Upstream information
Description
Action Text brings rich text content and editing to Rails. Starting in version 6.0.0 and prior to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, and 7.2.1.1, there is a possible ReDoS vulnerability in the `plain_text_for_blockquote_node` helper in Action Text. Carefully crafted text can cause the `plain_text_for_blockquote_node` helper to take an unexpected amount of time, possibly resulting in a DoS vulnerability. All users running an affected release should either upgrade to versions 6.1.7.9, 7.0.8.5, 7.1.4.1, or 7.2.1.1 or apply the relevant patch immediately. As a workaround, users can avoid calling `plain_text_for_blockquote_node` or upgrade to Ruby 3.2. Ruby 3.2 has mitigations for this problem, so Rails applications using Ruby 3.2 or newer are unaffected. Rails 8.0.0.beta1 depends on Ruby 3.2 or greater and is therefore unaffected.
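As an added example (not part of the SUSE advisory or of the Rails project), the following Ruby script turns the version boundaries stated above into an audit check: it reads the actiontext gem version and the interpreter version out of a Gemfile.lock, decides whether the gem falls in an affected range, and applies the Ruby 3.2 exemption. The sample lockfile is constructed for the example, and the function names and the lockfile parsing regexes are my own assumptions; only the version thresholds come from the description.

```ruby
require "rubygems"

# Version boundaries exactly as stated in the advisory description.
FIRST_AFFECTED  = Gem::Version.new("6.0.0")
FIXED_VERSIONS  = %w[6.1.7.9 7.0.8.5 7.1.4.1 7.2.1.1]
                    .map { |v| Gem::Version.new(v) }.freeze
RUBY_MITIGATED_FROM = Gem::Version.new("3.2")

# Constructed sample Gemfile.lock (not from any real application); the
# actiontext release is below the 7.1 fix and the interpreter is below 3.2.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actiontext (7.1.3.4)
        actionpack (= 7.1.3.4)
        activerecord (= 7.1.3.4)
        nokogiri (>= 1.8.5)

  PLATFORMS
    x86_64-linux

  DEPENDENCIES
    rails (~> 7.1.3)

  RUBY VERSION
     ruby 3.1.4p223

  BUNDLED WITH
     2.5.6
LOCK

# True when an actiontext release is inside an affected range: at or above
# 6.0.0 and, within its major.minor series, below that series' fixed release.
def actiontext_affected?(version_string)
  v = Gem::Version.new(version_string)
  return false if v < FIRST_AFFECTED

  series = v.segments[0, 2]
  fix = FIXED_VERSIONS.find { |f| f.segments[0, 2] == series }
  if fix
    v < fix
  else
    # No fix listed for this series: 6.0.x never received one and stays
    # affected; series above the newest fix (8.0 and later) are unaffected.
    v < FIXED_VERSIONS.first
  end
end

# Ruby 3.2 and newer carry the regexp mitigations the advisory refers to.
def ruby_mitigated?(ruby_version_string)
  Gem::Version.new(ruby_version_string) >= RUBY_MITIGATED_FROM
end

# Extract the resolved actiontext version from the "specs:" block of a lockfile
# (top-level gems are indented by exactly four spaces in that block).
def actiontext_version_from_lockfile(lock_text)
  m = lock_text.match(/^    actiontext \(([^)]+)\)/)
  m && m[1]
end

# Extract the interpreter version recorded under "RUBY VERSION", dropping the
# patchlevel suffix (e.g. "3.1.4p223" -> "3.1.4").
def ruby_version_from_lockfile(lock_text)
  m = lock_text.match(/^RUBY VERSION\n\s+ruby (\d+\.\d+\.\d+)/)
  m && m[1]
end

# An installation is exposed only when the gem is in an affected range AND
# the interpreter predates the 3.2 mitigations.
def installation_vulnerable?(actiontext_version:, ruby_version:)
  actiontext_affected?(actiontext_version) && !ruby_mitigated?(ruby_version)
end

# Convenience wrapper for auditing a lockfile's text in one call.
def audit_lockfile(lock_text)
  gem_v  = actiontext_version_from_lockfile(lock_text)
  ruby_v = ruby_version_from_lockfile(lock_text)
  return { actiontext: nil, ruby: ruby_v, vulnerable: false } if gem_v.nil?

  { actiontext: gem_v, ruby: ruby_v,
    vulnerable: installation_vulnerable?(actiontext_version: gem_v,
                                         ruby_version: ruby_v.to_s) }
end

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  p audit_lockfile(text)
end
```

Run it with a path to a real Gemfile.lock, or with no argument to audit the constructed sample. A lockfile that pins no actiontext at all is reported as not vulnerable, since the helper cannot be present; a missing RUBY VERSION block is treated as unmitigated, which is the conservative reading.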
SUSE information
Overall state of this security issue: Resolved
This issue is currently rated as having moderate severity.
| CVSS detail | SUSE | 
|---|---|
| Base Score | 5.9 | 
| Vector | CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H | 
| Attack Vector | Network | 
| Attack Complexity | High | 
| Privileges Required | None | 
| User Interaction | None | 
| Scope | Unchanged | 
| Confidentiality Impact | None | 
| Integrity Impact | None | 
| Availability Impact | High | 
| CVSSv3 Version | 3.1 | 

| CVSS detail | CNA (GitHub) | 
|---|---|
| Base Score | 6.6 | 
| Vector | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X | 
| Attack Vector | Network | 
| Attack Complexity | Low | 
| Attack Requirements | None | 
| Privileges Required | None | 
| User Interaction | None | 
| Vulnerable System Confidentiality Impact | None | 
| Vulnerable System Integrity Impact | None | 
| Vulnerable System Availability Impact | High | 
| Subsequent System Confidentiality Impact | None | 
| Subsequent System Integrity Impact | None | 
| Subsequent System Availability Impact | None | 
| CVSSv4 Version | 4.0 | 
SUSE Security Advisories:
- openSUSE-SU-2024:14473-1, published Fri Nov 8 18:50:07 2024
- openSUSE-SU-2024:14479-1, published Sat Nov 9 18:49:26 2024
- openSUSE-SU-2025:15111-1, published Sun May 18 18:50:31 2025
- openSUSE-SU-2025:15124-1, published Sun May 18 18:50:31 2025
List of released packages
| Product(s) | Fixed package version(s) | References | 
|---|---|---|
| openSUSE Tumbleweed | | Patchnames: openSUSE-Tumbleweed-2024-14473 openSUSE-Tumbleweed-2024-14479 openSUSE-Tumbleweed-2025-15111 openSUSE-Tumbleweed-2025-15124 | 
SUSE Timeline for this CVE
CVE page created: Wed Oct 16 06:00:51 2024
CVE page last modified: Mon Oct 6 19:59:49 2025
