CVE-2022-44566

7.5 HIGH

📋 TL;DR

This CVE describes a denial of service vulnerability in ActiveRecord's PostgreSQL adapter where providing integer values outside the 64-bit signed range causes PostgreSQL to perform slow sequential scans instead of efficient index scans. This affects Ruby on Rails applications using PostgreSQL with vulnerable ActiveRecord versions, potentially allowing attackers to degrade database performance.

💻 Affected Systems

Products:
  • Ruby on Rails ActiveRecord PostgreSQL adapter
Versions: ActiveRecord PostgreSQL adapter versions <7.0.4.1 and <6.1.7.1
Operating Systems: All operating systems running affected Ruby on Rails applications
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects applications using PostgreSQL database with ActiveRecord. Applications using other database adapters are not affected.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete database performance degradation leading to application unavailability, potentially affecting all users and causing extended downtime.

🟠

Likely Case

Significant database slowdown affecting application responsiveness, potentially causing partial service disruption for users.

🟢

If Mitigated

Minimal impact with proper query monitoring and rate limiting in place, though some performance degradation may still occur.

🌐 Internet-Facing: HIGH - Attackers can exploit this without authentication by crafting malicious requests to vulnerable endpoints.
🏢 Internal Only: MEDIUM - Internal users could still cause performance issues, but attack surface is more limited.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires finding endpoints that accept integer parameters that get passed to PostgreSQL queries. The technique is well-documented in public references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: ActiveRecord PostgreSQL adapter versions 7.0.4.1 and 6.1.7.1

Vendor Advisory: https://discuss.rubyonrails.org/t/cve-2022-44566-possible-denial-of-service-vulnerability-in-activerecords-postgresql-adapter/82119

Restart Required: Yes

Instructions:

1. Update your Gemfile to specify 'gem "activerecord", ">= 7.0.4.1"' or 'gem "activerecord", ">= 6.1.7.1"' depending on your Rails version.
2. Run 'bundle update activerecord'.
3. Restart your application server.

🔧 Temporary Workarounds

Input validation for integer parameters

all

Add validation to ensure integer parameters are within 64-bit signed range before passing to database queries

Query monitoring and rate limiting

all

Implement monitoring for slow queries and rate limiting on endpoints that accept integer parameters

🧯 If You Can't Patch

  • Implement strict input validation on all endpoints accepting integer parameters to reject values outside 64-bit signed range
  • Deploy database query monitoring with alerts for sequential scans on indexed columns and implement WAF rules to block suspicious parameter patterns
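The integer range check described in the workarounds above, as an added Ruby example (not code from the Rails project or the advisory). The helper names safe_int64 and rejected_int_params and the sample request parameters are assumptions for illustration.

```ruby
# Added example: reject request parameters that are not valid signed 64-bit
# integers (PostgreSQL bigint range) before they reach an ActiveRecord query.
# Intended as a stop-gap until activerecord is upgraded to a fixed version.

INT64_MIN = -(2**63)
INT64_MAX = 2**63 - 1

# Returns the parsed Integer when +value+ is a well-formed decimal integer
# inside the signed 64-bit range; returns nil otherwise (non-numeric input,
# embedded whitespace, or magnitude beyond bigint).
def safe_int64(value)
  str = value.to_s.strip
  return nil unless str.match?(/\A-?\d+\z/)
  n = Integer(str, 10)
  return nil if n < INT64_MIN || n > INT64_MAX
  n
end

# Checks each listed key present in a params-like Hash and returns the keys
# whose values fail safe_int64, so a controller can respond 400 for any of
# them instead of passing the value to the database.
def rejected_int_params(params, keys)
  keys.select { |k| params.key?(k) && safe_int64(params[k]).nil? }
end

if __FILE__ == $0
  # Constructed sample request parameters: "page" is one past INT64_MAX,
  # "limit" is exactly INT64_MIN and therefore still acceptable.
  params = {
    "id"    => "42",
    "page"  => "9223372036854775808",
    "limit" => "-9223372036854775808"
  }
  puts rejected_int_params(params, %w[id page limit]).inspect # => ["page"]
end
```

In a Rails controller this would sit in a before_action that renders a 400 when rejected_int_params is non-empty.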

🔍 How to Verify

Check if Vulnerable:

Check your Gemfile.lock for activerecord version and ensure it's not <7.0.4.1 (for Rails 7) or <6.1.7.1 (for Rails 6.1)

Check Version:

bundle list | grep activerecord

Verify Fix Applied:

After updating, verify activerecord version in Gemfile.lock is >=7.0.4.1 or >=6.1.7.1 and test that queries with out-of-range integers no longer cause sequential scans

📡 Detection & Monitoring

Log Indicators:

  • PostgreSQL logs showing sequential scans on indexed columns
  • Application logs showing slow query responses
  • Unusually large integer values in request parameters

Network Indicators:

  • Increased response times for database queries
  • Spikes in database CPU usage

SIEM Query:

source="postgresql" AND "sequential scan" AND duration>1000ms
