CVE-2026-34829
Published: 02 April 2026
Summary
CVE-2026-34829 is a high-severity Uncontrolled Resource Consumption (CWE-400) vulnerability in Rack, the modular Ruby web server interface. Its CVSS base score is 7.5 (High).
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 20.1st percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Timely remediation of the Rack::Multipart::Parser flaw by patching to versions 2.2.23, 3.1.21, or 3.2.6 directly eliminates unbounded disk consumption from chunked multipart uploads.
Denial-of-service protection mechanisms limit the effects of resource exhaustion attacks like streaming arbitrarily large multipart file uploads lacking Content-Length headers.
Information input restrictions enforce size limits on multipart/form-data requests to prevent excessive temporary file creation and disk space exhaustion.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
The flaw sits in the public-facing Rack multipart parser, so it is reached by exploiting a public-facing web application (T1190), and its effect is application resource exhaustion and DoS through unbounded disk writes (T1499.004).
NVD Description
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser only wraps the request body in a BoundedIO when CONTENT_LENGTH is present. When a multipart/form-data request is sent without a Content-Length header, such as with HTTP chunked transfer encoding, multipart parsing continues until end-of-stream with no total size limit. For file parts, the uploaded body is written directly to a temporary file on disk rather than being constrained by the buffered in-memory upload limit. An unauthenticated attacker can therefore stream an arbitrarily large multipart file upload and consume unbounded disk space. This results in a denial of service condition for Rack applications that accept multipart form data. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Deeper analysis
Rack is a modular Ruby web server interface that provides a foundation for many Ruby web applications. CVE-2026-34829 affects the Rack::Multipart::Parser component in versions prior to 2.2.23, 3.1.21, and 3.2.6. The vulnerability arises because the parser only wraps the request body in a BoundedIO when a Content-Length header is present. For multipart/form-data requests sent without Content-Length—such as those using HTTP chunked transfer encoding—parsing continues until end-of-stream without any total size limit. File parts in these uploads are written directly to temporary files on disk, bypassing in-memory upload limits and enabling unbounded disk consumption.
An unauthenticated attacker with network access can exploit this issue with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H). By streaming an arbitrarily large multipart file upload to a vulnerable Rack application that accepts multipart form data, the attacker triggers excessive writing to temporary files, leading to disk space exhaustion and a denial-of-service condition.
The GitHub Security Advisory (GHSA-8vqr-qjwx-82mw) confirms the issue has been addressed in Rack versions 2.2.23, 3.1.21, and 3.2.6, and associates the flaw with CWE-400 (Uncontrolled Resource Consumption) and CWE-770 (Allocation of Resources Without Limits or Throttling). Security practitioners should upgrade affected applications to these patched versions to mitigate the risk.
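The missing bound described above can also be applied on the defender's side while the upgrade is rolled out. The following is an added example, not Rack's code or the upstream fix: a Rack-protocol middleware that wraps rack.input for multipart/form-data requests arriving without Content-Length (the chunked case), so that a downstream parser reading to end-of-stream hits a cap and the request is answered with 413. The cap value, the env shape, and the draining test app are assumptions constructed for the example.

```ruby
# Added example, not Rack's own code: bound the body of a multipart/form-data
# request that arrives without Content-Length (e.g. chunked transfer encoding),
# so a downstream parser that reads to end-of-stream cannot exceed the cap.
# Assumes the standard Rack env keys; the cap value is a hypothetical choice.
require 'stringio'

class BodyTooLarge < StandardError; end

# Counts bytes handed to the consumer and raises once the cap is exceeded.
# Only #read is wrapped here; a full version would also wrap #gets and #each.
class LimitedInput
  def initialize(io, limit)
    @io, @limit, @consumed = io, limit, 0
  end

  def read(length = nil, outbuf = nil)
    chunk = @io.read(length, outbuf)
    @consumed += chunk.bytesize unless chunk.nil?
    raise BodyTooLarge, "body exceeded #{@limit} bytes" if @consumed > @limit
    chunk
  end

  def rewind; @io.rewind; @consumed = 0; end
end

class BoundedMultipartBody
  def initialize(app, limit:)
    @app, @limit = app, limit
  end

  def call(env)
    multipart = env['CONTENT_TYPE'].to_s.start_with?('multipart/form-data')
    declared  = env['CONTENT_LENGTH'].to_s.match?(/\A\d+\z/)
    # With Content-Length present, Rack's own BoundedIO already applies a limit.
    env['rack.input'] = LimitedInput.new(env['rack.input'], @limit) if multipart && !declared
    @app.call(env)
  rescue BodyTooLarge
    [413, { 'content-type' => 'text/plain' }, ['Payload Too Large']]
  end
end

# Constructed downstream app that, like a multipart parser, drains the body to EOF.
DRAIN_APP = ->(env) { [200, {}, ["read #{env['rack.input'].read.bytesize} bytes"]] }

# Constructed request: multipart body, with CONTENT_LENGTH only when given.
def upload_status(body, limit: 1024, content_length: nil)
  env = { 'CONTENT_TYPE' => 'multipart/form-data; boundary=x', 'rack.input' => StringIO.new(body) }
  env['CONTENT_LENGTH'] = content_length.to_s if content_length
  BoundedMultipartBody.new(DRAIN_APP, limit: limit).call(env)[0]
end
```

A 100-byte body passes, a 5000-byte body with no Content-Length is rejected with 413 once the 1024-byte cap is crossed, and a body that declares its length is left to Rack's own BoundedIO.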
Details
- CWE(s)