#VU53004 Use-after-free in Ruby on Rails

Published: 2021-05-10

Vulnerability identifier: #VU53004

Vulnerability risk: Medium


CVE-ID: CVE-2021-22904


Exploitation vector: Network

Exploit availability:

Vulnerable software:
Ruby on Rails
Universal components / Libraries / Scripting languages

Vendor: Rails


The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a use-after-free error in the Token Authentication logic in Action Controller. A remote attacker can send a specially crafted request and cause a denial of service condition on the target system. 

Install updates from vendor's website.

Vulnerable software versions

Ruby on Rails: 4.0.0 -

Fixed software versions


External links

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability