PT-2026-29817 · Rack+3

Th4S1S · Published 2026-04-02 · Updated 2026-05-13 · CVE-2026-34829

CVSS v3.1: 7.5 High · Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions
Rack versions prior to 2.2.23, 3.1.21, and 3.2.6
Description
Rack's Rack::Multipart::Parser does not limit the size of multipart uploads when a Content-Length header is not present, as is the case with HTTP chunked transfer encoding. When processing a multipart/form-data request without a Content-Length header, the parser keeps reading until the end of the stream with no size limit. For file parts, the uploaded data is written directly to a temporary file and is not constrained by the in-memory upload limit. An unauthenticated attacker can therefore stream an arbitrarily large file upload, potentially consuming unbounded disk space and causing a denial of service. The parser wraps the input in BoundedIO only when content_length is not nil:
io = BoundedIO.new(io, content_length) if content_length
Recommendations
Update to a fixed release of the Rack branch in use: 2.2.23 or later (2.2.x), 3.1.21 or later (3.1.x), or 3.2.6 or later (3.2.x).
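Added example, not part of this advisory and not Rack's own code: a small Rack middleware that supplies the bound the parser lacks, capping the bytes an application can read from a request body that arrives without Content-Length. The LimitedInput and ChunkedBodyLimit names, the 8 MiB default and the 413 response are assumptions made for this example.

```ruby
require "stringio"

# Added example, not Rack's own code: a middleware that caps how many bytes an
# app can read from the request body when no Content-Length header is present
# (e.g. chunked transfer encoding). Rack's parser wraps rack.input in BoundedIO
# only when content_length is known, so this supplies the missing bound.
class BodyTooLarge < StandardError; end

# Wraps rack.input and raises once more than +limit+ bytes have been consumed.
# (A full rack.input also needs gets/each; they would account bytes the same way.)
class LimitedInput
  def initialize(io, limit)
    @io, @limit, @bytes_read = io, limit, 0
  end

  # Pull at most the remaining allowance plus one byte, so an unbounded
  # read(nil) cannot buffer a huge body before the check fires.
  def read(length = nil, outbuf = nil)
    allowance = @limit - @bytes_read + 1
    chunk = @io.read(length ? [length, allowance].min : allowance, outbuf)
    return (length ? nil : "") if chunk.nil? # keep IO#read EOF semantics
    @bytes_read += chunk.bytesize
    raise BodyTooLarge, "request body exceeds #{@limit} bytes" if @bytes_read > @limit
    chunk
  end
end

# Middleware: wraps the input only when the request length is unknown.
class ChunkedBodyLimit
  def initialize(app, limit: 8 * 1024 * 1024) # 8 MiB default is an assumption
    @app, @limit = app, limit
  end

  def call(env)
    if env["CONTENT_LENGTH"].to_s.empty?
      env["rack.input"] = LimitedInput.new(env["rack.input"], @limit)
    end
    @app.call(env)
  rescue BodyTooLarge => e
    [413, { "content-type" => "text/plain" }, ["#{e.message}\n"]]
  end
end

# Constructed check: an app that drains the body is sent a chunked-style
# request (no CONTENT_LENGTH); returns the HTTP status the middleware yields.
def upload_status(body, limit:)
  drain = ->(env) { env["rack.input"].read; [200, {}, ["ok"]] }
  ChunkedBodyLimit.new(drain, limit: limit).call({ "rack.input" => StringIO.new(body) })[0]
end
```

The rescue only catches reads that happen inside the downstream app's call, which is where Rack::Request#POST and the multipart parser consume rack.input.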

Exploit · Fix · DoS · Allocation of Resources Without Limits · Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2026-34829
GHSA-8VQR-QJWX-82MW
OPENSUSE-SU-2026:10508-1
USN-8182-1

Affected Products

Linuxmint
Rack
Red Os
Ubuntu