Rack Multipart Parser Denial-of-Service Vulnerability via Unbounded Memory Buffers

Vulnerability

A denial-of-service vulnerability has been identified in Rack, the Ruby web server interface. In Rack releases before 2.2.19, 3.1.17 and 3.2.2 (the fixed releases on the 2.2, 3.1 and 3.2 branches respectively), the `Rack::Multipart::Parser` component mishandles non-file form fields in multipart requests: parts whose Content-Disposition carries no `filename` are accumulated entirely in memory as Ruby `String` objects, with no upper bound on their size. An attacker who sends a `multipart/form-data` request whose text field runs to hundreds of megabytes, or several such requests at once, can drive the worker processes that parse them into excessive memory consumption, out-of-memory conditions and crashes. The effect is compounded under concurrent processing, since every worker parsing such a request holds its own copy of the field.

Impact

Exploitation causes memory exhaustion in the processes that parse the request, leading to out-of-memory conditions, worker process crashes, or severe garbage-collection overhead that degrades service for every other client of the same workers. The buffering happens inside Rack's parser, before application code sees the field, so validation in the application runs only after the allocation has already occurred.

Reproduction

To reproduce, send a `multipart/form-data` request containing a single large non-file text field (a part without a `filename` in its Content-Disposition) of hundreds of megabytes or more to an endpoint that parses multipart bodies. `Rack::Multipart::Parser` buffers the whole field in memory, so the resident memory of the worker handling the request grows by roughly the size of the field; sending several such requests concurrently multiplies the effect across workers. Any tool that can shape an HTTP request body will do, such as curl or a short Ruby script; watch the worker's RSS (for example with `ps`) while the request is in flight to confirm the growth.
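The mechanism described in the Vulnerability and Reproduction sections, as an added example that is not part of the advisory and not Rack's own code: a simplified streaming multipart scanner that caps text fields while letting file parts stream through, the same shape of fix the patched releases apply. `BoundedMultipartScanner`, `build_multipart`, the boundary `XBOUND` and the sample bodies are all constructed here for illustration; the 1 MiB default cap is an arbitrary choice for the example, not Rack's value.

```ruby
require "stringio"
# Streaming multipart/form-data scanner: text (non-file) fields must be
# buffered to be usable, so each one gets a byte cap enforced while the body
# streams; file parts are only counted (a server would spool them to disk).
# Simplified model written for this page, not Rack's own parser.
class BoundedMultipartScanner
  class FieldTooLarge < StandardError; end
  class Malformed < StandardError; end
  def initialize(boundary, max_field_bytes: 1024 * 1024, chunk_size: 64 * 1024)
    @first = "--#{boundary}".b       # opening delimiter has no leading CRLF
    @delimiter = "\r\n#{@first}".b   # every later delimiter does
    @max_field_bytes = max_field_bytes
    @chunk_size = chunk_size
  end

  # Returns { fields: { name => String }, files: { name => byte_count } }. Raises
  # FieldTooLarge as soon as a text field passes the cap, before the rest of the
  # body has been read, let alone kept in memory.
  def scan(io)
    fields, files, buf = {}, {}, "".b
    until (idx = buf.index(@first))                # skip the preamble
      fill(io, buf) or raise Malformed, "no opening boundary"
    end
    buf = buf[idx + @first.bytesize..]
    loop do
      # After a delimiter: "--" closes the body, CRLF opens the next part.
      fill(io, buf) or raise(Malformed, "truncated body") until buf.bytesize >= 2
      break if buf.start_with?("--".b)
      raise Malformed, "bad delimiter" unless buf.start_with?("\r\n".b)
      buf = buf[2..]
      until (hend = buf.index("\r\n\r\n".b))         # headers end at a blank line
        fill(io, buf) or raise Malformed, "truncated headers"
      end
      name, filename = parse_disposition(buf[0...hend])
      buf = buf[hend + 4..]
      size = 0
      value = filename ? nil : "".b                # only text fields are buffered
      take = lambda do |data|
        size += data.bytesize
        next unless value
        raise FieldTooLarge, "field #{name.inspect} exceeds #{@max_field_bytes} bytes" if size > @max_field_bytes
        value << data
      end
      # The part body runs to the next CRLF + "--boundary". Bytes that cannot
      # start a delimiter are handed over at once; only delimiter.bytesize - 1
      # bytes are held back across chunk reads, so memory stays O(chunk).
      loop do
        if (bend = buf.index(@delimiter))
          take.call(buf[0...bend])
          buf = buf[bend + @delimiter.bytesize..]
          break
        end
        safe = buf.bytesize - (@delimiter.bytesize - 1)
        if safe > 0
          take.call(buf[0...safe])
          buf = buf[safe..]
        end
        fill(io, buf) or raise Malformed, "unterminated part"
      end
      value ? (fields[name] = value.force_encoding(Encoding::UTF_8)) : (files[name] = size)
    end
    { fields: fields, files: files }
  end

  private

  # Appends one chunk to buf; nil at EOF.
  def fill(io, buf)
    (chunk = io.read(@chunk_size)) && buf << chunk
  end

  def parse_disposition(headers)
    line = headers.split("\r\n".b).find { |h| h.downcase.start_with?("content-disposition:") }
    raise Malformed, "part without Content-Disposition" unless line
    [line[/\bname="([^"]*)"/, 1], line[/\bfilename="([^"]*)"/, 1]]
  end
end

# Constructed sample bodies (not captured traffic); parts with :filename are
# file uploads, the rest are plain text fields.
def build_multipart(boundary, parts)
  body = "".b
  parts.each do |part|
    disposition = "Content-Disposition: form-data; name=\"#{part[:name]}\""
    disposition << "; filename=\"#{part[:filename]}\"" if part[:filename]
    body << "--#{boundary}\r\n".b << disposition.b << "\r\n".b
    body << "Content-Type: #{part[:type]}\r\n".b if part[:type]
    body << "\r\n".b << part[:data].b << "\r\n".b
  end
  body << "--#{boundary}--\r\n".b
end

if __FILE__ == $PROGRAM_NAME
  flood = build_multipart("XBOUND", [{ name: "comment", data: "B" * (3 * 1024 * 1024) }])
  begin
    BoundedMultipartScanner.new("XBOUND").scan(StringIO.new(flood))
  rescue BoundedMultipartScanner::FieldTooLarge => e
    puts "rejected: #{e.message}"
  end
end
```

Run as a script, the 3 MiB text field is rejected after roughly the first mebibyte has been read, whereas a parser without the cap would hold all 3 MiB (and, with many concurrent requests, many such copies) before the application ever sees the field. Against a live server the same request shape can be produced with curl's `-F 'comment=<bigfield.txt'` form, where the `<` prefix sends the file's contents as a plain text field rather than as a file upload.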

Remediation

Upgrade to Rack 2.2.19, 3.1.17 or 3.2.2, whichever matches the branch in use; these releases cap the size of non-file fields in multipart requests. Where upgrading is not immediately possible, restrict the maximum request body size in front of the application (in Nginx, `client_max_body_size`), and have the application validate and reject unusually large form fields. Both workarounds have limits: a body-size cap has to stay above the largest legitimate upload the service accepts, so it only bounds the attack at that size rather than removing it, and application-level validation runs after Rack has already buffered the field, so it protects later processing but not the parse itself. The per-field cap in the fixed releases limits text fields independently of file uploads, which is why the upgrade is the proper fix.
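One way to apply the body-size workaround inside the application rather than only at the proxy, as an added example that is not code from the advisory or from Rack: a middleware that follows the Rack `call(env)` interface without requiring the rack gem. It rejects requests whose declared Content-Length exceeds the cap before reading anything, and otherwise wraps `rack.input` so that whatever reads the body downstream cannot pull more than the cap, which also covers chunked requests that declare no length. `BodySizeLimit`, `LimitedInput`, `SLURP_APP`, `build_env` and `status_for` are names made up for this example, and the constructed env hashes stand in for a real server.

```ruby
require "stringio"
# Request-body cap as a plain-Ruby Rack middleware (the rack gem is not needed
# to run this file; env and response follow the Rack interface). It does in the
# app what client_max_body_size does at the proxy, for deployments that cannot
# upgrade yet: reject outright on an oversized Content-Length, otherwise wrap
# rack.input so nothing downstream can pull more than the cap.
class BodySizeLimit
  class TooLarge < StandardError; end

  # Minimal rack.input-compatible reader (read/gets/rewind; each omitted for
  # brevity) that aborts once more than `limit` bytes have been handed out.
  class LimitedInput
    def initialize(io, limit)
      @io, @limit, @seen = io, limit, 0
    end

    def read(length = nil, outbuf = nil)
      # Never pull more than one byte past what the cap allows, so an
      # oversized body is rejected without first being materialized.
      budget = @limit - @seen + 1
      data = @io.read(length ? [length, budget].min : budget)
      data = "".b if data.nil? && length.nil?   # read() returns "" at EOF
      account(data)
      return data if outbuf.nil? || data.nil?
      outbuf.replace(data)
    end

    def gets
      line = @io.gets(@limit - @seen + 1)       # bounded, like read
      account(line)
      line
    end

    def rewind
      @io.rewind
      @seen = 0
    end

    private

    def account(data)
      return if data.nil?
      @seen += data.bytesize
      raise TooLarge, "request body exceeds #{@limit} bytes" if @seen > @limit
    end
  end

  def initialize(app, max_bytes:)
    @app, @max_bytes = app, max_bytes
  end

  def call(env)
    declared = env["CONTENT_LENGTH"].to_s
    return too_large if !declared.empty? && declared.to_i > @max_bytes
    env["rack.input"] = LimitedInput.new(env["rack.input"], @max_bytes)
    @app.call(env)
  rescue TooLarge
    too_large
  end

  private

  def too_large
    body = "Payload Too Large\n"
    [413, { "content-type" => "text/plain", "content-length" => body.bytesize.to_s }, [body]]
  end
end

# Constructed sample app and env (no real server). The app slurps the body,
# which is what an unbounded multipart parse does with a large text field.
SLURP_APP = lambda do |env|
  bytes = env["rack.input"].read.bytesize
  [200, { "content-type" => "text/plain" }, ["read #{bytes} bytes\n"]]
end

def build_env(body, content_length: body.bytesize)
  { "REQUEST_METHOD" => "POST",
    "CONTENT_TYPE" => "multipart/form-data; boundary=XBOUND",
    "CONTENT_LENGTH" => content_length&.to_s,
    "rack.input" => StringIO.new(body) }
end

# Response status for `body` behind a `max_bytes` cap; content_length: nil
# models a chunked request that declares no length.
def status_for(body, max_bytes:, content_length: body.bytesize)
  app = BodySizeLimit.new(SLURP_APP, max_bytes: max_bytes)
  app.call(build_env(body, content_length: content_length)).first
end

if __FILE__ == $PROGRAM_NAME
  one_mb = 1024 * 1024
  puts status_for("x" * 1000, max_bytes: one_mb)                              # 200
  puts status_for("x" * 10, max_bytes: one_mb, content_length: 5 * one_mb)     # 413
  puts status_for("x" * (3 * one_mb), max_bytes: one_mb, content_length: nil)  # 413
end
```

Mount it as the outermost middleware so it runs before anything that touches `params`. The cap is per request, so it has to be at least as large as the biggest legitimate upload, which is the same trade-off as a proxy-side limit; it stops the unbounded case but does not distinguish a large text field from a large file the way the per-field cap in the fixed Rack releases does.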

Added: Oct 7, 2025, 3:20 PM
Updated: Oct 7, 2025, 3:20 PM

Vulnerability Rating

Custom Algorithm
spread: 7.3
impact: 2.5
exploitability: 9.1
remediation: 8.3
relevance: 0.7
threat: 4.8
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.