CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Description
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Multipart::Parser#handle_mime_head parses quoted multipart parameters such as Content-Disposition: form-data; name="..." using repeated String#index searches combined with String#slice! prefix deletion. For escape-heavy quoted values, this causes super-linear processing. An unauthenticated attacker can send a crafted multipart/form-data request containing many parts with long backslash-escaped parameter values to trigger excessive CPU usage during multipart parsing. This results in a denial of service condition in Rack applications that accept multipart form data. This issue has been patched in versions 3.1.21 and 3.2.6.
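As an added illustration (not Rack's code and not part of this advisory), a single-pass parser for Content-Disposition parameters that handles backslash-escaped quoted values with one cursor and no prefix deletion, so escape-heavy values cost linear time, plus a helper that checks a Rack version against the affected ranges given above. The names parse_disposition_params and rack_version_affected? are assumptions.

```ruby
require "rubygems" # Gem::Version

# Single-pass parser for the parameters of a Content-Disposition header,
# e.g. 'form-data; name="a\"b"; filename="x.txt"'. It walks the header with
# one cursor and never deletes a prefix from the buffer, so a value with many
# backslash escapes costs work proportional to its length. Illustrative code,
# not Rack's parser.
def parse_disposition_params(header)
  params = {}
  s = header
  i = s.index(";") or return params # no parameters after the disposition type
  i += 1
  n = s.length
  while i < n
    i += 1 while i < n && (s[i] == " " || s[i] == "\t")
    eq = s.index("=", i) or break
    key = s[i...eq].strip.downcase
    i = eq + 1
    if s[i] == '"'
      i += 1
      val = +""
      loop do
        raise ArgumentError, "unterminated quoted value for #{key}" if i >= n
        c = s[i]
        i += 1
        if c == "\\" # escaped character: take the next char literally
          raise ArgumentError, "dangling escape in #{key}" if i >= n
          val << s[i]
          i += 1
        elsif c == '"'
          break
        else
          val << c
        end
      end
    else
      stop = s.index(";", i) || n
      val = s[i...stop].strip
      i = stop
    end
    params[key] = val
    i += 1 if s[i] == ";"
  end
  params
end

# Affected ranges from the advisory: 3.0.0.beta1 up to (not including) 3.1.21,
# and 3.2.0 up to (not including) 3.2.6.
def rack_version_affected?(version)
  v = Gem::Version.new(version)
  (v >= Gem::Version.new("3.0.0.beta1") && v < Gem::Version.new("3.1.21")) ||
    (v >= Gem::Version.new("3.2.0") && v < Gem::Version.new("3.2.6"))
end
```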
Analysis
Denial of service via algorithmic complexity in the Rack multipart parser allows unauthenticated remote attackers to exhaust CPU resources by sending specially crafted multipart/form-data requests with backslash-heavy escaped parameter values. Affected versions are Rack 3.0.0.beta1 through 3.1.20 and 3.2.0 through 3.2.5; Rack is a core Ruby web server interface used across Rails and Sinatra applications. …
Remediation
Within 24 hours: Inventory all applications and services running affected Rack versions (3.0.0-3.1.20, 3.2.0-3.2.5) and assess production exposure. Within 7 days: Deploy the vendor-released patches immediately by upgrading to Rack 3.1.21 or 3.2.6, depending on the current version track, and test in staging environments before production rollout. …
EUVD-2026-18474
GHSA-v6x5-cg8r-vv6x