CVE-2026-34827

Name: CVE-2026-34827
Description: Rack is a modular Ruby web server interface. From version 3.0.0.beta1 up to (but not including) 3.1.21, and from 3.2.0 up to (but not including) 3.2.6, Rack::Multipart::Parser#handle_mime_head parses quoted multipart parameters such as Content-Disposition: form-data; name="..." using repeated String#index searches combined with String#slice! prefix deletion. For escape-heavy quoted values this causes super-linear processing. An unauthenticated attacker can send a crafted multipart/form-data request containing many parts with long backslash-escaped parameter values to trigger excessive CPU usage during multipart parsing, resulting in a denial of service in Rack applications that accept multipart form data. This issue has been patched in versions 3.1.21 and 3.2.6.
Source: CVE
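The super-linear pattern the description names, as an added illustration (this is not Rack's code and not the patched code; it models the pattern, not the exact calls Rack made): a simplified quoted-value parser that locates the next quote or backslash with String#index and deletes the consumed prefix with String#slice!, beside a single-pass cursor parser. Both return the decoded value, the unparsed remainder and a count of bytes examined. The Result struct, sample_disposition, work_for and the byte counting are assumptions of this example. Because the closing quote lies beyond every escape, the slicing parser rescans the whole tail once per escape, so its count grows as n² for n escapes while the cursor parser's grows as 2n.

```ruby
# Added example (not Rack's code): a find-then-slice! quoted-value loop beside a
# single-pass cursor loop, each counting the bytes it examines. Result,
# sample_disposition and work_for are helpers assumed for this example only.

Result = Struct.new(:value, :rest, :work)

# Pattern A: each iteration searches the remaining buffer from offset 0 for the
# closing quote and the next backslash, then removes the consumed prefix with
# String#slice!. The closing quote lies beyond every escape, so index('"')
# rescans the whole tail on each escape: n escapes in a value of length L cost
# roughly n * L byte comparisons.
def parse_quoted_slicing(str)
  rest = str.dup
  raise ArgumentError, 'expected opening quote' unless rest.start_with?('"')
  rest.slice!(0, 1)
  value = +''
  work = 0                                  # bytes examined so far
  loop do
    quote = rest.index('"')
    work += quote || rest.length            # index scanned up to the hit or the end
    raise ArgumentError, 'unterminated quoted value' if quote.nil?
    backslash = rest.index('\\')
    work += backslash || rest.length
    if backslash && backslash < quote       # an escape precedes the closing quote
      value << rest.slice!(0, backslash)    # literal run before the backslash
      rest.slice!(0, 1)                     # drop the backslash itself
      value << rest.slice!(0, 1)            # keep the escaped byte (may be a quote)
      work += backslash + 2
    else                                    # no escape left before the closing quote
      value << rest.slice!(0, quote)
      rest.slice!(0, 1)                     # drop the closing quote
      work += quote + 1
      return Result.new(value, rest, work)
    end
  end
end

# Pattern B: one cursor walks the string once; every byte is looked at once and
# nothing is copied or rescanned, so the cost is linear in the input length.
def parse_quoted_single_pass(str)
  raise ArgumentError, 'expected opening quote' unless str.start_with?('"')
  value = +''
  i = 1
  work = 0
  while i < str.length
    c = str[i]
    work += 1                               # one byte examined
    case c
    when '"'
      return Result.new(value, str[(i + 1)..], work)
    when '\\'
      escaped = str[i + 1]
      raise ArgumentError, 'dangling backslash' if escaped.nil?
      work += 1                             # the escaped byte
      value << escaped
      i += 2
    else
      value << c
      i += 1
    end
  end
  raise ArgumentError, 'unterminated quoted value'
end

# Constructed sample input shaped like the parameter tail the description
# mentions: "\a\a...\a"; filename="x.txt" with n backslash-escaped bytes.
def sample_disposition(n)
  "\"#{'\\a' * n}\"; filename=\"x.txt\""
end

# Bytes examined by each parser for n escapes: [slicing, single_pass].
# For this input the slicing count is n*n + 3n + 20 and the single-pass count
# is 2n + 1, so doubling n roughly quadruples the first and doubles the second.
def work_for(n)
  s = sample_disposition(n)
  [parse_quoted_slicing(s).work, parse_quoted_single_pass(s).work]
end

if __FILE__ == $0
  require 'benchmark'
  [500, 1000, 2000, 4000].each do |n|
    s = sample_disposition(n)
    t_slice = Benchmark.realtime { parse_quoted_slicing(s) }
    t_single = Benchmark.realtime { parse_quoted_single_pass(s) }
    a, b = work_for(n)
    printf("n=%5d  slicing: %9d bytes %.4fs   single-pass: %6d bytes %.4fs\n",
           n, a, t_slice, b, t_single)
  end
end
```

Run as a script it prints the byte counts and wall-clock time for growing n; the counts are deterministic, the times are only indicative. The fix direction this models is the cursor loop: keep an explicit offset into the buffer instead of shortening the buffer and searching from its start again.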

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package    Release               Version            Status
ruby-rack (PTS)   bullseye              2.1.4-3+deb11u2    vulnerable
                  bullseye (security)   2.1.4-3+deb11u5    vulnerable
                  bookworm              2.2.20-0+deb12u1   vulnerable
                  bookworm (security)   2.2.22-0+deb12u1   vulnerable
                  trixie                3.1.18-1~deb13u1   vulnerable
                  trixie (security)     3.1.20-0+deb13u1   vulnerable
                  forky                 3.1.18-1           vulnerable
                  sid                   3.2.5-2            vulnerable

The information below is based on the following data on fixed versions.

Package     Type     Release        Fixed Version   Urgency   Origin   Debian Bugs
ruby-rack   source   experimental   3.2.6-1
ruby-rack   source   (unstable)     (unfixed)

Notes

https://github.com/rack/rack/security/advisories/GHSA-v6x5-cg8r-vv6x
Fixed by: https://github.com/rack/rack/commit/bfb69142dbe2a1e3298ad52d12935938d1b58205 (v3.2.6)
Fixed by: https://github.com/rack/rack/commit/17ce7836be1523a7b453f3c06fe070ad7c954708 (v3.1.21)
