CVE-2026-34230

NameCVE-2026-34230
DescriptionRack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.select_best_encoding processes Accept-Encoding values with quadratic time complexity when the header contains many wildcard (*) entries. Because this method is used by Rack::Deflater to choose a response encoding, an unauthenticated attacker can send a single request with a crafted Accept-Encoding header and cause disproportionate CPU consumption on the compression middleware path. This results in a denial of service condition for applications using Rack::Deflater. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ruby-rack (PTS)bullseye2.1.4-3+deb11u2vulnerable
bullseye (security)2.1.4-3+deb11u5vulnerable
bookworm2.2.20-0+deb12u1vulnerable
bookworm (security)2.2.22-0+deb12u1vulnerable
trixie3.1.18-1~deb13u1vulnerable
trixie (security)3.1.20-0+deb13u1vulnerable
forky3.1.18-1vulnerable
sid3.2.5-2vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ruby-racksourceexperimental3.2.6-1
ruby-racksource(unstable)(unfixed)

Notes

https://github.com/rack/rack/security/advisories/GHSA-v569-hp3g-36wr
Fixed by: https://github.com/rack/rack/commit/8bf0c2eb5936eb79207f3a0be63196e7726bcb0a (v3.2.6)
Fixed by: https://github.com/rack/rack/commit/55db26e7f43d3d45e1476f02ada75e0503abc2f1 (v3.1.21)
Fixed by: https://github.com/rack/rack/commit/8d6a0e1088a6e00259bd525506a9c4b1b69f675b (v2.2.23)
Search for package or bug name: Reporting problems