Severity: 5.3 MEDIUM (NVD)
EPSS: 0.1% (top 80.38%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products:
Timeline: Published Apr 2; Latest update Apr 17

Description

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.select_best_encoding processes Accept-Encoding values with quadratic time complexity when the header contains many wildcard (*) entries. Because this method is used by Rack::Deflater to choose a response encoding, an unauthenticated attacker can send a single request with a crafted Accept-Encoding header and cause disproportionate CPU consumption on the compression middleware path. This results

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Exploitability: 3.9 | Impact: 1.4

Affected Packages (2 packages)

- CVEList V5: rack/rack < 2.2.23 (+2)
- RubyGems: rack/rack >= 3.0.0.beta1, < 3.1.21 (+2)

Vulnerability Details (5)

- OSV: CVE-2026-34230: Rack is a modular Ruby web server interface (2026-04-03)
- GHSA: Rack has quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header (2026-04-02)
- OSV: Rack has quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header (2026-04-02)
- OSV: CVE-2026-34230: Rack is a modular Ruby web server interface (2026-04-02)
- CVEList: Rack: Quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header (2026-04-02)

Vendor Advisories (3)

- Ubuntu: Rack vulnerabilities (2026-04-17)
- Red Hat: rack: Rack: Denial of Service via crafted Accept-Encoding header (2026-04-02)
- Debian: CVE-2026-34230: ruby-rack - Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, a... (2026)

Threat Intelligence (1)

- Wiz: CVE-2026-34230 Impact, Exploitability, and Mitigation Steps | Wiz

CVE-2026-34230 — Uncontrolled Resource Consumption | cvebase