CVE-2024-0241

7.5 HIGH

📋 TL;DR

CVE-2024-0241 is an uncontrolled resource consumption vulnerability in encoded_id-rails gem versions before 1.0.0.beta2. Remote unauthenticated attackers can cause denial of service by sending HTTP requests with extremely long 'id' parameters. This affects all applications using vulnerable versions of the encoded_id-rails gem.

💻 Affected Systems

Products:
  • encoded_id-rails gem
Versions: All versions before 1.0.0.beta2
Operating Systems: Any OS running Ruby on Rails with encoded_id-rails gem
Default Config Vulnerable: ⚠️ Yes
Notes: Any Rails application using a vulnerable version of the encoded_id-rails gem is affected regardless of configuration.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete application unavailability due to resource exhaustion, potentially affecting all users and requiring a service restart.

🟠 Likely Case

Degraded performance or temporary service disruption for affected endpoints until the malicious requests stop.

🟢 If Mitigated

Minimal impact with proper rate limiting, input validation, and resource monitoring in place.

🌐 Internet-Facing: HIGH - Remote unauthenticated exploitation makes internet-facing applications particularly vulnerable.
🏢 Internal Only: MEDIUM - Internal attackers could still exploit it, but the attack surface is reduced compared to internet-facing deployments.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Simple HTTP request with long parameter makes exploitation trivial. No authentication required.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 1.0.0.beta2 and later

Vendor Advisory: https://github.com/stevegeek/encoded_id-rails/security/advisories/GHSA-3px7-jm2p-6h2c

Restart Required: Yes

Instructions:

1. Update the Gemfile to: gem "encoded_id-rails", ">= 1.0.0.beta2"
2. Run: bundle update encoded_id-rails
3. Restart the Rails application server

🔧 Temporary Workarounds

Input Length Validation

all

Add middleware or controller validation to limit 'id' parameter length

# In application_controller.rb or the relevant controller:
before_action :validate_id_length

# Reject the request before any encoded_id decoding runs. 1000 characters is a
# generous ceiling; legitimate encoded ids are far shorter, so tune it downward
# if your ids have a known maximum length.
def validate_id_length
  if params[:id] && params[:id].to_s.length > 1000
    render plain: 'Invalid request', status: :bad_request
  end
end
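The same length check can be applied one layer earlier, as Rack middleware, so an oversized id is refused before the router or encoded_id ever see it. This is an added example, not code from the advisory or the encoded_id-rails project; the 1000-character limit, the `IdLengthGuard` name and the `OK_APP` stand-in for the downstream application are assumptions.

```ruby
# Rack middleware that refuses requests carrying an oversized id (added
# example; limit and names are assumptions, not from the advisory).
class IdLengthGuard
  DEFAULT_MAX_LENGTH = 1000

  def initialize(app, max_length: DEFAULT_MAX_LENGTH)
    @app = app
    @max_length = max_length
  end

  def call(env)
    if self.class.oversized_id?(env, @max_length)
      return [400, { 'content-type' => 'text/plain' }, ['Invalid request']]
    end
    @app.call(env)
  end

  # True when a path segment (e.g. the :id in /users/:id) or an 'id' / '*_id'
  # query value exceeds max_length. Raw, still percent-encoded lengths are
  # compared, so no decoding work is spent on attacker input; the check is
  # conservative because decoding can only shorten a value.
  # Form bodies are not inspected here; the controller check covers those.
  def self.oversized_id?(env, max_length)
    path = env['PATH_INFO'].to_s
    return true if path.split('/').any? { |seg| seg.length > max_length }

    env['QUERY_STRING'].to_s.split('&').any? do |pair|
      key, value = pair.split('=', 2)
      next false if key.nil? || value.nil?
      (key == 'id' || key.end_with?('_id')) && value.length > max_length
    end
  end
end

# Hypothetical downstream app, so the guard can be exercised stand-alone.
OK_APP = ->(_env) { [200, { 'content-type' => 'text/plain' }, ['ok']] }

# Returns the HTTP status the guarded stack answers for a constructed request.
def guarded_status(path, query = '')
  env = { 'PATH_INFO' => path, 'QUERY_STRING' => query }
  IdLengthGuard.new(OK_APP).call(env).first
end

puts guarded_status('/users/abc123')                 # => 200
puts guarded_status('/users/' + ('A' * 2000))        # => 400
puts guarded_status('/users', 'id=' + ('A' * 2000))  # => 400
```

In a Rails app, register it early with `config.middleware.use IdLengthGuard` in config/application.rb so it runs ahead of routing.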

Rate Limiting

all

Implement rate limiting on affected endpoints to prevent DoS attacks

# Using the rack-attack gem:
# In config/initializers/rack_attack.rb
# Throttle to 100 requests per IP per 60 seconds on the affected endpoints.
# Replace /your_endpoint_path/ with the path(s) that look up records by encoded id.
Rack::Attack.throttle('requests by ip', limit: 100, period: 60) do |req|
  req.ip if req.path.match?(/\/your_endpoint_path\//)
end

🧯 If You Can't Patch

  • Implement Web Application Firewall (WAF) rules to block requests with extremely long 'id' parameters
  • Deploy reverse proxy with request size limits and timeout configurations

🔍 How to Verify

Check if Vulnerable:

Check Gemfile.lock for encoded_id-rails version: grep -A1 -B1 'encoded_id-rails' Gemfile.lock

Check Version:

bundle show encoded_id-rails

Verify Fix Applied:

Verify the installed version: bundle show encoded_id-rails | grep -oE '1\.0\.0\.beta[2-9]|1\.[0-9]+\.[0-9]+'

📡 Detection & Monitoring

Log Indicators:

  • Multiple 400/500 errors from the same IP with long parameter values
  • Increased memory/CPU usage on application servers
  • Request timeouts on endpoints using encoded_id

Network Indicators:

  • HTTP requests with 'id' parameters exceeding 1000 characters
  • High volume of requests to specific endpoints from single IP

SIEM Query:

source="rails_logs" AND ((message="*id=*" AND message.length>1000) OR status=500)

🔗 References