CVE-2026-34831

EUVD-2026-18392 | Severity: MEDIUM (CVSS 3.1 base score 4.8)

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Patch Released: Apr 03, 2026 - 02:30 (source: nvd) - patch available
Analysis Generated: Apr 02, 2026 - 17:22 (source: vuln.today)
EUVD ID Assigned: Apr 02, 2026 - 17:22 (source: euvd) - EUVD-2026-18392
CVE Published: Apr 02, 2026 - 17:16 (source: nvd) - MEDIUM 4.8

Description

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Files#fail sets the Content-Length response header using String#size instead of String#bytesize. When the response body contains multibyte UTF-8 characters, the declared Content-Length is smaller than the number of bytes actually sent on the wire. Because Rack::Files reflects the requested path in 404 responses, an attacker can trigger this mismatch by requesting a non-existent path containing percent-encoded UTF-8 characters. This results in incorrect HTTP response framing and may cause response desynchronization in deployments that rely on the incorrect Content-Length value. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.

Analysis

HTTP response desynchronization in Rack web server framework versions prior to 2.2.23, 3.1.21, and 3.2.6 allows remote attackers to cause Content-Length header mismatches by requesting non-existent paths with percent-encoded UTF-8 characters. The vulnerability stems from Rack::Files#fail using String#size instead of String#bytesize when setting Content-Length, causing declared header values to be smaller than actual bytes transmitted, potentially leading to response framing errors and information disclosure in deployments sensitive to Content-Length validation. …
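The Description and Analysis above both come down to one measurement error: a Content-Length computed with String#size counts characters, while the wire carries bytes. The following is an added example, not Rack's own code and not the patched Rack::Files implementation. It builds a constructed 404 body that reflects a decoded request path (the body text and the helper names are assumptions, not Rack's template), computes the header both ways, and includes a framing check of the kind a middleware or test suite could apply to any Rack response triple to catch a declared length that disagrees with the bytes actually sent.

```ruby
# Added example (not Rack's code): character count vs byte count in Content-Length,
# plus a consistency check for Rack-style [status, headers, body] responses.
require 'uri'

# Vulnerable pattern: length measured in characters (String#size).
def content_length_by_chars(body)
  body.size.to_s
end

# Corrected pattern: length measured in bytes (String#bytesize), which is what
# the client will actually read from the socket.
def content_length_by_bytes(body)
  body.bytesize.to_s
end

# Constructed 404 body that echoes the percent-decoded request path.
# This mimics the shape of a "file not found" page; it is not Rack's template.
def not_found_body(request_path)
  decoded = URI.decode_www_form_component(request_path) # yields a UTF-8 string
  "File not found: #{decoded}\n"
end

# Response built the vulnerable way: header derived from String#size.
def vulnerable_response(request_path)
  body = not_found_body(request_path)
  headers = { 'content-type' => 'text/plain; charset=utf-8',
              'content-length' => content_length_by_chars(body) }
  [404, headers, [body]]
end

# Response built the corrected way: header derived from String#bytesize.
def patched_response(request_path)
  body = not_found_body(request_path)
  headers = { 'content-type' => 'text/plain; charset=utf-8',
              'content-length' => content_length_by_bytes(body) }
  [404, headers, [body]]
end

# Bytes on the wire minus the declared Content-Length. 0 means the framing is
# consistent; a positive value means bytes beyond the declared length would be
# sent after the client believes the response has ended.
def framing_gap(response)
  _status, headers, body_parts = response
  actual_bytes = body_parts.sum(&:bytesize)
  return 0 unless headers.key?('content-length')
  actual_bytes - Integer(headers['content-length'])
end

# Defensive check suitable for a middleware or a test: true when the declared
# length matches the body, or when no Content-Length is declared at all.
def consistent_framing?(response)
  framing_gap(response).zero?
end

if __FILE__ == $0
  sample_path = '/%C3%A9t%C3%A9' # constructed sample: "/été" percent-encoded
  vuln = vulnerable_response(sample_path)
  fixed = patched_response(sample_path)
  puts "body bytes: #{vuln[2].join.bytesize}, chars: #{vuln[2].join.size}"
  puts "vulnerable header: #{vuln[1]['content-length']}, gap: #{framing_gap(vuln)}"
  puts "patched header:    #{fixed[1]['content-length']}, gap: #{framing_gap(fixed)}"
end
```

Run it with a plain `ruby` invocation: for the constructed path the body is 21 characters but 23 bytes, so the vulnerable header under-declares by two bytes while the patched header matches. An ASCII-only path produces no gap either way, which is why the defect only surfaces when the reflected path carries multibyte characters.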


Priority Score

24 (scale: Low / Medium / High / Critical)
KEV: 0
EPSS: +0.0
CVSS: +24
POC: 0


CVE-2026-34831 vulnerability details – vuln.today
