Rack Unbounded Header Buffering Vulnerability in Multipart Parser Allows Denial-of-Service

Vulnerability

A denial-of-service vulnerability has been identified in the Rack library, specifically within the `Rack::Multipart::Parser` component. This issue is present in versions prior to 2.2.19, 3.1.17, and 3.2.2. The vulnerability arises because the parser can accumulate an unlimited amount of data when a multipart part's header block never ends with the blank line that terminates it. As a result, the parser keeps appending incoming bytes to an in-memory buffer with no size limit. This flaw enables remote attackers to exhaust memory, causing process termination or severe slowdowns. The impact scales with the configured request size limit and the level of concurrency, and it affects all applications that handle multipart uploads.

Impact

Exploitation of this vulnerability leads to high memory usage, causing processes to terminate due to out-of-memory conditions or to slow down severely. This vulnerability's effects can be exacerbated by concurrent requests and larger-than-usual multipart data.

Reproduction

To reproduce this vulnerability, send a multipart request with incomplete headers that do not terminate properly. The `Rack::Multipart::Parser` will continue to buffer the data in memory, potentially leading to high memory consumption and process termination.

Remediation

Upgrade to Rack version 2.2.19, 3.1.17, or 3.2.2, which include the patch for this vulnerability. If an immediate upgrade is not possible, restrict the maximum request size at the proxy or web server level, for example with the `client_max_body_size` directive in Nginx, so that an attacker cannot stream an unbounded header block into the parser.
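The following added example (not Rack's code, and not the project's patch) illustrates the failure mode described in the Vulnerability and Reproduction sections and the kind of bound the remediation relies on: a minimal part-header reader that caps how many bytes it will buffer while waiting for the blank line ending a header block, rejecting the request instead of growing without limit. The function and class names and the sample inputs are hypothetical and constructed for this illustration.

```ruby
require 'stringio'

class HeaderBlockTooLarge < StandardError; end
class TruncatedHeaderBlock < StandardError; end

# Reads one multipart part's header block from +io+ in chunks and returns
# [headers_hash, leftover_bytes_after_the_blank_line].
# Raises HeaderBlockTooLarge once more than +max_bytes+ are buffered without
# seeing "\r\n\r\n", which is the bound an unbounded parser lacks.
def read_part_headers(io, max_bytes: 8 * 1024, chunk_size: 1024)
  buf = +""
  loop do
    terminator = buf.index("\r\n\r\n")
    if terminator
      # Everything after the blank line belongs to the part body.
      return [parse_headers(buf[0...terminator]), buf[(terminator + 4)..]]
    end
    raise HeaderBlockTooLarge, "header block exceeded #{max_bytes} bytes" if buf.bytesize > max_bytes
    chunk = io.read(chunk_size)
    raise TruncatedHeaderBlock, "input ended before the blank line" if chunk.nil?
    buf << chunk
  end
end

# Splits "Name: value" lines into a Hash keyed by downcased header name.
def parse_headers(text)
  text.split("\r\n").each_with_object({}) do |line, h|
    name, value = line.split(":", 2)
    h[name.strip.downcase] = value.strip unless value.nil?
  end
end

# Constructed input: a well-formed part header followed by a body.
WELL_FORMED = "Content-Disposition: form-data; name=\"f\"\r\nContent-Type: text/plain\r\n\r\nhello"

# Constructed input: header lines that keep coming and never reach a blank line,
# the shape of the malformed request the advisory describes.
class EndlessHeaderIO
  def initialize; @line = "X-Filler: #{'a' * 60}\r\n"; end
  def read(n); (@line * (n / @line.bytesize + 1))[0, n]; end  # never returns nil
end

def demo
  headers, body = read_part_headers(StringIO.new(WELL_FORMED))
  bounded = begin
    read_part_headers(EndlessHeaderIO.new, max_bytes: 4096)
    false
  rescue HeaderBlockTooLarge
    true
  end
  { well_formed_ok: headers["content-type"] == "text/plain" && body == "hello",
    unbounded_rejected: bounded }
end
```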

Added: Oct 7, 2025, 3:18 PM
Updated: Oct 7, 2025, 3:18 PM

Vulnerability Rating

Custom Algorithm
spread: 7.3
impact: 2.5
exploitability: 9.1
remediation: 7.9
relevance: 0.7
threat: 4.8
urgency: 2.9
incentive: 10.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.