Rack
cpe:2.3:a:rack:rack:*:*:*:*:ruby:*:*, +3 more
- < 2.2.14
- >= 3.0, < 3.0.16
- >= 3.1, < 3.1.14
A denial-of-service vulnerability has been identified in Rack, a Ruby web server interface, in versions prior to 2.2.14, 3.0.16, and 3.1.14. The issue arises in `Rack::QueryParser`, which processes query strings and `application/x-www-form-urlencoded` bodies without limiting the number of parameters. This lack of restriction allows attackers to send requests with an excessive number of parameters, potentially in the hundreds of thousands, leading to memory exhaustion or high CPU usage. Such resource consumption can stall or crash the Rack server, causing a complete service disruption until the affected worker is restarted.
Each such request ties up the worker that parses it: memory grows with the number of decoded pairs and CPU time with the size of the resulting parameter hash, so a single client can drive the Rack server into memory exhaustion or sustained high CPU usage until it becomes unresponsive or crashes, disrupting service until the affected worker is restarted, manually or by its supervisor.
The vulnerability can be reproduced by sending an HTTP request to a Rack server whose query string or `application/x-www-form-urlencoded` body contains an extremely large number of `&`-separated parameters, generated with any tool or script that can assemble and send such a request. Note that each pair can be as short as two bytes, so a body of only a few megabytes already carries on the order of a million parameters; a limit on request body size alone does not prevent the attack.
Update to Rack 2.2.14, 3.0.16, or 3.1.14, which fix the issue by limiting the number of parameters `Rack::QueryParser` will accept. Applications that legitimately need more can override the new default limits on a per-`Rack::QueryParser` basis; the configuration is described in the Rack README.
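To make the reproduction and the fix concrete, the following is an added example and not Rack's own code: a minimal parser for `application/x-www-form-urlencoded` data in the unbounded shape the advisory describes, the same parser with a byte-size and parameter-count check in front of it, and a generator for the kind of oversized body used to trigger the issue. The limit values, the `QueryLimitError` class, and the function names are assumptions for this example; Rack's real defaults and its per-parser override live in its README and `Rack::QueryParser`.

```ruby
require 'uri'

# Added example, not Rack's code. Models the parameter-count limit the
# advisory describes on top of a toy form parser.
class QueryLimitError < StandardError; end

# Limits assumed for this example only; do not read them as Rack's values.
BYTESIZE_LIMIT = 4 * 1024 * 1024  # 4 MiB
PARAMS_LIMIT   = 4096

# Vulnerable shape: one String per pair and one hash entry per key, with no
# bound on how many pairs the client may send.
def parse_form_unbounded(body)
  params = {}
  body.split('&').each do |pair|
    next if pair.empty?
    key, value = pair.split('=', 2)
    params[URI.decode_www_form_component(key)] =
      URI.decode_www_form_component(value.to_s)
  end
  params
end

# Hardened shape: check the size and the separator count before decoding
# anything. String#count is a linear scan with no allocation, and a run of
# empty pairs such as "a&&&b" still counts against the limit, which is the
# safe direction. Rejection cost is bounded by the body size, not by the
# number of objects the attacker asked us to build.
def parse_form_limited(body, params_limit: PARAMS_LIMIT, bytesize_limit: BYTESIZE_LIMIT)
  if body.bytesize > bytesize_limit
    raise QueryLimitError, "body is #{body.bytesize} bytes, limit #{bytesize_limit}"
  end
  separators = body.count('&')
  if separators >= params_limit
    raise QueryLimitError, "#{separators + 1} parameters, limit #{params_limit}"
  end
  parse_form_unbounded(body)
end

# true when the bounded parser rejects the body, false when it accepts it
def rejected?(body, params_limit: PARAMS_LIMIT, bytesize_limit: BYTESIZE_LIMIT)
  parse_form_limited(body, params_limit: params_limit, bytesize_limit: bytesize_limit)
  false
rescue QueryLimitError
  true
end

# Constructed flood input: n distinct keys with empty values. Each pair is
# only a few bytes, so a body far below BYTESIZE_LIMIT carries many more
# parameters than PARAMS_LIMIT allows; a body-size cap alone does not stop
# this, which is why the count limit is the actual fix.
def build_flood_body(n)
  Array.new(n) { |i| "p#{i}=" }.join('&')
end

if __FILE__ == $PROGRAM_NAME
  flood = build_flood_body(PARAMS_LIMIT + 1)
  puts "flood body: #{flood.bytesize} bytes, #{PARAMS_LIMIT + 1} parameters"
  puts "unbounded parser built #{parse_form_unbounded(flood).size} keys"
  puts "bounded parser rejects it: #{rejected?(flood)}"
end
```

Run it as a script to see that a flood body of a few tens of kilobytes passes a 4 MiB size check yet is rejected by the count check; the count check is performed before any per-parameter allocation, which is the property a fix for this class of bug needs.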