There is a possible Denial of Service (DoS) vulnerability in the unpoly-rails gem that implements the Unpoly server protocol for Rails applications.
This issues affects Rails applications that operate as an upstream of a load balancer's that uses passive health checks.
The unpoly-rails gem echoes the request URL as an X-Up-Location
response header. By making a request with exceedingly long URLs (paths or query string), an attacker can cause unpoly-rails to write a exceedingly large response header.
If the response header is too large to be parsed by a load balancer downstream of the Rails application, it may cause the load balancer to remove the upstream from a load balancing group. This causes that application instance to become unavailable until a configured timeout is reached or until an active healthcheck succeeds.
The fixed release 2.7.2.2+ is available via RubyGems and GitHub.
If you cannot upgrade to a fixed release, several workarounds are available:
X-Up-Location
headers set by unpoly-rails:
class ApplicationController < ActionController::Base
after_action :remove_redundant_up_location_header
private
def remove_redundant_up_location_header
if request.original_url == response.headers['X-Up-Location']
response.headers.delete('X-Up-Location')
end
end
end
{ "nvd_published_at": "2023-03-30T20:15:00Z", "cwe_ids": [ "CWE-400" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-03-30T22:58:38Z" }