Rack
cpe:2.3:a:rack:rack:*:*:*:*:ruby:*:*, +3 more
- < 2.2.20
- >= 3.0, < 3.1.18
- >= 3.2, < 3.2.3
A denial-of-service vulnerability has been identified in Rack, a Ruby web server interface, prior to versions 2.2.20, 3.1.18, and 3.2.3. The issue arises because `Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded` without enforcing a length limit. This unbounded read can lead to memory exhaustion, as large request bodies are fully buffered into process memory before being parsed. The vulnerability can be exploited by sending large URL-encoded bodies, causing significant memory consumption and potentially leading to the process being terminated by the operating system.
Exploitation of this vulnerability causes memory exhaustion, leading to process slowdowns or termination by the operating system due to out-of-memory conditions. The impact scales with the size of the request and the level of concurrency.
The vulnerability can be reproduced by sending a POST request with a large `application/x-www-form-urlencoded` body to a Rack application that does not have an upstream body-size limit. This can be done using tools like curl or Postman, or by writing a script that sends such a request. After the request is sent, the application should be observed for signs of memory exhaustion or termination.
Users should upgrade to Rack versions 2.2.20, 3.1.18, or 3.2.3, all of which address the vulnerability by enforcing form parameter limits and preventing unbounded reads of URL-encoded bodies. Additionally, strict maximum body sizes should be enforced at the proxy or web server level, using directives like Nginx's `client_max_body_size` or Apache's `LimitRequestBody`.
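One way to apply such a limit inside the application as well, as an added example that is not Rack's own code: a middleware that rejects form-urlencoded bodies above a configured size before the downstream app (and `Rack::Request#POST`) buffers them. It relies only on standard Rack env keys; the 1 MiB default and the `form_post` helper are constructed for illustration.

```ruby
require "stringio"

# Added example, not Rack's own code: middleware that caps the size of
# application/x-www-form-urlencoded bodies before the downstream app
# (and Rack::Request#POST) buffers them into memory.
class FormBodyLimit
  DEFAULT_MAX_BYTES = 1024 * 1024 # 1 MiB; a constructed default, tune per app

  def initialize(app, max_bytes: DEFAULT_MAX_BYTES)
    @app = app
    @max_bytes = max_bytes
  end

  def call(env)
    return @app.call(env) unless form_urlencoded?(env)

    # Fast path: a declared Content-Length above the cap is rejected unread.
    return too_large if env["CONTENT_LENGTH"].to_i > @max_bytes

    # Content-Length may be absent or wrong, so read at most max_bytes + 1
    # bytes and reject if the stream holds more than allowed.
    body = env["rack.input"].read(@max_bytes + 1) || ""
    return too_large if body.bytesize > @max_bytes

    env["rack.input"] = StringIO.new(body) # hand the app a bounded body
    @app.call(env)
  end

  private

  def form_urlencoded?(env)
    env["CONTENT_TYPE"].to_s.downcase.start_with?("application/x-www-form-urlencoded")
  end

  def too_large
    [413, { "content-type" => "text/plain" }, ["Payload Too Large\n"]]
  end
end

# Helper: push a constructed request through the middleware with an echo app
# and return [status, response body] so the behaviour can be checked offline.
def form_post(body, max_bytes:, content_type: "application/x-www-form-urlencoded",
              content_length: body.bytesize)
  echo = ->(env) { [200, { "content-type" => "text/plain" }, [env["rack.input"].read]] }
  env = { "REQUEST_METHOD" => "POST", "CONTENT_TYPE" => content_type,
          "CONTENT_LENGTH" => content_length.to_s, "rack.input" => StringIO.new(body) }
  status, _headers, resp = FormBodyLimit.new(echo, max_bytes: max_bytes).call(env)
  [status, resp.join]
end
```

The bounded read matters because a client can omit or understate Content-Length; checking the header alone would not stop the unbounded buffering.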