PT-2026-29856 · Rack+2

Taiphung217 · Published 2026-04-02 · Updated 2026-04-17 · CVE-2026-34827

CVSS v3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: Rack versions 3.0.0.beta1 through 3.1.21 and versions 3.2.0 through 3.2.6

Description: Rack’s Rack::Multipart::Parser#handle_mime_head method parses quoted multipart parameters using repeated String#index searches and String#slice! operations, which leads to super-linear processing time on escape-heavy quoted values. An unauthenticated attacker can send a crafted multipart/form-data request with many parts, each carrying a long, backslash-escaped parameter value, to cause excessive CPU usage during multipart parsing, resulting in a denial of service. The affected code is the handling of the Content-Disposition header, specifically the name attribute within multipart/form-data requests: the repeated searching and slicing becomes computationally expensive on heavily escaped strings. Any Rack application that accepts multipart form data is affected. A request with many parts whose name parameters contain long runs of backslash-escaped characters makes the parser perform a disproportionate amount of CPU work, potentially leading to service degradation or denial of service.

Recommendations: Update to Rack version 3.1.21 or 3.2.6 or later.
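The following is an added illustration of why the parsing pattern named above is super-linear; it is not Rack's code and does not reproduce its parser. It unescapes a quoted parameter value in two ways: one that, like the pattern the advisory describes, repeatedly calls String#index and String#slice! on the remaining string (each slice! shifts the whole remainder, so a value with k escapes and length n costs on the order of k × n), and one that walks the string once with a cursor. Both return the result together with an operation counter under a stated cost model (an assumption made here so the growth can be compared without wall-clock timing), and the sample value is constructed for the demonstration.

```ruby
# Added example, not Rack's implementation: contrast a slice!-based unescape
# with a single-pass one for quoted multipart parameter values.
#
# Example:  name="a\"b\\c"  ->  a"b\c

# Cost model (assumption): every String#index scan and every prefix slice!
# is charged the length of the string it runs over, since slice! shifts the
# rest of the buffer. This is what makes the loop below super-linear.
def unescape_with_slice(quoted)
  rest = quoted.dup
  out = +""
  work = 0
  while (i = rest.index("\\"))
    work += rest.length           # index scan + slice! shift of the remainder
    out << rest.slice!(0, i)      # copy literal text before the backslash
    rest.slice!(0, 1)             # drop the backslash itself
    work += rest.length           # second shift of the remainder
    out << rest.slice!(0, 1)      # keep the escaped character verbatim
  end
  work += rest.length             # final copy of the unescaped tail
  out << rest
  [out, work]
end

# Linear single-pass version: one cursor, the input is never mutated.
# A trailing lone backslash is dropped, matching the slice!-based version.
def unescape_linear(quoted)
  out = +""
  work = 0
  i = 0
  n = quoted.length
  while i < n
    work += 1
    ch = quoted[i]
    if ch == "\\"
      out << quoted[i + 1] if i + 1 < n
      i += 2
    else
      out << ch
      i += 1
    end
  end
  [out, work]
end

# Constructed sample: an escape-heavy value made of `pairs` repetitions of
# the two-byte sequence  \"  (the kind of input the advisory describes).
def escape_heavy_value(pairs)
  "\\\"" * pairs
end

if __FILE__ == $0
  [1_000, 2_000, 4_000].each do |k|
    v = escape_heavy_value(k)
    _, w_slice = unescape_with_slice(v)
    _, w_lin = unescape_linear(v)
    printf("escapes=%-5d slice-based work=%-12d linear work=%d\n", k, w_slice, w_lin)
  end
end
```

Doubling the number of escapes roughly quadruples the work of the slice!-based loop while only doubling the work of the single-pass loop, which is the behaviour a reviewer should look for when a parser mutates its input inside a search loop: the per-part cost is bounded by the value length, but the total cost across many parts with long escaped values is what exhausts CPU.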

Tags: Exploit · Fix · DoS · Allocation of Resources Without Limits · Resource Exhaustion

Weakness Enumeration

Related Identifiers

CVE-2026-34827
GHSA-V6X5-CG8R-VV6X
USN-8182-1

Affected Products

Linuxmint
Rack
Ubuntu