Taiphung217

Name of the Vulnerable Software and Affected Versions Rack versions 3.0.0.beta1 through 3.1.21 and versions 3.2.0 through 3.2.6 Description Rack’s `Rack::Multipart::Parser#handle mime head` function parses quoted multipart parameters using repeated `String#index` searches and `String#slice!` operations. This can lead to super-linear processing when handling escape-heavy quoted values. An unauthenticated attacker can send a crafted `multipart/form-data` request with numerous parts containing long, backslash-escaped parameter values to cause excessive CPU usage during multipart parsing, resulting in a denial of service. The vulnerability lies in how the parser handles the `Content-Disposition` header, specifically the `name` attribute within `multipart/form-data` requests. The repeated searching and slicing operations become computationally expensive with heavily escaped strings. The issue affects Rack applications that accept multipart form data. An attacker can exploit this by sending a request with many parts, each containing a `name` parameter with a long string of backslash-escaped characters. This causes the parser to perform a disproportionate amount of CPU work, potentially leading to service degradation or denial of service. Recommendations Update to Rack version 3.1.21 or 3.2.6 or later.

**Name of the Vulnerable Software and Affected Versions** Rack versions prior to 2.2.14, 3.0.16, and 3.1.14 **Description** Rack is a modular Ruby web server interface. The `Rack::QueryParser` parses query strings and `application/x-www-form-urlencoded` bodies into Ruby data structures without imposing any limit on the number of parameters, allowing attackers to send requests with extremely large numbers of parameters. This allows an attacker to send a single request containing hundreds of thousands (or more) of parameters, which consumes excessive memory and CPU during parsing. An attacker can trigger denial of service by sending specifically crafted HTTP requests, which can cause memory exhaustion or pin CPU resources, stalling or crashing the Rack server. This results in full service disruption until the affected worker is restarted. **Recommendations** To resolve the issue, update to a version of Rack that limits the number of parameters parsed, such as version 2.2.14, 3.0.16, or 3.1.14. Alternatively, use middleware to enforce a maximum query string size or parameter count. Employ a reverse proxy (such as Nginx) to limit request sizes and reject oversized query strings or bodies. Limiting request body sizes and query string lengths at the web server or CDN level is an effective mitigation.

**Name of the Vulnerable Software and Affected Versions** D-Tale versions prior to 3.16.1 **Description** D-Tale is a visualizer for pandas data structures. Users hosting D-Tale publicly can be vulnerable to remote code execution, allowing attackers to run malicious code on the server. The `update-settings` endpoint is involved, specifically the ability for users to update the `enable custom filters` flag. **Recommendations** For versions prior to 3.16.1, the only workaround is to host D-Tale only to trusted users. For all affected versions, users should upgrade to version 3.16.1, where the `update-settings` endpoint blocks the ability for users to update the `enable custom filters` flag.