Rack
cpe:2.3:a:rack:rack:*:*:*:*:ruby:*:*
Affected versions:
- >= 3.0, < 3.1.21
- >= 3.2, < 3.2.6
A denial-of-service vulnerability has been identified in Rack, a Ruby web server interface, affecting versions 3.0.0.beta1 prior to 3.1.21, and 3.2.0 prior to 3.2.6. The issue arises in the `Rack::Multipart::Parser#handle_mime_head` method, which processes quoted multipart parameters by using repeated string searches and prefix deletion. This approach can lead to super-linear processing, especially with escape-heavy quoted values. An unauthenticated attacker can exploit this by sending a multipart/form-data request with numerous parts containing long backslash-escaped parameter values, causing excessive CPU usage during parsing. This vulnerability impacts Rack applications that handle multipart form data, such as file uploads and standard HTML form processing.
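The description above locates the cost in how quoted parameter values are decoded: each backslash escape triggers another search and another prefix deletion, so the work grows faster than the input. The following is an added illustration (it is not Rack's code, nor the actual patch shipped in 3.1.21 / 3.2.6) of the linear-time alternative: a single forward pass over a Content-Disposition header using Ruby's standard-library `StringScanner`, which advances a position instead of copying the remaining string. The function names `scan_quoted_string` and `parse_disposition_params` and the sample headers are constructed for this example.

```ruby
require "strscan"

# Decodes an RFC 2045-style quoted-string starting at the scanner's current
# position, which must be the opening quote. Advances past the closing quote.
# Returns the decoded value, or nil if the quoted string is unterminated.
# Every character is visited once: literal runs are consumed in one scan,
# and an escape consumes exactly the backslash plus one following character.
def scan_quoted_string(sc)
  return nil unless sc.skip(/"/)
  out = +""
  loop do
    out << sc.scan(/[^"\\]*/)     # run of ordinary characters (may be empty)
    if sc.skip(/\\/)
      ch = sc.getch                # the escaped character
      return nil if ch.nil?        # lone backslash at end of input
      out << ch
    elsif sc.skip(/"/)
      return out                   # closing quote reached
    else
      return nil                   # input ended without a closing quote
    end
  end
end

# Parses the parameters of a Content-Disposition header such as
#   form-data; name="field"; filename="a.txt"
# into a Hash keyed by lower-cased parameter name. Malformed input stops
# parsing and returns whatever was parsed so far (here: an empty Hash for
# an unterminated quoted value).
def parse_disposition_params(header)
  sc = StringScanner.new(header)
  sc.skip(/[^;]*/)                 # disposition type, e.g. "form-data"
  params = {}
  while sc.skip(/\s*;\s*/)
    key = sc.scan(/[A-Za-z0-9_*\-]+/)
    break unless key && sc.skip(/\s*=\s*/)
    value = if sc.peek(1) == '"'
              scan_quoted_string(sc)
            else
              sc.scan(/[^;]*/).to_s.strip   # unquoted token value
            end
    break if value.nil?
    params[key.downcase] = value
  end
  params
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample header: name="a\"b\\c" decodes to a"b\c
  header = "form-data; name=\"a\\\"b\\\\c\"; filename=\"x.txt\""
  p parse_disposition_params(header)
end
```

The property that matters for the advisory is that decoding cost is proportional to the header length no matter how many escapes it contains; a value consisting of thousands of `\x` pairs is handled in one pass with one output buffer, with no repeated searches or substring copies.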
Exploitation of this vulnerability leads to excessive CPU consumption during multipart request parsing, causing a denial-of-service condition. This can disrupt application performance by tying up workers, reducing throughput, and degrading service availability.
To reproduce this vulnerability, send a multipart/form-data request containing a high number of parts, each with long quoted 'name' parameters that include dense backslash-escaped values. Under default Rack limits, a request can have up to 4095 parts. The parser will handle these escape-heavy values in a super-linear manner, causing significant CPU load while staying within normal size and part-count limits.
Users are advised to update Rack to version 3.1.21 or 3.2.6, both of which address the vulnerability by improving the parsing of quoted multipart parameters. Additionally, consider applying request throttling or rate limiting on multipart upload endpoints, and restrict or isolate multipart parsing on untrusted high-volume endpoints where feasible.
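The mitigations above (upgrade first; then throttle multipart endpoints and keep multipart parsing away from untrusted high-volume routes) can be partly enforced before the body ever reaches the parser. The following is an added example, not code from Rack or from this advisory, of a Rack-compatible middleware that refuses multipart/form-data on any path not explicitly allowed and caps the declared body size on the paths that are. The class name `MultipartGuard`, the per-path byte limits, and the `status_for` helper with its request environments are all constructed for this example; it does not require the rack gem.

```ruby
# Rack-compatible middleware (added example, not Rack's own code) that
# confines multipart/form-data handling to an allowlist of upload paths and
# bounds the declared body size on them. Other requests pass straight through.
class MultipartGuard
  MULTIPART = %r{\Amultipart/form-data}i

  # allowed: { "/upload" => 20 * 1024 * 1024 }   (path => max body bytes)
  def initialize(app, allowed:)
    @app = app
    @allowed = allowed
  end

  def call(env)
    ctype = env["CONTENT_TYPE"].to_s
    return @app.call(env) unless ctype.match?(MULTIPART)

    limit = @allowed[env["PATH_INFO"]]
    return respond(415, "multipart bodies are not accepted on this path") if limit.nil?

    length = env["CONTENT_LENGTH"]
    # Without a declared length the parse cannot be budgeted up front, so refuse
    # (chunked multipart uploads would need a streaming byte counter instead).
    return respond(411, "Content-Length is required for multipart uploads") if length.nil?
    return respond(413, "multipart body exceeds #{limit} bytes") if length.to_i > limit

    @app.call(env)
  end

  private

  def respond(status, message)
    body = "#{message}\n"
    [status,
     { "content-type" => "text/plain", "content-length" => body.bytesize.to_s },
     [body]]
  end
end

# Constructed application and request environments for a local check.
def guarded_app
  inner = ->(_env) { [200, { "content-type" => "text/plain" }, ["ok\n"]] }
  MultipartGuard.new(inner, allowed: { "/upload" => 1024 })
end

def status_for(path, ctype, length)
  env = { "REQUEST_METHOD" => "POST", "PATH_INFO" => path,
          "CONTENT_TYPE" => ctype, "CONTENT_LENGTH" => length }
  guarded_app.call(env)[0]
end

if __FILE__ == $PROGRAM_NAME
  puts status_for("/upload", "multipart/form-data; boundary=b", "512")
  puts status_for("/login",  "multipart/form-data; boundary=b", "512")
end
```

This guard only bounds how much multipart input reaches the parser and on which routes; Rack's own part-count limit still governs what the parser accepts, and the byte cap must be set per endpoint from the largest legitimate upload rather than a global default.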