CVE-2022-30122

Name of the Vulnerable Software and Affected Versions Rack versions prior to 2.0.9.1 Rack versions prior to 2.1.4.1 Rack versions prior to 2.2.3.1

Description A possible denial of service vulnerability exists in the multipart parsing component of Rack. This issue is related to insufficient checking of user-input data when parsing composite POST requests. Exploitation of this vulnerability may allow a remote attacker to perform a denial of service (DoS) attack using a specially crafted POST request. The vulnerability can be triggered by carefully crafted multipart POST requests, causing Rack's multipart parser to take longer than expected.

Recommendations For Rack versions prior to 2.0.9.1, upgrade to version 2.0.9.1 or later. For Rack versions prior to 2.1.4.1, upgrade to version 2.1.4.1 or later. For Rack versions prior to 2.2.3.1, upgrade to version 2.2.3.1 or later. As a temporary workaround, consider restricting the use of the Rack::Multipart.parse multipart function until a patch is available. Avoid using the request.POST and request.params methods to read POST data from a Rack request object until the issue is resolved.