Rack
cpe:2.3:a:rack:rack:*:*:*:*:ruby:*:*
- >= 3.2, < 3.2.6
A vulnerability exists in Rack, a Ruby web server interface, in versions 3.2.0 prior to 3.2.6. The issue arises in Rack::Multipart::Parser, which unfolds folded multipart part headers incorrectly: the embedded carriage return and line feed (CRLF) characters are preserved in the parsed parameter values, such as names and filenames. When those values are reused in HTTP response headers, the preserved CRLF can lead to header injection or response splitting. An attacker can trigger this by placing folded line breaks in multipart parameters, potentially causing cache poisoning or other response parsing issues.
Exploitation of this vulnerability could result in header injection or response splitting, allowing for manipulation of HTTP response headers and potentially causing related response parsing issues or cache poisoning.
Users are advised to update to Rack version 3.2.6 or later, which addresses the vulnerability by correctly removing CRLF characters when unfolding folded multipart header values. Additionally, avoid directly copying multipart upload metadata, such as filenames, into HTTP response headers without proper sanitization. Where possible, normalize uploaded filenames before storing or reflecting them.
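The following Ruby example, added here and not taken from Rack, shows the two halves of the problem described above: a header unfolder whose `fixed: false` branch reproduces the defective behaviour (CRLF kept inside the parsed filename) next to the correct unfolding, and a normalization step plus final check for any filename that is about to be reflected into a response header. The sample part headers, the function names and the `filename=` regex are assumptions constructed for the example.

```ruby
# Added example, not Rack's own code: unfold a multipart part's header block,
# show how the defective variant keeps CRLF inside parameter values, and
# normalize the filename before it is reflected into a response header.

# Constructed sample: a Content-Disposition header folded (obs-fold, RFC 5322
# section 2.2.3) over three lines, with one fold inside the quoted filename.
RAW_PART_HEADERS =
  "Content-Disposition: form-data; name=\"file\";\r\n" \
  " filename=\"quarterly\r\n report.pdf\"\r\n" \
  "Content-Type: application/pdf\r\n"

# A continuation line starts with SP or HTAB. Correct unfolding drops the CRLF
# and keeps the whitespace; the variant selected by fixed: false reproduces the
# advisory's bug by gluing the pieces back together with the CRLF intact.
def parse_part_headers(raw, fixed: true)
  lines = []
  raw.split("\r\n").each do |line|
    if line.start_with?(" ", "\t") && !lines.empty?
      lines[-1] << (fixed ? "" : "\r\n") << line
    else
      lines << line
    end
  end
  lines.to_h do |header|
    name, value = header.split(":", 2)
    [name.downcase, value.to_s.strip]
  end
end

# Pull the quoted filename parameter out of the parsed Content-Disposition.
def filename_from(headers)
  md = headers["content-disposition"].to_s.match(/filename="([^"]*)"/)
  md && md[1]
end

# Defence in depth for upload metadata copied into a response header: replace
# runs of control characters (CR and LF included) with a single space, drop
# directory components, then trim and cap the length.
def normalize_filename(name, max_len: 255)
  cleaned = name.gsub(/[\x00-\x1f\x7f]+/, " ").gsub(/\s+/, " ")
  File.basename(cleaned).strip[0, max_len]
end

# Final gate before emission: a header value must contain no CR, LF or NUL.
def header_safe?(value)
  !value.match?(/[\r\n\x00]/)
end

if $PROGRAM_NAME == __FILE__
  buggy = filename_from(parse_part_headers(RAW_PART_HEADERS, fixed: false))
  puts "unfixed parser: #{buggy.inspect}, header-safe? #{header_safe?(buggy)}"
  puts "fixed parser:   #{filename_from(parse_part_headers(RAW_PART_HEADERS)).inspect}"
end
```

Even with the fixed parser, `header_safe?` is worth keeping as the last check on any value that is written into a response header, because the parser is not the only place a CRLF can enter.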