CVE-2021-22904 — Vulnetix

Try Vulnetix Request Demo

CVE-2021-22904 PUBLISHED

The actionpack ruby gem before 6.1.3.2, 6.0.3.7, 5.2.4.6, 5.2.6 suffers from a possible denial of service vulnerability in the Token Authentication logic in Action Controller due to a too permissive regular expression. Impacted code uses `authenticate_or_request_with_http_token` or `authenticate_with_http_token` for request authentication.

EPSS 8.20% · 92.1th percentile

Risk Scores

EPSS Score

8.20%

92.1th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:Pro:20.04:LTS	rails	2:5.2.3+dfsg-3ubuntu0.1~esm1, 2:5.2.3+dfsg-3, 2:5.2.2.1+dfsg-1ubuntu1
Ubuntu:24.04:LTS	rails	0, 2:6.1.7.3+dfsg-3, 2:6.1.7.3+dfsg-2build1
Ubuntu:25.10	rails	2:7.2.2.1+dfsg-7, 0, 2:6.1.7.3+dfsg-7
Ubuntu:Pro:22.04:LTS	rails	2:6.1.4.1+dfsg-8ubuntu2+esm1, 2:6.1.4.1+dfsg-8ubuntu2, 2:6.0.3.7+dfsg-2
Ubuntu:Pro:18.04:LTS	rails	2:4.2.9-2, 2:4.2.10-0ubuntu4, 2:4.2.10-0ubuntu4+esm1
Ubuntu:Pro:16.04:LTS	rails	2:4.2.6-1ubuntu0.1~esm1, 2:4.2.6-1ubuntu0.1~esm2, 2:4.2.5.1-1

Timeline

May 5, 2021 CVE Published
Jun 12, 2021 EPSS Score
Jan 6, 2022 EPSS Score
Feb 4, 2022 EPSS Score
Mar 20, 2022 EPSS Score
Mar 7, 2023 EPSS Score
Nov 21, 2024 CVE Updated
Mar 17, 2025 EPSS Score
Mar 21, 2025 EPSS Score
Mar 22, 2025 EPSS Score
Mar 23, 2025 EPSS Score
Mar 24, 2025 EPSS Score

References

https://ubuntu.com/security/CVE-2021-22904 third-party-advisory
https://github.com/rails/rails/commit/eab8c20f3ef6a022c4c11b439b1b22cef1768d5e third-party-advisory
https://github.com/rails/rails/commit/d861fa8ade353390c4419b53a6c6b41f3005b1f2 third-party-advisory
https://github.com/rails/rails/commit/3d9e9fdf14e044b3ba66f909582c228a9d4ffb5c third-party-advisory
https://www.cve.org/CVERecord?id=CVE-2021-22904 third-party-advisory

Open in Interactive Console →