rails-security-deps-v1Certifiedv1.0.0

Ruby on Rails security dependency alerts

Dependency vulnerability alerts for Ruby on Rails (advisory; requires confirmation).

Protects against

Rule body

# Ruby on Rails security dependency alerts

Dependency-related security advisories. These instructions MUST NOT automatically edit dependency files.

Verb contract: WARN + CONFIRM + CHECK. No ALWAYS pinning or silent upgrades.

### CVE-2024-26143 — Rails ReDoS in Accept header parsing

Context: Malformed Accept headers with excessive alternation can cause catastrophic regex backtracking and deny service.
Source: https://nvd.nist.gov/vuln/detail/CVE-2024-26143

WHEN you detect `rails` in this project at a vulnerable version:

WARN the developer: ⚠️ CVE-2024-26143: rails may be vulnerable. Malformed Accept headers with excessive alternation can cause catastrophic regex backtracking and deny service. Patched versions: rails >=7.1.3.2

CHECK for dependency conflicts before proposing any upgrade:
Run: `bundle info rails`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:
1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---

### CVE-2024-26142 — Rails ReDoS in HTTP Token authentication

Context: Malformed HTTP token authentication headers can cause excessive regex backtracking and denial of service.
Source: https://nvd.nist.gov/vuln/detail/CVE-2024-26142

WHEN you detect `rails` in this project at a vulnerable version:

WARN the developer: ⚠️ CVE-2024-26142: rails may be vulnerable. Malformed HTTP token authentication headers can cause excessive regex backtracking and denial of service. Patched versions: rails >=7.1.3.2

CHECK for dependency conflicts before proposing any upgrade:
Run: `bundle info rails`

DO NOT modify dependency files without developer confirmation.

WHEN the developer confirms they want to upgrade:
1. Show the dependency tree output and identify conflicts
2. Propose a migration plan (including breaking changes) before editing files
3. Only then apply the upgrade

---