Impact
The vulnerability resides in Rack::Utils.get_byte_ranges, which parses the HTTP Range header without limiting the number of byte ranges it accepts. An attacker can supply an arbitrary number of overlapping ranges such as 0-0,0-0,0-0,…, causing the server to consume excessive CPU, memory, I/O, and bandwidth while it builds the response. The result is a denial of service on Rack file-serving paths that produce multipart range responses. The weakness corresponds to CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Excessively Large Amount of Memory). The impact is degradation or complete loss of service for the affected web application; there is no direct compromise of data confidentiality or integrity.
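A defensive middleware illustrating the mitigation idea, written as an added example rather than Rack's own code: it counts the byte-range specs in the Range header and, above an assumed cap (MAX_RANGES), drops the header so the downstream app serves the full resource instead of a multipart response. The stub app, the request hashes and the cap value are all constructed for this example.

```ruby
# Rack-style middleware that caps the number of byte-range specs per request.
# Added example, not Rack's own code; MAX_RANGES is an assumed default.
class RangeCountLimiter
  MAX_RANGES = 10

  def initialize(app, max_ranges: MAX_RANGES)
    @app = app
    @max_ranges = max_ranges
  end

  # Number of range specs in a "bytes=" Range header value; nil when the
  # header is absent or uses another unit (e.g. "items=0-5").
  def self.range_count(header)
    return nil unless header.is_a?(String) && header.start_with?("bytes=")
    header[6..].split(",").map(&:strip).reject(&:empty?).size
  end

  # RFC 9110 allows a server to ignore Range, so an over-long header is
  # removed from a copy of env and the request continues as a full GET.
  def call(env)
    count = self.class.range_count(env["HTTP_RANGE"])
    if count && count > @max_ranges
      env = env.dup
      env.delete("HTTP_RANGE")
    end
    @app.call(env)
  end
end

# Constructed downstream app: reports whether a Range header reached it.
STUB_APP = lambda do |env|
  body = env["HTTP_RANGE"] ? "partial:#{env['HTTP_RANGE']}" : "full"
  [200, { "content-type" => "text/plain" }, [body]]
end

# Build a minimal constructed Rack env and run it through the middleware.
def serve(range_header, max_ranges: RangeCountLimiter::MAX_RANGES)
  env = { "REQUEST_METHOD" => "GET", "PATH_INFO" => "/file.bin" }
  env["HTTP_RANGE"] = range_header if range_header
  RangeCountLimiter.new(STUB_APP, max_ranges: max_ranges).call(env)
end

if __FILE__ == $0
  puts serve("bytes=0-99,200-299")[2].first                    # partial:...
  puts serve("bytes=" + (["0-0"] * 1000).join(","))[2].first   # full
end
```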
Affected Systems
Rack versions prior to 2.2.23, 3.1.21, and 3.2.6 are affected. Any Ruby application or web server that uses the Rack interface and relies on one of those versions is at risk. The issue is fixed in the listed patched releases. No vendors or products other than Rack are enumerated, but any service that bundles an older Rack version would also be vulnerable.
Risk and Exploitability
The CVSS base score is 5.3, indicating a moderate-severity vulnerability. No EPSS score is available, and the vulnerability is not currently listed in the CISA KEV catalog. The attack can be executed remotely by crafting an HTTP request with a specially formed Range header, without authentication or elevated privileges. Because the condition is triggered by ordinary range requests that carry many ranges, a determined attacker could exhaust resources on high-traffic servers and render the application unavailable.