Dependency vulnerability alerts for Ruby on Rails (advisory; requires confirmation).
# Ruby on Rails security dependency alerts Dependency-related security advisories. These instructions MUST NOT automatically edit dependency files. Verb contract: WARN + CONFIRM + CHECK. No ALWAYS pinning or silent upgrades. ### CVE-2024-26143 — Rails ReDoS in Accept header parsing Context: Malformed Accept headers with excessive alternation can cause catastrophic regex backtracking and deny service. Source: https://nvd.nist.gov/vuln/detail/CVE-2024-26143 WHEN you detect `rails` in this project at a vulnerable version: WARN the developer: ⚠️ CVE-2024-26143: rails may be vulnerable. Malformed Accept headers with excessive alternation can cause catastrophic regex backtracking and deny service. Patched versions: rails >=7.1.3.2 CHECK for dependency conflicts before proposing any upgrade: Run: `bundle info rails` DO NOT modify dependency files without developer confirmation. WHEN the developer confirms they want to upgrade: 1. Show the dependency tree output and identify conflicts 2. Propose a migration plan (including breaking changes) before editing files 3. Only then apply the upgrade --- ### CVE-2024-26142 — Rails ReDoS in HTTP Token authentication Context: Malformed HTTP token authentication headers can cause excessive regex backtracking and denial of service. Source: https://nvd.nist.gov/vuln/detail/CVE-2024-26142 WHEN you detect `rails` in this project at a vulnerable version: WARN the developer: ⚠️ CVE-2024-26142: rails may be vulnerable. Malformed HTTP token authentication headers can cause excessive regex backtracking and denial of service. Patched versions: rails >=7.1.3.2 CHECK for dependency conflicts before proposing any upgrade: Run: `bundle info rails` DO NOT modify dependency files without developer confirmation. WHEN the developer confirms they want to upgrade: 1. Show the dependency tree output and identify conflicts 2. Propose a migration plan (including breaking changes) before editing files 3. Only then apply the upgrade ---
# Ruby on Rails security dependency alerts Dependency-related security advisories. These instructions MUST NOT automatically edit dependency files. Verb contract: WARN + CONFIRM + CHECK. No ALWAYS pinning or silent upgrades. ### CVE-2024-26143 — Rails ReDoS in Accept header parsing Context: Malformed Accept headers with excessive alternation can cause catastrophic regex backtracking and deny service. Source: https://nvd.nist.gov/vuln/detail/CVE-2024-26143 WHEN you detect `rails` in this project at a vulnerable version: WARN the developer: ⚠️ CVE-2024-26143: rails may be vulnerable. Malformed Accept headers with excessive alternation can cause catastrophic regex backtracking and deny service. Patched versions: rails >=7.1.3.2 CHECK for dependency conflicts before proposing any upgrade: Run: `bundle info rails` DO NOT modify dependency files without developer confirmation. WHEN the developer confirms they want to upgrade: 1. Show the dependency tree output and identify conflicts 2. Propose a migration plan (including breaking changes) before editing files 3. Only then apply the upgrade --- ### CVE-2024-26142 — Rails ReDoS in HTTP Token authentication Context: Malformed HTTP token authentication headers can cause excessive regex backtracking and denial of service. Source: https://nvd.nist.gov/vuln/detail/CVE-2024-26142 WHEN you detect `rails` in this project at a vulnerable version: WARN the developer: ⚠️ CVE-2024-26142: rails may be vulnerable. Malformed HTTP token authentication headers can cause excessive regex backtracking and denial of service. Patched versions: rails >=7.1.3.2 CHECK for dependency conflicts before proposing any upgrade: Run: `bundle info rails` DO NOT modify dependency files without developer confirmation. WHEN the developer confirms they want to upgrade: 1. Show the dependency tree output and identify conflicts 2. Propose a migration plan (including breaking changes) before editing files 3. Only then apply the upgrade ---