Description
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser only wraps the request body in a BoundedIO when CONTENT_LENGTH is present. When a multipart/form-data request is sent without a Content-Length header, such as with HTTP chunked transfer encoding, multipart parsing continues until end-of-stream with no total size limit. For file parts, the uploaded body is written directly to a temporary file on disk rather than being constrained by the buffered in-memory upload limit. An unauthenticated attacker can therefore stream an arbitrarily large multipart file upload and consume unbounded disk space. This results in a denial of service condition for Rack applications that accept multipart form data. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Published: 2026-04-02
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Now
AI Analysis

Impact

Rack is a modular Ruby web server interface. In versions older than 2.2.23, 3.1.21, and 3.2.6 the multipart parser does not wrap the request body in a bounded stream when the request lacks a Content-Length header. Consequently, the parser streams the entire payload until the end of the stream, writing file parts directly to a temporary file on disk without any size limit. An attacker can therefore upload an arbitrarily large multipart file and exhaust available disk space, causing the application to become unresponsive.

Affected Systems

All Rack applications that use the rack library prior to the patched releases are affected. The vulnerability applies to deployments that accept multipart/form-data via the rack interface. The issue has been resolved in rack releases 2.2.23, 3.1.21, and 3.2.6.

Risk and Exploitability

The CVSS score of 7.5 indicates a high impact, and the vulnerability is exploitable by any user capable of sending HTTP requests; no authentication is required. Based on the description, it is inferred that an attacker can trigger the denial of service by sending a multipart/form-data request without a Content-Length header, such as using chunked transfer encoding. EPSS data is not available and the vulnerability is not yet listed in the CISA KEV catalog, but the combination of unauthenticated access and the ability to consume disk space makes this a serious risk for affected deployments.

Generated by OpenCVE AI on April 2, 2026 at 23:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Rack to at least version 2.2.23 for 2.x releases, 3.1.21 for 3.x releases, or 3.2.6 for the 3.2 branch
  • If an immediate update is not possible, configure the web server or Rack application to enforce an upload size limit or require the Content-Length header
  • Set up disk space monitoring and alerts to detect unusual consumption
  • If the application is behind a reverse proxy or load balancer that can reject oversized requests, enable that to pre-empt the attack
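The second recommended action (enforce an upload size limit or require Content-Length) applied at the Rack layer, as an added example that is not OpenCVE's or Rack's own code: a middleware that returns 413 for a declared oversize Content-Length and, for multipart requests with no Content-Length, wraps rack.input in a byte-counting reader that aborts once the parser pulls more than the cap, standing in for the BoundedIO the description says Rack only applies when CONTENT_LENGTH is present. The class names, the 10 MiB default cap, and the stand-in app and env are assumptions constructed for this demonstration.

```ruby
require "stringio"

# rack.input wrapper that counts the bytes the parser pulls and aborts past a cap,
# standing in for the BoundedIO Rack only applies when CONTENT_LENGTH is present.
class LimitedMultipartInput
  class TooLarge < StandardError; end
  def initialize(io, limit); @io, @limit, @read = io, limit, 0; end
  def rewind; @io.rewind; end

  # IO#read contract: read(nil) pulls to EOF, read(n) returns nil at EOF. Each underlying
  # read asks for at most (remaining allowance + 1) bytes, so an oversized chunked body
  # is refused before it is buffered in memory or spooled to a temporary file.
  def read(length = nil, buffer = nil)
    out = "".b
    loop do
      want = [length ? length - out.bytesize : @limit + 1, @limit - @read + 1].min
      chunk = @io.read(want)
      break if chunk.nil? || chunk.empty?
      out << chunk
      @read += chunk.bytesize
      raise TooLarge, "multipart body exceeded #{@limit} bytes" if @read > @limit
      break if length && out.bytesize >= length
    end
    return nil if out.empty? && length.to_i > 0
    buffer ? buffer.replace(out) : out
  end
end

# Middleware: reject a declared oversize length outright; cap undeclared (chunked) bodies.
class MultipartSizeGuard
  TOO_LARGE = [413, { "content-type" => "text/plain" }, ["Payload Too Large\n"]]
  def initialize(app, limit: 10 * 1024 * 1024); @app, @limit = app, limit; end # assumed default cap

  def call(env)
    if env["CONTENT_TYPE"].to_s.downcase.start_with?("multipart/form-data")
      return TOO_LARGE if env["CONTENT_LENGTH"] && env["CONTENT_LENGTH"].to_i > @limit
      env["rack.input"] = LimitedMultipartInput.new(env["rack.input"], @limit) unless env["CONTENT_LENGTH"]
    end
    @app.call(env)
  rescue LimitedMultipartInput::TooLarge
    TOO_LARGE
  end
end

# Constructed stand-ins: an app whose parser reads rack.input to EOF, and a hand-built env.
READ_TO_EOF_APP = ->(env) { [200, {}, ["read #{env["rack.input"].read.bytesize} bytes\n"]] }
def multipart_env(body, content_length: nil)
  env = { "CONTENT_TYPE" => "multipart/form-data; boundary=b", "rack.input" => StringIO.new(body) }
  env["CONTENT_LENGTH"] = content_length.to_s if content_length
  env
end
```

Mount it in config.ru with `use MultipartSizeGuard, limit: 10 * 1024 * 1024` ahead of the application; a chunked multipart body larger than the cap is cut off at the wrapper's read, so the parser never spools more than the cap to disk.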

Generated by OpenCVE AI on April 2, 2026 at 23:16 UTC.


Advisories

Source: GitHub GHSA
ID: GHSA-8vqr-qjwx-82mw
Title: Rack's multipart parsing without Content-Length header allows unbounded chunked file uploads

History

Fri, 03 Apr 2026 10:15:00 +0000

Type: First Time appeared
  Values added: Rack; Rack rack
Type: Vendors & Products
  Values added: Rack; Rack rack

Thu, 02 Apr 2026 20:30:00 +0000

Values added:

Description: same text as the Description section above
Title: Rack: Denial of Service via Unbounded Multipart File Upload Without Content-Length
Weaknesses: CWE-400, CWE-770
References: (none listed)
Metrics:
  cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T17:41:33.990Z

Reserved: 2026-03-30T20:52:53.284Z

Link: CVE-2026-34829

Vulnrichment

Updated: 2026-04-02T17:41:29.860Z

NVD

Status: Undergoing Analysis

Published: 2026-04-02T17:16:26.103

Modified: 2026-04-03T16:10:23.730

Link: CVE-2026-34829

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T09:18:23Z

Weaknesses