GHSA-v6x5-cg8r-vv6x

Suggest an improvement
Source
https://github.com/advisories/GHSA-v6x5-cg8r-vv6x
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-v6x5-cg8r-vv6x/GHSA-v6x5-cg8r-vv6x.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-v6x5-cg8r-vv6x
Aliases
  • CVE-2026-34827
Downstream
Related
Published
2026-04-02T20:30:12Z
Modified
2026-04-06T00:44:16.729190419Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Rack's multipart header parsing allows Denial of Service via escape-heavy quoted parameters
Details

Summary

Rack::Multipart::Parser#handle_mime_head parses quoted multipart parameters such as Content-Disposition: form-data; name="..." using repeated String#index searches combined with String#slice! prefix deletion. For escape-heavy quoted values, this causes super-linear processing.

An unauthenticated attacker can send a crafted multipart/form-data request containing many parts with long backslash-escaped parameter values to trigger excessive CPU usage during multipart parsing.

This results in a denial of service condition in Rack applications that accept multipart form data.

Details

Rack::Multipart::Parser#handle_mime_head parses quoted parameter values by repeatedly:

  1. Searching for the next quote or backslash,
  2. Copying the preceding substring into a new buffer, and
  3. Removing the processed prefix from the original string with slice!.

An attacker can exploit this by sending a multipart request with many parts whose name parameters contain long escape-heavy values such as:

name="a\\a\\a\\a\\a\\..."

Under default Rack limits, a request can contain up to 4095 parts. If many of those parts use long quoted values with dense escape characters, the parser performs disproportionately expensive CPU work while remaining within normal request size and part-count limits.

Impact

Any Rack application that accepts multipart/form-data requests may be affected, including file upload endpoints and standard HTML form handlers.

An unauthenticated attacker can send crafted multipart requests that consume excessive CPU time during request parsing. Repeated requests can tie up application workers, reduce throughput, and degrade or deny service availability.

Mitigation

  • Update to a patched version of Rack that parses quoted multipart parameters without repeated rescanning and destructive prefix deletion.
  • Apply request throttling or rate limiting to multipart upload endpoints.
  • Where operationally feasible, restrict or isolate multipart parsing on untrusted high-volume endpoints.
Database specific 
{
    "nvd_published_at": "2026-04-02T18:16:33Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-400",
        "CWE-407",
        "CWE-770"
    ],
    "github_reviewed_at": "2026-04-02T20:30:12Z"
}
References

Affected packages

RubyGems / rack

Package

Name
rack
Purl
pkg:gem/rack

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.0.0.beta1
Fixed
3.1.21

Affected versions

3.*
3.0.0.beta1
3.0.0.rc1
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.4.1
3.0.4.2
3.0.5
3.0.6
3.0.6.1
3.0.7
3.0.8
3.0.9
3.0.9.1
3.0.10
3.0.11
3.0.12
3.0.13
3.0.14
3.0.15
3.0.16
3.0.17
3.0.18
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10
3.1.11
3.1.12
3.1.13
3.1.14
3.1.15
3.1.16
3.1.17
3.1.18
3.1.19
3.1.20

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-v6x5-cg8r-vv6x/GHSA-v6x5-cg8r-vv6x.json"

RubyGems / rack

Package

Name
rack
Purl
pkg:gem/rack

Affected ranges

Type
ECOSYSTEM
Events
Introduced
3.2.0
Fixed
3.2.6

Affected versions

3.*
3.2.0
3.2.1
3.2.2
3.2.3
3.2.4
3.2.5

Database specific

source 
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-v6x5-cg8r-vv6x/GHSA-v6x5-cg8r-vv6x.json"