# CVE-2026-34829

Published: 2026-04-02
Priority: P3 (47, high)
CVSS 3.1 base score: 7.5 (High), vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.37% (28.7th percentile)
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser only wraps the request body in a BoundedIO when CONTENT_LENGTH is present. When a multipart/form-data request is sent without a Content-Length header, such as with HTTP chunked transfer encoding, multipart parsing continues until end-of-stream with no total size limit. For file parts, the uploaded body is written directly to a temporary file on disk rather than being constrained by the buffered in-memory upload limit. An unauthenticated attacker can therefore stream an arbitrarily large multipart file upload and consume unbounded disk space. This results in a denial of service condition for Rack applications that accept multipart form data. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
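The defect described above is that the byte cap is tied to the presence of `CONTENT_LENGTH` rather than to the bytes actually read. As an added illustration (not Rack's own code or its patch), the following Rack-style middleware wraps `rack.input` in a reader that counts every byte delivered and stops the parser at a cap, so a chunked multipart upload with no Content-Length cannot be read to end-of-stream; `BoundedInput`, `MultipartBodyCap`, `BodyTooLarge` and the limit value are hypothetical names chosen here.

```ruby
require "stringio"

# Raised once a body stream delivers more bytes than the configured cap.
class BodyTooLarge < StandardError; end

# Hypothetical byte-capped wrapper around a Rack input stream: it counts every
# byte actually read, so the cap holds even with no Content-Length (chunked).
class BoundedInput
  def initialize(io, limit)
    @io, @limit, @read = io, limit, 0
  end
  # read(nil) is clamped to remaining allowance + 1 bytes, so an oversized
  # body is never buffered in full before the cap fires.
  def read(length = nil, outbuf = nil)
    want = length || (@limit - @read + 1)
    data = outbuf ? @io.read(want, outbuf) : @io.read(want)
    data = "" if data.nil? && length.nil?   # read(nil) at EOF returns ""
    account(data)
  end
  def gets
    account(@io.gets)
  end
  def rewind
    @io.rewind
    @read = 0
  end

  private
  def account(data)
    return data if data.nil?
    @read += data.bytesize
    raise BodyTooLarge, "multipart body exceeds #{@limit} bytes" if @read > @limit
    data
  end
end

# Hypothetical middleware: multipart requests arriving without Content-Length
# get the capped reader; a declared Content-Length above the cap is refused.
class MultipartBodyCap
  def initialize(app, limit:)
    @app, @limit = app, limit
  end
  def call(env)
    if env["CONTENT_TYPE"].to_s.downcase.start_with?("multipart/form-data")
      len = env["CONTENT_LENGTH"]
      return [413, { "content-type" => "text/plain" }, ["Payload Too Large"]] if len && len.to_i > @limit
      env["rack.input"] = BoundedInput.new(env["rack.input"], @limit) if len.nil?
    end
    @app.call(env)
  end
end
```

The downstream application (or multipart parser) sees an exception the moment the cap is crossed, which is the point at which the pre-fix parser would instead keep writing to the temporary file.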
## Affected

| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ruby-rack | < ruby-rack 3.2.6-2 (sid) | ruby-rack 3.2.6-2 (sid) |
| rack | rack | < 2.2.23 | 2.2.23 |
| rack | rack | >= 0 < 2.2.23 | 2.2.23 |
| rack | rack | >= 3.0.0 < 3.1.21 | 3.1.21 |
| rack | rack | >= 3.0.0.beta1 < 3.1.21 | 3.1.21 |
| rack | rack | >= 3.2.0 < 3.2.6 | 3.2.6 |
## CVSS provenance

| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |
| vendor_ubuntu | | 3.7 | LOW | |
## Sources

### OSV
CVE-2026-34829 [HIGH], CVSS 7.5, entries dated 2026-04-02 and 2026-04-03
Rack's multipart parsing without Content-Length header allows unbounded chunked file uploads

### GHSA
CVE-2026-34829 [HIGH], CWE-400, 2026-04-02
Rack's multipart parsing without Content-Length header allows unbounded chunked file uploads
### Ubuntu
CVE-2026-26962 [LOW], CVSS 3.7, vendor_ubuntu, 2026-04-17
Title: Rack vulnerabilities
Summary: Several security issues were fixed in Rack.

Andrew Lacambra discovered that Rack did not properly parse certain regular expressions. An attacker could possibly use this issue to bypass network security filters. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS, and Ubuntu 25.10. (CVE-2026-26961)

William T. Nelson discovered that Rack did not handle multipart headers correctly. An attacker could possibly use this issue to cause downstream parsing issues or a denial of service. This issue only affected Ubuntu 25.10. (CVE-2026-26962)

It was discovered that Rack did not handle the Forwarded header correctly. An attacker could possibly use this issue to manipulate header values. This issue only affected Ubuntu 25.10. (CVE-2026
### Red Hat
CVE-2026-34829 [HIGH], CWE-770, CVSS 7.5, vendor_redhat, 2026-04-02
rack: Rack: Denial of Service via unbounded multipart file upload
### Debian
CVE-2026-34829 [HIGH], CVSS 7.5, vendor_debian, 2026
CVE-2026-34829: ruby-rack - Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, a...
No detection rules found.
No public exploits indexed.