CVE-2026-34827

EPSS 0.02%
Veröffentlicht 02.04.2026 17:07:48
Zuletzt bearbeitet 24.04.2026 12:47:32
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Rack: Algorithmic-Complexity DoS in Rack::Multipart::Parser

Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Multipart::Parser#handle_mime_head parses quoted multipart parameters such as Content-Disposition: form-data; name="..." using repeated String#index searches combined with String#slice! prefix deletion. For escape-heavy quoted values, this causes super-linear processing. An unauthenticated attacker can send a crafted multipart/form-data request containing many parts with long backslash-escaped parameter values to trigger excessive CPU usage during multipart parsing. This results in a denial of service condition in Rack applications that accept multipart form data. This issue has been patched in versions 3.1.21 and 3.2.6.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 3 Referenzen 4

NVD 2 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Rack ≫ Rack SwPlatformruby Version >= 3.0.0 < 3.1.21

Rack ≫ Rack SwPlatformruby Version >= 3.2.0 < 3.2.6

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.02%	0.061

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CWE-407 Inefficient Algorithmic Complexity

An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached.

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

https://github.com/rack/rack/security/advisories/GHSA-v6x5-cg8r-vv6x

Vendor Advisory

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2026-34827

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-34827

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-34827

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-34827