An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1tODc1LTN4ZjYtbWY3OM4AAyeB

unpoly-rails Denial of Service vulnerability

There is a possible Denial of Service (DoS) vulnerability in the unpoly-rails gem that implements the Unpoly server protocol for Rails applications.


This issues affects Rails applications that operate as an upstream of a load balancer's that uses passive health checks.

The unpoly-rails gem echoes the request URL as an X-Up-Location response header. By making a request with exceedingly long URLs (paths or query string), an attacker can cause unpoly-rails to write a exceedingly large response header.

If the response header is too large to be parsed by a load balancer downstream of the Rails application, it may cause the load balancer to remove the upstream from a load balancing group. This causes that application instance to become unavailable until a configured timeout is reached or until an active healthcheck succeeds.


The fixed release is available via RubyGems and GitHub.


If you cannot upgrade to a fixed release, several workarounds are available:

Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 6 months ago
Updated: 6 months ago

CVSS Score: 5.9
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

Identifiers: GHSA-m875-3xf6-mf78, CVE-2023-28846

Affected Packages

Versions: <
Fixed in: