Package Instance

Rack has a Possible Information Disclosure Vulnerability
A possible information disclosure vulnerability existed in `Rack::Sendfile` when running behind a proxy that supports `x-sendfile` headers (such as Nginx). Specially crafted headers could cause `Rack::Sendfile` to miscommunicate with the proxy and trigger unintended internal requests, potentially bypassing proxy-level access restrictions.

Rack's greedy multipart boundary parsing can cause parser differentials and WAF bypass.
## Summary

`Rack::Multipart::Parser` extracts the `boundary` parameter from
`multipart/form-data` using a greedy regular expression. When a
`Content-Type` header contains multiple `boundary` parameters,
Rack selects the last one rather than the first.

In deployments where an upstream proxy, WAF, or intermediary
interprets the first `boundary` parameter, this mismatch can
allow an attacker to smuggle multipart content past upstream
inspection and have Rack parse a different body structure than
the intermediary validated.

## Details

Rack identifies the multipart boundary using logic equivalent to:

```ruby
MULTIPART = %r|\Amultipart/.*boundary=\"?([^\";,]+)\"?|ni
```

Because the expression is greedy, it matches the last `boundary=`
parameter in a header such as:

```http
Content-Type: multipart/form-data; boundary=safe; boundary=malicious
```

As a result, Rack parses the request body using `malicious`, while
another component may interpret the same header using `safe`.

This creates an interpretation conflict. If an upstream WAF or proxy
inspects multipart parts using the first boundary and Rack later
parses the body using the last boundary, a client may be able to
place malicious form fields or uploaded content in parts that Rack
accepts but the upstream component did not inspect as intended.

This issue is most relevant in layered deployments where security
decisions are made before the request reaches Rack.

## Impact

Applications that accept `multipart/form-data` uploads behind an
inspecting proxy or WAF may be affected.

In such deployments, an attacker may be able to bypass upstream
filtering of uploaded files or form fields by sending a request
with multiple `boundary` parameters and relying on the intermediary
and Rack to parse the request differently.

The practical impact depends on deployment architecture. If no
upstream component relies on a different multipart interpretation,
this behavior may not provide meaningful additional attacker capability.

## Mitigation

* Update to a patched version of Rack that rejects ambiguous multipart
  `Content-Type` headers or parses duplicate `boundary` parameters
  consistently.
* Reject requests containing multiple `boundary` parameters.
* Normalize or regenerate multipart metadata at the trusted edge
  before forwarding requests to Rack.
* Avoid relying on upstream inspection of malformed multipart
  requests unless duplicate parameter handling is explicitly
  consistent across components.

Rack has quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header
## Summary

`Rack::Utils.select_best_encoding` processes `Accept-Encoding` values
with quadratic time complexity when the header contains many
wildcard (`*`) entries. Because this method is used by `Rack::Deflater`
to choose a response encoding, an unauthenticated attacker can send
a single request with a crafted `Accept-Encoding` header and cause
disproportionate CPU consumption on the compression middleware path.

This results in a denial of service condition for applications
using `Rack::Deflater`.

## Details

`Rack::Utils.select_best_encoding` expands parsed `Accept-Encoding`
values into a list of candidate encodings. When an entry is `*`,
the method computes the set of concrete encodings by subtracting
the encodings already present in the request:

```ruby
if m == "*"
  (available_encodings - accept_encoding.map(&:first)).each do |m2|
    expanded_accept_encoding << [m2, q, preference]
  end
else
  expanded_accept_encoding << [m, q, preference]
end
```

Because `accept_encoding.map(&:first)` is evaluated inside the loop,
it is recomputed for each wildcard entry. If the request contains
`N` wildcard entries, this produces repeated scans over the full
parsed header and causes quadratic behavior.

After expansion, the method also performs additional work over
`expanded_accept_encoding`, including per-entry deletion, which
further increases the cost for large inputs.

`Rack::Deflater` invokes this method for each request when the
middleware is enabled:

```ruby
Utils.select_best_encoding(ENCODINGS, Utils.parse_encodings(accept_encoding))
```

As a result, a client can trigger this expensive code path simply
by sending a large `Accept-Encoding` header containing many
repeated wildcard values.

For example, a request with an approximately 8 KB `Accept-Encoding`
header containing about 1,000 `*;q=0.5` entries can cause roughly
170 ms of CPU time in a single request on the `Rack::Deflater`
path, compared to a negligible baseline for a normal header.

This issue is distinct from CVE-2024-26146. That issue concerned
regular expression denial of service during `Accept` header parsing,
whereas this issue arises later during encoding selection after
the header has already been parsed.

## Impact

Any Rack application using `Rack::Deflater` may be affected.

An unauthenticated attacker can send requests with crafted
`Accept-Encoding` headers to trigger excessive CPU usage in the
encoding selection logic. Repeated requests can consume worker
time disproportionately and reduce application availability.

The attack does not require invalid HTTP syntax or large payload
bodies. A single header-sized request is sufficient to reach the
vulnerable code path.

## Mitigation

* Update to a patched version of Rack in which encoding selection
  does not repeatedly rescan the parsed header for wildcard entries.
* Avoid enabling `Rack::Deflater` on untrusted traffic.
* Apply request filtering or header size / format restrictions
  at the reverse proxy or application boundary to limit abusive
  `Accept-Encoding` values.

ReDoS Vulnerability in Rack::Multipart handle_mime_head
### Summary

There is a denial of service vulnerability in the
Content-Disposition parsing component of Rack. This is very
similar to the previous security issue CVE-2022-44571.

### Details

Carefully crafted input can cause Content-Disposition header
parsing in Rack to take an unexpected amount of time, possibly
resulting in a denial of service attack vector. This header is
used typically used in multipart parsing. Any applications that
parse multipart posts using Rack (virtually all Rails applications)
are impacted.

### Credits

Thanks to [scyoon](https://hackerone.com/scyoon) for reporting
this to the Rails security team

Rack has a Directory Traversal via Rack:Directory
`Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root.

Rack: Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
`Rack::Multipart::Parser` stores non-file form fields (parts without a `filename`) entirely in memory as Ruby `String` objects. A single large text field in a multipart/form-data request (hundreds of megabytes or more) can consume equivalent process memory, potentially leading to out-of-memory (OOM) conditions and denial of service (DoS).

Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing
`Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion.

Rack's multipart parsing without Content-Length header allows unbounded chunked file uploads
## Summary

`Rack::Multipart::Parser` only wraps the request body in a `BoundedIO`
when `CONTENT_LENGTH` is present. When a `multipart/form-data` request
is sent without a `Content-Length` header, such as with HTTP chunked
transfer encoding, multipart parsing continues until end-of-stream
with no total size limit.

For file parts, the uploaded body is written directly to a temporary
file on disk rather than being constrained by the buffered in-memory
upload limit. An unauthenticated attacker can therefore stream an
arbitrarily large multipart file upload and consume unbounded disk space.

This results in a denial of service condition for Rack applications
that accept multipart form data.

## Details

`Rack::Multipart::Parser.parse` applies `BoundedIO` only when
`content_length` is not `nil`:

```ruby
io = BoundedIO.new(io, content_length) if content_length
```

When `CONTENT_LENGTH` is absent, the parser reads the multipart body
until EOF without a global byte limit.

Although Rack enforces `BUFFERED_UPLOAD_BYTESIZE_LIMIT` for retained
non-file parts, file uploads are handled differently. When a multipart
part includes a filename, the body is streamed to a `Tempfile`, and
the retained-size accounting is not applied to that file content.
As a result, file parts are not subject to the same upload size bound.

An attacker can exploit this by sending a chunked `multipart/form-data`
request containing a file part and continuously streaming data without
declaring a `Content-Length`. Rack will continue writing the uploaded
data to disk until the client stops or the server exhausts available storage.

## Impact

Any Rack application that accepts `multipart/form-data` uploads may be
affected if no upstream component enforces a request body size limit.

An unauthenticated attacker can send a large chunked file upload to
consume disk space on the application host. This may cause request
failures, application instability, or broader service disruption if
the host runs out of available storage.

The practical impact depends on deployment architecture. Reverse proxies
or application servers that enforce upload limits may reduce or eliminate
exploitability, but Rack itself does not impose a total multipart
upload limit in this code path when `CONTENT_LENGTH` is absent.

## Mitigation

* Update to a patched version of Rack that enforces a total multipart
  upload size limit even when `CONTENT_LENGTH` is absent.
* Enforce request body size limits at the reverse proxy or
  application server.
* Isolate temporary upload storage and monitor disk consumption
  for multipart endpoints.

Rack:: Static header_rules bypass via URL-encoded paths
## Summary

`Rack::Static#applicable_rules` evaluates several `header_rules`
types against the raw URL-encoded `PATH_INFO`, while the underlying
file-serving path is decoded before the file is served. As a result,
a request for a URL-encoded variant of a static path can serve
the same file without the headers that `header_rules` were intended to apply.

In deployments that rely on `Rack::Static` to attach security-relevant
response headers to static content, this can allow an attacker to
bypass those headers by requesting an encoded form of the path.

## Details

`Rack::Static#applicable_rules` matches rule types such as `:fonts`,
`Array`, and `Regexp` directly against the incoming `PATH_INFO`. For example:

```ruby
when :fonts
  /\.(?:ttf|otf|eot|woff2|woff|svg)\z/.match?(path)
when Array
  /\.(#{rule.join('|')})\z/.match?(path)
when Regexp
  rule.match?(path)
```

These checks operate on the raw request path. If the request contains
encoded characters such as `%2E` in place of `.`, the rule may fail
to match even though the file path is later decoded and served
successfully by the static file server.

For example, both of the following requests may resolve to the
same file on disk:

```text
/fonts/test.woff
/fonts/test%2Ewoff
```

but only the unencoded form may receive the headers configured
through `header_rules`.

This creates a canonicalization mismatch between the path used
for header policy decisions and the path ultimately used for file serving.

## Impact

Applications that rely on `Rack::Static` `header_rules` to apply
security-relevant headers to static files may be affected.

In affected deployments, an attacker can request an encoded
variant of a static file path and receive the same file without
the intended headers. Depending on how `header_rules` are used,
this may bypass protections such as clickjacking defenses, content
restrictions, or other response policies applied to static content.

The practical impact depends on the configured rules and the types
of files being served. If `header_rules` are only used for
non-security purposes such as caching, the issue may have limited
security significance.

## Mitigation

* Update to a patched version of Rack that applies `header_rules`
  to a decoded path consistently with static file resolution.
* Do not rely solely on `Rack::Static` `header_rules` for
  security-critical headers where encoded path variants may
  reach the application.
* Prefer setting security headers at the reverse proxy or web server
  layer so they apply consistently to both encoded and unencoded path forms.
* Normalize or reject encoded path variants for static content
  at the edge, where feasible.