Description
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.select_best_encoding processes Accept-Encoding values with quadratic time complexity when the header contains many wildcard (*) entries. Because this method is used by Rack::Deflater to choose a response encoding, an unauthenticated attacker can send a single request with a crafted Accept-Encoding header and cause disproportionate CPU consumption on the compression middleware path. This results in a denial of service condition for applications using Rack::Deflater. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Published: 2026-04-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via CPU exhaustion
Action: Immediate Patch
AI Analysis

Impact

Rack is a modular Ruby web server interface. In versions prior to 2.2.23, 3.1.21, and 3.2.6, the method used to choose the response encoding is vulnerable to a quadratic time complexity attack when the Accept‑Encoding header contains many wildcard entries. An unauthenticated attacker can send a single request with a maliciously crafted Accept‑Encoding header and cause disproportionate CPU consumption in the compression middleware path. This results in a denial of service condition for any application that uses Rack::Deflater. The CVSS score of 5.3 indicates a moderate severity and the vulnerability is not listed in the known exploited vulnerabilities catalog.

Affected Systems

Ruby web applications that use the Rack library and enable the Rack::Deflater middleware are affected. The vulnerability exists in all older releases of Rack before versions 2.2.23, 3.1.21, and 3.2.6. Upgrading to the patched releases eliminates the problem.

Risk and Exploitability

The risk is moderate but the attack can be performed without authentication from anywhere on the internet by sending a specially crafted HTTP request. Although no EPSS score is available, the moderate CVSS score combined with the ability to trigger a CPU‑heavy loop makes the vulnerability potentially exploitable against poorly protected services. The lack of a KEV listing suggests no widespread exploitation yet, but the simple request‑based nature warrants prompt patching.

Generated by OpenCVE AI on April 2, 2026 at 22:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Rack library to at least version 2.2.23, 3.1.21, or 3.2.6, which contain the fix for the quadratic complexity issue.
  • Verify that the application is using the updated library and that Rack::Deflater is active.
  • If an immediate upgrade is not possible, consider disabling Rack::Deflater or limiting the Accept‑Encoding header length in the web server configuration to mitigate the impact.

Generated by OpenCVE AI on April 2, 2026 at 22:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-v569-hp3g-36wr Rack has quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header
History

Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1050
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 03 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Rack
Rack rack
Vendors & Products Rack
Rack rack

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.select_best_encoding processes Accept-Encoding values with quadratic time complexity when the header contains many wildcard (*) entries. Because this method is used by Rack::Deflater to choose a response encoding, an unauthenticated attacker can send a single request with a crafted Accept-Encoding header and cause disproportionate CPU consumption on the compression middleware path. This results in a denial of service condition for applications using Rack::Deflater. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Title Rack: Quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header
Weaknesses CWE-400
CWE-407
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Rack Rack
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T18:19:00.388Z

Reserved: 2026-03-26T16:22:29.034Z

Link: CVE-2026-34230

cve-icon Vulnrichment

Updated: 2026-04-02T18:56:48.670Z

cve-icon NVD

Status : Undergoing Analysis

Published: 2026-04-02T17:16:23.570

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-34230

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-02T16:41:21Z

Links: CVE-2026-34230 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-03T09:18:31Z

Weaknesses