Rack Query Parser Parameter Limit Bypass Vulnerability Allowing Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in Rack, a Ruby web server interface, prior to version 2.2.18. The issue arises in Rack::QueryParser, which improperly enforces the parameter limit. The parser splits parameters using both '&' and ';' separators but only counts '&' when applying the limit. This discrepancy allows attackers to use ';' to bypass the parameter count restriction, potentially leading to increased CPU and memory usage. Applications or middleware that use Rack::QueryParser with the default settings may be vulnerable to this issue.

Impact

Exploitation of this vulnerability can cause excessive CPU and memory consumption, leading to a limited denial-of-service condition.

Reproduction

To reproduce this vulnerability, use Rack::QueryParser with the default separator configuration. Submit a query string that includes parameters separated by semicolons, exceeding the usual parameter limit. The parser will incorrectly process the query, bypassing the limit and allowing more parameters than intended. This can be automated with a script or tool that sends HTTP requests to a Rack application, using semicolons to separate query parameters.

Remediation

Upgrade to Rack version 2.2.18 or later, where this vulnerability has been patched. If an immediate upgrade is not possible, configure Rack::QueryParser to use an explicit delimiter, such as '&', to ensure proper parameter counting. As a general precaution, consider enforcing query string and request size limits at the web server or proxy level to mitigate potential parsing overhead.
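As an added illustration, not Rack's own code nor its patch: a Rack-style middleware that counts query parameters on both '&' and ';' and rejects oversized query strings before they reach Rack::QueryParser, in the spirit of the server-level limits suggested above. The class name, the limit of 100 and the 400 response are assumptions; the flawed '&'-only count is included only to show how the two tallies diverge.

```ruby
# Added example (not Rack's code): reject query strings whose parameter
# count, measured on BOTH separators, exceeds a limit. Plain Ruby; no gem
# required. env['QUERY_STRING'] is the standard Rack/CGI environment key.
class QueryParamLimit
  DEFAULT_LIMIT = 100 # assumed limit; choose one that suits your app

  # Counts non-empty pairs, treating '&' and ';' alike (the correct tally).
  def self.param_count(query_string)
    return 0 if query_string.nil? || query_string.empty?
    query_string.split(/[&;]/).count { |pair| !pair.empty? }
  end

  # Counts only '&'-separated pieces: the accounting flaw described in the
  # advisory, kept here solely to show why ';' input is under-counted.
  def self.ampersand_only_count(query_string)
    return 0 if query_string.nil? || query_string.empty?
    query_string.split('&').count { |pair| !pair.empty? }
  end

  def initialize(app, limit: DEFAULT_LIMIT)
    @app = app
    @limit = limit
  end

  # Standard Rack call signature: returns [status, headers, body].
  def call(env)
    count = self.class.param_count(env['QUERY_STRING'])
    if count > @limit
      body = "too many query parameters (#{count} > #{@limit})\n"
      return [400, { 'content-type' => 'text/plain' }, [body]]
    end
    @app.call(env)
  end
end

# Constructed sample: 150 ';'-separated parameters against a limit of 100.
# The '&'-only tally sees a single parameter; the correct tally sees 150.
SAMPLE_QUERY = (1..150).map { |i| "p#{i}=x" }.join(';')

if __FILE__ == $PROGRAM_NAME
  app = ->(_env) { [200, { 'content-type' => 'text/plain' }, ["ok\n"]] }
  guarded = QueryParamLimit.new(app)
  puts "ampersand-only count: #{QueryParamLimit.ampersand_only_count(SAMPLE_QUERY)}"
  puts "both-separator count: #{QueryParamLimit.param_count(SAMPLE_QUERY)}"
  status, = guarded.call('QUERY_STRING' => SAMPLE_QUERY)
  puts "middleware status: #{status}"
end
```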

Added: Sep 25, 2025, 3:40 PM
Updated: Sep 25, 2025, 3:40 PM

Vulnerability Rating

Custom Algorithm

spread          7.3
impact          0.6
exploitability  9.1
remediation     8.3
relevance       0.6
threat          4.8
urgency         2.9
incentive      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.