Rack Denial-of-Service Vulnerability via Wildcard Accept-Encoding Header

Vulnerability

A denial-of-service vulnerability has been identified in Rack, a Ruby web server interface, in versions prior to 2.2.23, 3.0.0 through 3.1.21, and 3.2.0 through 3.2.6. The issue arises in the `Rack::Utils.select_best_encoding` method, which processes `Accept-Encoding` headers with quadratic time complexity when many wildcard entries are present. This method is used by `Rack::Deflater` to select response encodings. An unauthenticated attacker can exploit this by sending a request with a crafted `Accept-Encoding` header, causing excessive CPU usage on the compression middleware path. This leads to a denial-of-service condition for applications using `Rack::Deflater`.

Impact

Exploitation of this vulnerability causes excessive CPU consumption, leading to a denial-of-service condition. This can disrupt application performance and availability, particularly under repeated attack.

Reproduction

To reproduce this vulnerability, send a request with an `Accept-Encoding` header that includes a large number of wildcard entries, approximately 1,000 `*;q=0.5` entries in an 8 KB header. This will trigger the vulnerable `select_best_encoding` method in `Rack::Deflater`, causing significant CPU time consumption compared to a normal header.

Remediation

Users should update to Rack versions 2.2.23, 3.1.21, or 3.2.6, where this vulnerability has been patched. It is also advisable to avoid enabling `Rack::Deflater` on untrusted traffic and to apply request filtering or header size restrictions at the reverse proxy or application boundary to limit problematic `Accept-Encoding` values.
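The header filtering suggested above can also be done at the application boundary, in front of `Rack::Deflater`. The following middleware is an added example written for this page, not code from Rack or from the advisory; the limits (256 bytes, 16 entries) and the class name `AcceptEncodingGuard` are assumptions chosen for illustration. It counts commas rather than parsing the header, so the check itself is linear in the header length, and by default it simply drops an oversized or entry-heavy `Accept-Encoding` header so the response is sent uncompressed instead of reaching the quadratic selection path.

```ruby
# Added example (not Rack's own code): a Rack middleware that keeps oversized
# or entry-heavy Accept-Encoding headers away from Rack::Deflater.
# Mount it before Rack::Deflater in config.ru:
#   use AcceptEncodingGuard, max_entries: 16      # strips the header
#   use AcceptEncodingGuard, on_violation: :reject # answers 400 instead
#   use Rack::Deflater
class AcceptEncodingGuard
  # Hypothetical defaults: a legitimate browser header such as
  # "gzip, deflate, br" is a few tokens and well under 100 bytes.
  MAX_HEADER_BYTES = 256
  MAX_ENTRIES = 16

  def initialize(app, max_bytes: MAX_HEADER_BYTES, max_entries: MAX_ENTRIES,
                 on_violation: :strip)
    raise ArgumentError, 'on_violation must be :strip or :reject' unless
      %i[strip reject].include?(on_violation)
    @app = app
    @max_bytes = max_bytes
    @max_entries = max_entries
    @on_violation = on_violation
  end

  def call(env)
    header = env['HTTP_ACCEPT_ENCODING']
    if header && self.class.suspicious?(header, max_bytes: @max_bytes,
                                                max_entries: @max_entries)
      if @on_violation == :reject
        return [400, { 'content-type' => 'text/plain' },
                ["Bad Accept-Encoding header\n"]]
      end
      # Strip mode: downstream sees no Accept-Encoding header at all, so
      # Rack::Deflater never runs select_best_encoding and sends identity.
      env.delete('HTTP_ACCEPT_ENCODING')
    end
    @app.call(env)
  end

  # True when the header is larger than max_bytes or lists more than
  # max_entries comma-separated encodings. String#bytesize and String#count
  # are both linear scans, so the guard cannot be turned into a new hot spot.
  def self.suspicious?(header, max_bytes: MAX_HEADER_BYTES,
                       max_entries: MAX_ENTRIES)
    return true if header.bytesize > max_bytes

    header.count(',') + 1 > max_entries
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs: one ordinary header and one packed with
  # wildcard entries, as described in the advisory's reproduction section.
  normal = 'gzip, deflate, br'
  packed = Array.new(1000, '*;q=0.5').join(', ')
  puts "normal header suspicious? #{AcceptEncodingGuard.suspicious?(normal)}"
  puts "packed header suspicious? #{AcceptEncodingGuard.suspicious?(packed)}"
end
```

In strip mode the client still gets a valid response, just without compression, which is usually preferable to a 400 for a header that some proxies legitimately rewrite; use `:reject` when the boundary is meant to refuse malformed input outright. Counting commas slightly over-estimates entries for headers with quoted commas, but `Accept-Encoding` values never legitimately contain them.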

Added: Apr 2, 2026, 7:30 PM
Updated: Apr 2, 2026, 7:30 PM

Vulnerability Rating

Custom Algorithm
spread: 7.3
impact: 2.5
exploitability: 8.5
remediation: 7.9
relevance: 5.1
threat: 1.6
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.