Rack Content-Length Mismatch Vulnerability in Rack::Files Error Responses

Vulnerability

A vulnerability exists in Rack, a Ruby web server interface, in versions prior to 2.2.23, 3.1.21, and 3.2.6. The issue arises in the Rack::Files component, where the Content-Length response header is set using String#size (which counts characters) instead of String#bytesize (which counts bytes). The two differ whenever the response body contains multibyte UTF-8 characters, so the header no longer describes the body actually written to the socket and HTTP response framing becomes incorrect. An attacker can trigger this by requesting a non-existent path containing percent-encoded UTF-8 characters: the decoded path is echoed into the error body, and the declared Content-Length underestimates the number of bytes sent. This mismatch may disrupt response synchronization in environments that depend on an accurate Content-Length value.

Impact

The vulnerability can cause applications using Rack::Files to send improperly framed error responses for requests involving non-existent paths with multibyte characters. This misframing can lead to response parsing errors or desynchronization, especially in scenarios with keep-alive connections and intermediaries that rely on Content-Length. Even in the absence of secondary exploitation, the malformed response may trigger protocol errors in strict components.

Remediation

Users are advised to update to Rack versions 2.2.23, 3.1.21, or 3.2.6, which correctly calculate the Content-Length using String#bytesize. If an immediate update is not possible, consider avoiding direct exposure of Rack::Files to untrusted traffic, and where feasible, place Rack behind a proxy or server that can normalize or reject malformed responses. Additionally, prefer to close backend connections on error paths if there are concerns about response framing.
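The following Ruby snippet is an added illustration of the character-count versus byte-count defect described above and of the String#bytesize fix; it is not Rack's own code. The helper names (percent_decode, not_found_body, not_found_response, framing_mismatch) are hypothetical, the "File not found: <path>" body format is a constructed stand-in for whatever text Rack::Files actually emits (that text is not on this page), and the sample request path is constructed. framing_mismatch doubles as a check a test suite or proxy-side validator could apply to any Rack response triple: a positive value means the body overruns the declared length.

```ruby
# Added example (not Rack's own code): models how a Rack::Files-style 404 body
# that echoes the requested path gets a wrong Content-Length when the header is
# computed with String#size (characters) instead of String#bytesize (bytes).
# percent_decode, not_found_body, not_found_response and framing_mismatch are
# hypothetical helpers written for this illustration.

# Decode %XX escapes in a request path into a UTF-8 string.
# (Stand-in for Rack::Utils.unescape_path; only %XX sequences are handled.)
def percent_decode(path)
  raw = path.b.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
  raw.force_encoding(Encoding::UTF_8)
end

# Error body; the decoded request path is interpolated, so multibyte
# characters supplied by the client end up in the response body.
# (Constructed format, not the exact text Rack::Files produces.)
def not_found_body(path)
  "File not found: #{path}\n"
end

# Build a Rack-style [status, headers, body] triple.
# use_bytesize: false reproduces the defective behaviour (the header counts
# characters); use_bytesize: true is the corrected behaviour (counts bytes).
def not_found_response(path_info, use_bytesize:)
  body = not_found_body(percent_decode(path_info))
  length = use_bytesize ? body.bytesize : body.size
  [404,
   { "content-type" => "text/plain", "content-length" => length.to_s },
   [body]]
end

# Bytes actually written for the body minus bytes promised by Content-Length.
# 0 means the response is framed correctly; > 0 means the body overruns the
# declared length, which is the misframing this advisory describes.
def framing_mismatch(response)
  _status, headers, body = response
  sent = body.sum(&:bytesize)
  sent - Integer(headers["content-length"])
end

if __FILE__ == $0
  # Constructed sample request: the path "/été" percent-encoded as UTF-8
  # (4 characters, 6 bytes).
  path = "/%C3%A9t%C3%A9"
  [false, true].each do |fixed|
    resp = not_found_response(path, use_bytesize: fixed)
    puts "#{fixed ? 'bytesize' : 'size    '}: content-length=#{resp[1]['content-length']} " \
         "actual=#{resp[2].sum(&:bytesize)} mismatch=#{framing_mismatch(resp)}"
  end
end
```

For the constructed path the defective header declares 21 bytes while 23 are written, a 2-byte overrun; an all-ASCII path such as /missing shows no mismatch in either mode, which is why the bug is easy to miss in tests that never exercise non-ASCII input.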

Added: Apr 2, 2026, 7:23 PM
Updated: Apr 2, 2026, 7:23 PM

Vulnerability Rating

Custom Algorithm

spread          7.3
impact          2.5
exploitability  7.5
remediation     7.9
relevance       5.1
threat          0.0
urgency         2.9
incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.