Impact
Rack, a modular Ruby web server interface, has a flaw in its multipart form data parser that lets an unauthenticated attacker drive CPU usage to extreme levels. The root cause is that the parser performs repeated string search operations on quoted multipart parameters, so processing time grows super-linearly with the number of backslash-escaped characters in a value. By sending a crafted multipart/form-data request containing many parts with long, escape-heavy values, an attacker can make the parser consume disproportionate CPU time and deny service to legitimate users.
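The cost pattern the advisory describes, as an added illustration that is not Rack's own code: both functions below strip backslash escapes from the body of a quoted multipart parameter (such as the value of a filename="..." attribute), but the first one locates each escape with a fresh search and rebuilds the string every time, while the second makes a single forward pass. The character counters are a constructed measure of work, not a timing of any real parser.

```ruby
# Added illustration, not Rack's code: why repeated string searches over a
# quoted multipart parameter go super-linear when the value is escape-heavy.
# Both functions return [unescaped_value, characters_scanned].

# Rescanning variant: each escape is found with a new search and the string
# is rebuilt to drop the backslash, so every escape costs O(n) and a value
# with n escapes costs O(n^2).
def unescape_rescanning(value)
  scanned = 0
  pos = 0
  s = value.dup
  while (i = s.index("\\", pos))
    scanned += i - pos + 1              # characters examined by this search
    s = s[0, i] + s[i + 1, s.length]    # rebuild without the backslash: O(n)
    scanned += s.length
    pos = i + 1                         # do not re-scan the escaped character
  end
  scanned += [s.length - pos, 0].max    # tail examined by the final search
  [s, scanned]
end

# Single-pass variant: one forward scan appending to an output buffer, so the
# cost is linear in the value length regardless of how many escapes it has.
def unescape_single_pass(value)
  scanned = 0
  out = +""
  i = 0
  while i < value.length
    if value[i] == "\\"
      out << (value[i + 1] || "")       # a trailing lone backslash is dropped
      scanned += 2
      i += 2
    else
      out << value[i]
      scanned += 1
      i += 1
    end
  end
  [out, scanned]
end

# Work done by each variant on a constructed value of n escaped quotes (\"),
# the shape of input an attacker would pack into many multipart parts.
def scan_cost(n)
  value = "\\\"" * n
  { rescanning: unescape_rescanning(value)[1],
    single_pass: unescape_single_pass(value)[1] }
end

if __FILE__ == $PROGRAM_NAME
  [100, 200, 400].each do |n|
    c = scan_cost(n)
    puts "n=#{n}: rescanning=#{c[:rescanning]} single_pass=#{c[:single_pass]}"
  end
end
```

Doubling n doubles the single-pass cost but roughly quadruples the rescanning cost; a request carrying many parts with values of a few hundred kilobytes each turns that growth into seconds of CPU per request.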
Affected Systems
The affected product is Rack, in versions from 3.0.0.beta1 up to but not including 3.1.21, and from 3.2.0 up to but not including 3.2.6. Any Ruby application that loads one of these releases, directly or through a framework built on Rack, is exposed to the denial-of-service condition until it is upgraded to 3.1.21, 3.2.6 or a later release.
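A check for the version ranges above, added here as an example and not part of the advisory: it encodes the two ranges as Gem::Requirement objects so that prerelease versions such as 3.0.0.beta1 compare correctly, and can be run inside an application process to test the Rack gem that is actually loaded.

```ruby
require "rubygems"

# Affected ranges copied from the advisory text (added example, not Rack's code).
AFFECTED_RACK_RANGES = [
  Gem::Requirement.new(">= 3.0.0.beta1", "< 3.1.21"),
  Gem::Requirement.new(">= 3.2.0", "< 3.2.6"),
].freeze

# True when the given version string falls inside an affected range.
# Gem::Version orders prereleases below the matching release, so
# "3.0.0.beta1" is included and "3.1.21" / "3.2.6" are excluded.
def rack_affected?(version_string)
  version = Gem::Version.new(version_string)
  AFFECTED_RACK_RANGES.any? { |req| req.satisfied_by?(version) }
end

# Inspect the rack gem loaded into the current process (e.g. from a Rails
# console). Returns a short status string rather than printing it.
def installed_rack_status
  spec = Gem.loaded_specs["rack"]
  return "rack is not loaded in this process" unless spec

  if rack_affected?(spec.version.to_s)
    "rack #{spec.version} is in an affected range; upgrade to 3.1.21 or 3.2.6"
  else
    "rack #{spec.version} is outside the affected ranges"
  end
end

if __FILE__ == $PROGRAM_NAME
  %w[2.2.18 3.0.0.beta1 3.1.20 3.1.21 3.2.5 3.2.6].each do |v|
    puts "#{v}: #{rack_affected?(v) ? 'affected' : 'not affected'}"
  end
  puts installed_rack_status
end
```

For a deployed application, compare against the version pinned in Gemfile.lock as well as the one reported in-process, since a lockfile that has not been regenerated after upgrading can leave the old release in use.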
Risk and Exploitability
The CVSS base score of 7.5 (High) reflects the severity; no EPSS data is available and the issue is not listed in the CISA KEV catalog. The attack vector is remote and unauthenticated, requiring only the ability to send HTTP requests to the application. Successful exploitation does not expose or corrupt data, but it can severely degrade availability by monopolizing CPU on the server. Note that no upload form is needed: any endpoint that reads POST parameters invokes the multipart parser when the request carries a multipart/form-data Content-Type. In the absence of publicly released exploit code, the risk is determined mainly by whether a vulnerable Rack version is deployed and whether the application is reachable from the Internet.
OpenCVE Enrichment: Github GHSA