{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34827", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-30T20:52:53.283Z", "datePublished": "2026-04-02T17:07:48.279Z", "dateUpdated": "2026-04-02T17:07:48.279Z"}, "containers": {"cna": {"title": "Rack: Algorithmic-Complexity DoS in Rack::Multipart::Parser", "problemTypes": [{"descriptions": [{"cweId": "CWE-407", "lang": "en", "description": "CWE-407: Inefficient Algorithmic Complexity", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-400", "lang": "en", "description": "CWE-400: Uncontrolled Resource Consumption", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-770", "lang": "en", "description": "CWE-770: Allocation of Resources Without Limits or Throttling", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/rack/rack/security/advisories/GHSA-v6x5-cg8r-vv6x", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/rack/rack/security/advisories/GHSA-v6x5-cg8r-vv6x"}], "affected": [{"vendor": "rack", "product": "rack", "versions": [{"version": ">= 3.0.0.beta1, < 3.1.21", "status": "affected"}, {"version": ">= 3.2.0, < 3.2.6", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-02T17:07:48.279Z"}, "descriptions": [{"lang": "en", "value": "Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Multipart::Parser#handle_mime_head parses quoted multipart parameters such as Content-Disposition: form-data; name=\"...\" using repeated String#index searches combined with String#slice! prefix deletion. For escape-heavy quoted values, this causes super-linear processing. An unauthenticated attacker can send a crafted multipart/form-data request containing many parts with long backslash-escaped parameter values to trigger excessive CPU usage during multipart parsing. This results in a denial of service condition in Rack applications that accept multipart form data. This issue has been patched in versions 3.1.21 and 3.2.6."}], "source": {"advisory": "GHSA-v6x5-cg8r-vv6x", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Multipart::Parser#handle_mime_head parses quoted multipart parameters such as Content-Disposition: form-data; name=\"...\" using repeated String#index searches combined with String#slice! prefix deletion. For escape-heavy quoted values, this causes super-linear processing. An unauthenticated attacker can send a crafted multipart/form-data request containing many parts with long backslash-escaped parameter values to trigger excessive CPU usage during multipart parsing. This results in a denial of service condition in Rack applications that accept multipart form data. This issue has been patched in versions 3.1.21 and 3.2.6."}], "id": "CVE-2026-34827", "lastModified": "2026-04-02T18:16:33.490", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-02T18:16:33.490", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/rack/rack/security/advisories/GHSA-v6x5-cg8r-vv6x"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-407"}, {"lang": "en", "value": "CWE-770"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[3.0.0.beta1,3.1.21)"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[3.2.0,3.2.6)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "rack", "source": "cna", "vendor": "rack"}, "product": "rack", "vendor": "rack"}], "analysis": {"en": {"generated_at": "2026-04-02T22:34:24.198963+00:00", "value": {"mitigation_remediation": ["Upgrade Rack to version 3.1.21 or later, which includes the fix for this denial of service.", "Verify that your application is using the updated Rack gem and that no older, vulnerable code remains."], "summary": {"action": "Apply Patch", "impact": "Denial of Service through excessive CPU consumption"}, "threat_synthesis": {"affected_systems": "The affected product is Rack, spanning versions from 3.0.0.beta1 up to just before 3.1.21, and from 3.2.0 up to just before 3.2.6. Ruby applications that rely on any of these vulnerable releases are susceptible to the denial\u2011of\u2011service condition unless they have been upgraded beyond these version ranges.", "description_and_impact": "Rack, a modular Ruby web server interface, has a flaw in its multipart form data parser that allows an attacker to trigger extreme CPU usage. The vulnerability originates from repeated string search operations performed on quoted multipart parameters, creating a super\u2011linear processing time when many backslash\u2011escaped values are present. By sending a crafted multipart/form\u2011data request containing numerous parts with long escape\u2011heavy values, an unauthenticated attacker can force the parser to consume disproportionate CPU resources, effectively denying service to legitimate users.", "risk_and_exploitability": "The CVSS score of 7.5 reflects a high severity, though no EPSS data is available and the issue is not listed in the CISA KEV catalog. The attack vector is remote and unauthenticated, requiring only the ability to send HTTP requests. Successful exploitation does not reveal or corrupt data but can severely degrade application availability by monopolizing CPU resources. In the absence of publicly released exploit code, the risk is primarily determined by the presence of vulnerable Rack versions and the exposure of the application to the Internet."}}}}, "created": "2026-04-03T07:32:26.255924+00:00", "updated": "2026-04-03T09:18:14.508103+00:00", "vendors": ["rack", "rack$PRODUCT$rack"]}