Description
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.select_best_encoding processes Accept-Encoding values with quadratic time complexity when the header contains many wildcard (*) entries. Because this method is used by Rack::Deflater to choose a response encoding, an unauthenticated attacker can send a single request with a crafted Accept-Encoding header and cause disproportionate CPU consumption on the compression middleware path. This results in a denial of service condition for applications using Rack::Deflater. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Published: 2026-04-02
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

Rack::Utils.select_best_encoding operates with quadratic time complexity when parsing Accept-Encoding headers that contain many wildcard (*) entries. The method is called by the Rack::Deflater middleware to decide which compression format to use for responses. An unauthenticated attacker can construct a single HTTP request with a crafted Accept-Encoding header that forces Rack::Deflater to exercise the quadratic algorithm, exhausting CPU resources. The result is a denial‑of‑service condition for any application that relies on Rack::Deflater, as legitimate requests may be delayed or dropped.

Affected Systems

The issue affects any Ruby web application that uses the Rack library prior to release 2.2.23, 3.1.21, or 3.2.6. The vulnerability is documented by the rack:rack CNA. Upgrading to the corresponding patch release or later eliminates the vulnerability.

Risk and Exploitability

The CVSS score of 5.3 reflects moderate severity; the EPSS score of less than 1% and the absence from the CISA KEV list suggest a low probability of widespread exploitation. Nevertheless the flaw is remote and unauthenticated, requires only a single crafted HTTP request, and can cause immediate service disruption when the vulnerable Rack version is in use.

Generated by OpenCVE AI on April 4, 2026 at 04:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update Rack to version 2.2.23, 3.1.21, or 3.2.6 (or newer) depending on your application's major version.
  • If immediate upgrade is impractical, temporarily remove or disable the Rack::Deflater middleware until the patch is applied.

Generated by OpenCVE AI on April 4, 2026 at 04:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-v569-hp3g-36wr Rack has quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header
Ubuntu USN Ubuntu USN USN-8182-1 Rack vulnerabilities
History

Thu, 16 Apr 2026 17:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*

Sat, 04 Apr 2026 01:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-1050
References
Metrics threat_severity

None

 threat_severity

Moderate

Fri, 03 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 03 Apr 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Rack
Rack rack
Vendors & Products Rack
Rack rack

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
Description Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.select_best_encoding processes Accept-Encoding values with quadratic time complexity when the header contains many wildcard (*) entries. Because this method is used by Rack::Deflater to choose a response encoding, an unauthenticated attacker can send a single request with a crafted Accept-Encoding header and cause disproportionate CPU consumption on the compression middleware path. This results in a denial of service condition for applications using Rack::Deflater. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Title Rack: Quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header
Weaknesses CWE-400
CWE-407
References
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L'}

Subscriptions

Rack Rack
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-03T18:19:00.388Z

Reserved: 2026-03-26T16:22:29.034Z

Link: CVE-2026-34230

cve-icon Vulnrichment

Updated: 2026-04-02T18:56:48.670Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-02T17:16:23.570

Modified: 2026-04-16T17:27:43.037

Link: CVE-2026-34230

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-02T16:41:21Z

Links: CVE-2026-34230 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-07T07:56:02Z

Weaknesses