Skip to main content

Rack CVE-2026-34827

| EUVDEUVD-2026-18474 HIGH
Inefficient Algorithmic Complexity (CWE-407)
2026-04-02 GitHub_M GHSA-v6x5-cg8r-vv6x
7.5
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SUSE
HIGH
qualitative
Red Hat
7.5 HIGH
qualitative

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High

Lifecycle Timeline

5
Re-analysis Queued
Apr 24, 2026 - 12:52 vuln.today
cvss_changed
Patch released
Apr 03, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 02, 2026 - 17:30 euvd
EUVD-2026-18474
Analysis Generated
Apr 02, 2026 - 17:30 vuln.today
CVE Published
Apr 02, 2026 - 17:07 nvd
HIGH 7.5

DescriptionCVE.org

Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Multipart::Parser#handle_mime_head parses quoted multipart parameters such as Content-Disposition: form-data; name="..." using repeated String#index searches combined with String#slice! prefix deletion. For escape-heavy quoted values, this causes super-linear processing. An unauthenticated attacker can send a crafted multipart/form-data request containing many parts with long backslash-escaped parameter values to trigger excessive CPU usage during multipart parsing. This results in a denial of service condition in Rack applications that accept multipart form data. This issue has been patched in versions 3.1.21 and 3.2.6.

AnalysisAI

Denial of service via algorithmic complexity in Rack multipart parser allows unauthenticated remote attackers to exhaust CPU resources by sending specially crafted multipart/form-data requests with backslash-heavy escaped parameter values. Affects Rack 3.0.0.beta1-3.1.20 and 3.2.0-3.2.5, a critical Ruby web server interface used across Rails and Sinatra applications. CVSS 7.5 (High) with network-accessible attack vector and low complexity. Vendor-released patches available in versions 3.1.21 and 3.2.6. No public exploit identified at time of analysis, though EPSS data not provided to assess probability of exploitation.

Technical ContextAI

Rack serves as the foundational web server interface for Ruby applications, including Ruby on Rails and Sinatra frameworks. The vulnerability resides in Rack::Multipart::Parser#handle_mime_head, which processes Content-Disposition headers in multipart/form-data requests. The parser uses a String#index search combined with String#slice! for extracting quoted parameter values, creating a quadratic-time algorithm (CWE-407: Inefficient Algorithmic Complexity) when processing escape sequences. Each backslash in a quoted value forces the parser to scan incrementally through the string, with prefix deletion compounding the inefficiency. For input containing n escape sequences, this results in O(n²) time complexity. The affected component handles standard HTTP file uploads and form submissions, making it widely exposed in web applications accepting user-generated content.

RemediationAI

Vendor-released patches are available in Rack versions 3.1.21 and 3.2.6, which address the algorithmic complexity issue in multipart parameter parsing. Organizations should immediately upgrade to these patched versions based on their current release branch: upgrade to 3.1.21 if running the 3.0.x or 3.1.x series, or upgrade to 3.2.6 if running the 3.2.x series. For Ruby on Rails applications, update the Rack dependency in your Gemfile by specifying gem 'rack', '~> 3.1.21' or '~> 3.2.6' as appropriate, then run bundle update rack. For Sinatra and other Rack-based frameworks, apply the same Gemfile update process. After upgrading, verify the installed version with bundle show rack or gem list rack. If immediate patching is not feasible, consider temporary mitigations including strict request size limits for multipart uploads (reducing attack payload size), aggressive request timeouts for form processing (limiting CPU consumption per request), and rate limiting on upload endpoints (restricting attack frequency). Consult the official GitHub security advisory at https://github.com/rack/rack/security/advisories/GHSA-v6x5-cg8r-vv6x for additional vendor guidance and release notes.

More in Rack

View all
CVE-2026-22860 HIGH POC
7.5 Feb 18

Directory traversal in Rack versions prior to 2.2.22, 3.1.20, and 3.2.5 allows unauthenticated remote attackers to list

CVE-2024-26141 HIGH POC
7.5 Feb 29

Rack is a modular Ruby web server interface. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable,

CVE-2024-25126 HIGH POC
7.5 Feb 29

Rack is a modular Ruby web server interface. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable,

CVE-2020-8184 HIGH POC
7.5 Jun 19

A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 tha

CVE-2022-30123 CRITICAL
10.0 Dec 05

A sequence injection vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 which could allow is a possible shell

CVE-2025-25184 MEDIUM POC
5.7 Feb 12

Rack provides an interface for developing web applications in Ruby. Rated medium severity (CVSS 5.7), this vulnerability

CVE-2026-25500 MEDIUM POC
5.4 Feb 18

Rack's Directory module fails to sanitize filenames when generating HTML directory listings, allowing attackers to craft

CVE-2020-8161 HIGH
8.6 Jul 02

A directory traversal vulnerability exists in rack < 2.2.0 that allows an attacker perform directory traversal vulnerabi

CVE-2013-0263 MEDIUM
5.1 Feb 08

Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x

CVE-2025-46727 HIGH
7.5 May 07

Rack is a modular Ruby web server interface. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable,

CVE-2015-3225 MEDIUM
5.0 Jul 26

lib/rack/utils.rb in Rack before 1.5.4 and 1.6.x before 1.6.2, as used with Ruby on Rails 3.x and 4.x and other products

CVE-2025-59830 HIGH
7.5 Sep 25

Rack is a modular Ruby web server interface. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable,

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 16.1 Fixed
SUSE Linux Enterprise High Performance Computing 15 SP7 Fixed
SUSE Linux Enterprise Module for Public Cloud 15 SP7 Fixed

Share

CVE-2026-34827 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy