PT-2026-29819 · Rack+3

Oblivionsage · Published 2026-04-02 · Updated 2026-05-13

CVE-2026-34831
CVSS v3.1: 6.5 Medium
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Rack versions prior to 2.2.23, 3.1.21, and 3.2.6

Description: Rack's Rack::Files#fail method calculates the Content-Length response header with String#size (a character count) instead of String#bytesize (a byte count). When the response body contains multibyte UTF-8 characters, the declared Content-Length is therefore smaller than the number of bytes actually sent. Because Rack::Files reflects the requested path in its 404 response body, a request for a non-existent path containing percent-encoded UTF-8 characters produces exactly such a body, so the HTTP response is framed incorrectly and the connection can desynchronize. The impact is most relevant in deployments that use keep-alive connections and intermediaries relying on the Content-Length header to delimit responses, where it can cause inconsistent response parsing or desynchronization.

Recommendations: Update to Rack version 2.2.23 or later, 3.1.21 or later, or 3.2.6 or later.
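The String#size versus String#bytesize discrepancy described above, as an added illustration that is not Rack's own code: a stand-in 404 body that reflects a constructed percent-encoded UTF-8 path, the vulnerable and corrected length computations side by side, and a check a defender can run over a captured raw response to flag a Content-Length that disagrees with the body's byte length. The body text in not_found_body and all helper names are assumptions, not Rack's.

```ruby
require 'uri'

# Hypothetical stand-in for a 404 body that reflects the requested path;
# the real Rack::Files body text is not reproduced here.
def not_found_body(path)
  "File not found: #{path}\n"
end

# Vulnerable pattern: String#size counts characters, not bytes.
def content_length_with_size(body)
  body.size
end

# Corrected pattern: String#bytesize counts the bytes actually written.
def content_length_with_bytesize(body)
  body.bytesize
end

# Simulate how a keep-alive peer frames the response: it reads exactly the
# declared number of bytes as the body; whatever remains is unframed data
# that a parser would treat as the start of the next message.
def framing_check(body, declared)
  raw = body.b
  { declared: declared,
    actual: raw.bytesize,
    leftover: raw.byteslice(declared..-1).to_s }
end

# Defender-side check over a captured raw HTTP response: true when the
# declared Content-Length does not match the byte length of the body present.
def content_length_mismatch?(raw_response)
  head, body = raw_response.b.split("\r\n\r\n", 2)
  declared = head[/^Content-Length:\s*(\d+)/i, 1]
  return false unless declared && body
  declared.to_i != body.bytesize
end

# Constructed sample: percent-encoded form of "/ñ/日本" (5 characters, 10 bytes).
REQUEST_PATH = "/%C3%B1/%E6%97%A5%E6%9C%AC"
DECODED_PATH = URI.decode_www_form_component(REQUEST_PATH)

if __FILE__ == $PROGRAM_NAME
  body = not_found_body(DECODED_PATH)
  puts "size=#{content_length_with_size(body)} bytesize=#{content_length_with_bytesize(body)}"
  p framing_check(body, content_length_with_size(body))
end
```

With the sample path the body is 22 characters but 27 bytes, so a Content-Length computed with String#size leaves 5 bytes unframed on the connection.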

Exploit · Fix · DoS

Weakness Enumeration

Related Identifiers

CVE-2026-34831
GHSA-Q2WW-5357-X388
OPENSUSE-SU-2026:10508-1
USN-8182-1

Affected Products

Linuxmint
Rack
Red Os
Ubuntu