cvedb.io
CVE-2023-28846
MEDIUM · CVSS 5.9
EPSS exploitation probability: 0%
Published 2023-03-30T20:15:07.780 · Last modified 2026-06-17T05:48:54.227

Summary

Unpoly is a JavaScript framework for server-side web applications. There is a possible Denial of Service (DoS) vulnerability in the `unpoly-rails` gem that implements the Unpoly server protocol for Rails applications. This issue affects Rails applications that operate as an upstream of a load balancer that uses passive health checks. The `unpoly-rails` gem echoes the request URL as an `X-Up-Location` response header. By making a request with an exceedingly long URL (path or query string), an attacker can cause unpoly-rails to write an exceedingly large response header. If the response header is too large to be parsed by a load balancer downstream of the Rails application, it may cause the load balancer to remove the upstream from a load balancing group. This causes that application insta
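The failure mode above hinges on one header growing with attacker-controlled input. As an added, defender-side example (not code from unpoly-rails or the advisory), the Rack middleware below caps the byte size of the `X-Up-Location` response header and drops it when the cap is exceeded, so an over-long request URL is never echoed back as a header large enough to trip a downstream proxy's limit. The header name comes from the advisory; the middleware name, the 4 KiB default limit, the `X-Up-Location-Dropped` marker header and the echoing stand-in app are assumptions constructed for this illustration, and the middleware is a stop-gap in front of an unpatched app rather than the project's own fix.

```ruby
# Added example, not part of unpoly-rails. Rack-compatible middleware that
# bounds the X-Up-Location response header (header name from the advisory).
# No 'rack' gem is required: the middleware only relies on the call(env)
# -> [status, headers, body] convention.
class CapUpLocationHeader
  HEADER = "X-Up-Location"
  # Assumption: 4 KiB sits below the per-header limits most proxies and
  # load balancers ship with; tune it to the limit your own balancer enforces.
  DEFAULT_LIMIT = 4096

  def initialize(app, limit: DEFAULT_LIMIT)
    @app = app
    @limit = limit
  end

  def call(env)
    status, headers, body = @app.call(env)
    value = headers[HEADER]
    if value && value.bytesize > @limit
      # Drop rather than truncate: a cut-off URL is not a location the
      # client could safely act on, and a dropped header cannot overflow.
      headers.delete(HEADER)
      # Assumption: a small marker header so logs/detection can count events.
      headers["X-Up-Location-Dropped"] = "1"
    end
    [status, headers, body]
  end
end

# Constructed stand-in for the vulnerable app: mimics the behaviour the
# advisory describes by echoing the request URL into X-Up-Location.
ECHO_APP = lambda do |env|
  url = env["PATH_INFO"].to_s
  url += "?#{env['QUERY_STRING']}" unless env["QUERY_STRING"].to_s.empty?
  [200, { "Content-Type" => "text/html", "X-Up-Location" => url }, ["ok"]]
end

# Runs one request through the middleware and returns the response headers,
# so the effect of the cap can be inspected (and asserted on).
def response_headers_for(path, query = "", limit: CapUpLocationHeader::DEFAULT_LIMIT)
  app = CapUpLocationHeader.new(ECHO_APP, limit: limit)
  _status, headers, _body = app.call("PATH_INFO" => path, "QUERY_STRING" => query)
  headers
end

if $PROGRAM_NAME == __FILE__
  # A normal URL passes through unchanged.
  p response_headers_for("/users/1")
  # A constructed 10,000-byte query string exceeds the cap and is dropped.
  p response_headers_for("/users/1", "q=" + ("a" * 10_000))
end
```

In a Rails app this would be registered with `config.middleware.use` ahead of the layer that sets the header; the same idea applies to any header whose value is derived from the request URL. Pair it with a count of `X-Up-Location-Dropped` responses in your access logs to see whether over-long URLs are actually being sent.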

Affected products

unpoly — unpoly-rails


References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.