgrade rack to version 2.2.20, 3.1.18, 3.2.3 or higher.

medium severity

Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')

  • Vulnerable module: rexml
  • Introduced through: simplecov-cobertura@2.1.0 and solargraph@0.54.0

Detailed paths

  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive#e9e400c757f25b91cee98adf487eff825d23476f simplecov-cobertura@2.1.0 rexml@3.4.1
    Remediation: Upgrade to simplecov-cobertura@2.1.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive#e9e400c757f25b91cee98adf487eff825d23476f solargraph@0.54.0 kramdown@2.5.1 rexml@3.4.1
    Remediation: Upgrade to solargraph@0.54.0.
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive#e9e400c757f25b91cee98adf487eff825d23476f solargraph@0.54.0 kramdown-parser-gfm@1.1.0 kramdown@2.5.1 rexml@3.4.1
    Remediation: Upgrade to solargraph@0.54.0.

Overview

rexml is an XML toolkit for Ruby.

Affected versions of this package are vulnerable to Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') due to parsing XML. An attacker can cause excessive resource consumption and disrupt service availability by submitting specially crafted XML files containing multiple XML declarations.

Remediation

Upgrade rexml to version 3.4.2 or higher.

medium severity

LGPL-3.0 license

  • Module: sidekiq
  • Introduced through: sidekiq@8.0.3, rspec-sidekiq@5.1.0 and others

Detailed paths

  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive#e9e400c757f25b91cee98adf487eff825d23476f sidekiq@8.0.3
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive#e9e400c757f25b91cee98adf487eff825d23476f rspec-sidekiq@5.1.0 sidekiq@8.0.3
  • Introduced through: andrcuns/sidekiq-alive@andrcuns/sidekiq-alive#e9e400c757f25b91cee98adf487eff825d23476f sidekiq-alive-next@3.2.0 sidekiq@8.0.3
