Rack Unbounded Multipart Preamble Buffering Vulnerability Allows Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in Rack, a Ruby web server interface, in versions prior to 2.2.19, 3.1.17, and 3.2.2. The issue arises in the `Rack::Multipart::Parser`, which buffers the entire multipart preamble (the bytes before the first boundary) in memory without any size limit. This flaw allows remote attackers to send large preambles in multipart/form-data requests, leading to significant memory consumption and potential process termination due to out-of-memory conditions. The vulnerability can cause worker crashes or severe slowdowns because of garbage collection, especially when allowed request sizes and concurrency are high.

Impact

Exploitation of this vulnerability can cause large, temporary memory spikes, potentially leading to process termination due to out-of-memory conditions.

Reproduction

The vulnerability can be reproduced by sending a multipart/form-data request with a preamble that exceeds the default buffer size of 1MB. The `Rack::Multipart::Parser` will buffer the excessive data in memory, which can be verified by monitoring the application's memory usage. Once the memory limit is reached, the process may be terminated, causing a denial-of-service condition.

Remediation

Users can upgrade to Rack versions 2.2.19, 3.1.17, or 3.2.2, which address the vulnerability by enforcing a preamble size limit or discarding preamble data entirely. As defence in depth, total request body size can be limited at the proxy or web server level, and memory usage can be monitored with per-process limits so that a single worker cannot exhaust host memory and trigger out-of-memory conditions.
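The buffering pattern the advisory describes, beside the two mitigations the remediation names (a preamble size cap and a body-size limit enforced before the parser runs), as an added Ruby example. This is not Rack's code and does not model `Rack::Multipart::Parser` itself; `buffer_preamble_unbounded`, `skip_preamble`, `PreambleTooLarge`, `BodySizeLimit`, the 16 KiB default and the sample bodies are all constructed for this illustration, not values taken from the patched releases.

```ruby
# Added illustration, not Rack's own code. A simplified model of the pattern
# in the advisory; every name and limit here is hypothetical.
require 'stringio'

class PreambleTooLarge < StandardError; end

# Hypothetical cap; the advisory does not state the limit the fixed releases use.
DEFAULT_PREAMBLE_LIMIT = 16 * 1024

# The vulnerable pattern: every preamble line is appended to a String with no
# upper bound, so memory grows in step with whatever the client sends.
def buffer_preamble_unbounded(io, boundary)
  delimiter = "--#{boundary}"
  preamble = +''
  while (line = io.gets)
    return preamble if line.chomp == delimiter
    preamble << line
  end
  preamble
end

# Hardened form: preamble bytes are counted and discarded rather than stored,
# and the scan aborts as soon as the running total passes the limit. Returns
# the number of preamble bytes skipped.
def skip_preamble(io, boundary, limit: DEFAULT_PREAMBLE_LIMIT)
  delimiter = "--#{boundary}"
  consumed = 0
  while (line = io.gets)
    return consumed if line.chomp == delimiter
    consumed += line.bytesize
    raise PreambleTooLarge, "preamble exceeds #{limit} bytes" if consumed > limit
  end
  raise ArgumentError, "boundary #{delimiter.inspect} not found"
end

# Defence in depth at the application layer: refuse a request by its declared
# Content-Length before any multipart parsing runs. Uses only the standard Rack
# env hash and the [status, headers, body] return triple. Caveat: a chunked
# body carries no Content-Length, so the proxy-level cap the advisory mentions
# is still needed to cover that case.
class BodySizeLimit
  def initialize(app, max_bytes:)
    @app = app
    @max_bytes = max_bytes
  end

  def call(env)
    declared = env['CONTENT_LENGTH'].to_i
    if declared > @max_bytes
      return [413, { 'content-type' => 'text/plain' }, ['Payload Too Large']]
    end
    @app.call(env)
  end
end

# Constructed sample body: two preamble lines, then the first boundary.
SAMPLE_BOUNDARY = 'XyZ'
SAMPLE_BODY = "ignore me\r\nstill preamble\r\n--XyZ\r\n" \
              "Content-Disposition: form-data; name=\"a\"\r\n\r\n1\r\n--XyZ--\r\n"

# Runs the three cases and returns their results so they can be checked.
def demo
  buffered = buffer_preamble_unbounded(StringIO.new(SAMPLE_BODY), SAMPLE_BOUNDARY)
  skipped  = skip_preamble(StringIO.new(SAMPLE_BODY), SAMPLE_BOUNDARY)

  # Constructed oversized preamble: 32 lines of 1 KiB against a 4 KiB cap.
  big = StringIO.new(("x" * 1024 + "\r\n") * 32 + "--XyZ\r\n")
  rejected = begin
    skip_preamble(big, SAMPLE_BOUNDARY, limit: 4096)
    false
  rescue PreambleTooLarge
    true
  end

  { buffered: buffered, skipped: skipped, rejected: rejected }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The contrast worth noticing is that `skip_preamble` never allocates for the preamble at all: the fixed releases are described as either capping the preamble or discarding it, and discarding makes the cap trivial to enforce because only a counter is kept. `BodySizeLimit` is a second, coarser gate; pair it with a body-size limit at the proxy so that bodies without a Content-Length header are also bounded.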

Added: Oct 7, 2025, 3:22 PM
Updated: Oct 7, 2025, 3:22 PM

Vulnerability Rating

Custom Algorithm

  spread          7.3
  impact          2.5
  exploitability  9.1
  remediation     8.3
  relevance       0.7
  threat          4.8
  urgency         2.9
  incentive      10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.