---
engine: ruby
cve: 2008-3656
url: https://www.ruby-lang.org/en/news/2008/08/08/multiple-vulnerabilities-in-ruby/
title: Ruby WEBrick::HTTP::DefaultFileHandler DoS
date: 2008-08-08
description: |
  Algorithmic complexity vulnerability in the
  WEBrick::HTTPUtils.split_header_value function in
  WEBrick::HTTP::DefaultFileHandler in WEBrick in Ruby 1.8.5 and earlier, 1.8.6
  through 1.8.6-p286, 1.8.7 through 1.8.7-p71, and 1.9 through r18423 allows
  context-dependent attackers to cause a denial of service (CPU consumption)
  via a crafted HTTP request that is processed by a backtracking regular
  expression.
cvss_v2: 7.8
patched_versions:
  - ~> 1.8.6.287
  - ~> 1.8.7.72
  - ">= 1.9.0"