Rack Multipart Parsing Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in Rack, a Ruby web server interface, in versions prior to 2.2.23, 3.1.21, and 3.2.6. The issue arises in `Rack::Multipart::Parser`, which wraps the request body in a `BoundedIO` only when the `CONTENT_LENGTH` header is present. Without this header, as with HTTP chunked transfer encoding, the parser reads the multipart body until the end of the stream with no size limit. This allows an unauthenticated attacker to upload large files through multipart form data directly to temporary files on disk, bypassing the in-memory upload limit. The result is unbounded disk usage, potentially leading to application failures or service disruptions.

Impact

Exploitation of this vulnerability allows for unbounded disk space consumption, causing denial-of-service conditions in Rack applications that handle multipart form data. The lack of a total upload limit can lead to request failures, application instability, or broader service disruptions if the host runs out of storage.

Reproduction

To reproduce this vulnerability, send a `multipart/form-data` request without a `Content-Length` header, using HTTP chunked transfer encoding. The `Rack::Multipart::Parser` will process the upload without size restrictions, streaming the data directly to a temporary file on disk. Continue the upload to exhaust available storage on the server.

Remediation

Users can update to Rack versions 2.2.23, 3.1.21, or 3.2.6, which include the patch for this vulnerability. Additionally, request body size limits can be enforced at the reverse proxy or application server level, and temporary upload storage should be isolated and monitored for disk usage on multipart endpoints.
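As an added example that is not part of this advisory or of the Rack project, the following middleware enforces the application-level body limit described above: it bounds how many bytes the multipart parser can pull from `rack.input` whether or not `CONTENT_LENGTH` is present, so a chunked upload cannot stream to disk indefinitely. The class name, the 10 MiB default and the 413 response are assumptions.

```ruby
# Added example, not code from the Rack project: a middleware that caps how many
# bytes a downstream multipart parser can read from rack.input even when
# CONTENT_LENGTH is absent (chunked uploads). The 10 MiB default is an assumption.
class MultipartBodyLimit
  class TooLarge < StandardError; end

  # Wraps rack.input and counts every byte handed to the parser; passing the
  # limit raises TooLarge instead of letting the read run to end of stream.
  class LimitedInput
    def initialize(io, limit)
      @io, @limit, @read = io, limit, 0
    end

    def read(length = nil, outbuf = nil)
      account(outbuf ? @io.read(length, outbuf) : @io.read(length))
    end

    def gets(*args)
      account(@io.gets(*args))
    end

    def rewind
      @io.rewind
      @read = 0
    end

    private
    def account(data)
      return data if data.nil?
      @read += data.bytesize
      raise TooLarge if @read > @limit
      data
    end
  end

  def initialize(app, limit: 10 * 1024 * 1024)
    @app, @limit = app, limit
  end

  def call(env)
    return @app.call(env) unless env['CONTENT_TYPE'].to_s.start_with?('multipart/')
    # A declared length over the limit is rejected before any body is read.
    return too_large if env['CONTENT_LENGTH'] && env['CONTENT_LENGTH'].to_i > @limit
    env['rack.input'] = LimitedInput.new(env['rack.input'], @limit)
    @app.call(env)
  rescue TooLarge
    too_large
  end

  def too_large; [413, { 'content-type' => 'text/plain' }, ['Payload too large']]; end
end
```

Mount it with `use MultipartBodyLimit, limit: 10 * 1024 * 1024` in `config.ru`, ahead of anything that parses the body; proxy-level limits (for example in nginx) remain a useful second layer.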

Added: May 3, 2026, 11:21 AM
Updated: May 3, 2026, 11:21 AM

Vulnerability Rating

Custom Algorithm

| Category | Score |
|---|---|
| spread | 7.3 |
| impact | 2.5 |
| exploitability | 8.5 |
| remediation | 7.9 |
| relevance | 5.2 |
| threat | 1.6 |
| urgency | 2.9 |
| incentive | 8.3 |

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.