CVE-2026-34230
Quadratic DoS Vulnerability in Rack::Deflater Compression Module
Publication date: 2026-04-02
Last updated on: 2026-04-16
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rack | rack | From 3.0.0 (inc) to 3.1.21 (exc) |
| rack | rack | From 3.2.0 (inc) to 3.2.6 (exc) |
| rack | rack | Up to 2.2.23 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-407 | An algorithm in a product has an inefficient worst-case computational complexity that may be detrimental to system performance and can be triggered by an attacker, typically using crafted manipulations that ensure that the worst case is being reached. |
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability described in CVE-2026-34230 causes a denial of service condition by allowing an unauthenticated attacker to cause excessive CPU consumption in applications using Rack::Deflater. However, it does not impact confidentiality or integrity of data.
Since the vulnerability affects availability only and does not lead to unauthorized access or data leakage, it does not directly affect compliance with data protection regulations such as GDPR or HIPAA, which primarily focus on confidentiality and integrity of personal or sensitive data.
Nevertheless, prolonged denial of service could indirectly affect compliance if it disrupts availability requirements mandated by certain standards, but no explicit compliance impact is detailed in the provided information.
Can you explain this vulnerability to me?
CVE-2026-34230 is a vulnerability in the Ruby Rack library, specifically in the method Rack::Utils.select_best_encoding, which is used by the Rack::Deflater middleware to select the best response encoding based on the Accept-Encoding HTTP header.
The vulnerability occurs when the Accept-Encoding header contains many wildcard (*) entries, causing the method to process these entries with quadratic time complexity. This happens because the method repeatedly rescans the parsed header for each wildcard entry, leading to excessive CPU consumption.
An unauthenticated attacker can exploit this by sending a single HTTP request with a crafted Accept-Encoding header containing many repeated wildcard entries, which causes disproportionate CPU usage on the compression middleware path, resulting in a denial of service condition for applications using Rack::Deflater.
How can this vulnerability impact me?
This vulnerability can impact you by causing a denial of service (DoS) condition in applications using Rack::Deflater middleware.
An attacker can send a single crafted HTTP request with many wildcard entries in the Accept-Encoding header, which leads to excessive CPU consumption due to the inefficient processing of these headers.
This high CPU usage can exhaust worker threads, reduce application availability, and degrade performance without requiring any special privileges or user interaction.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Exploitation attempts can be detected by monitoring for HTTP requests whose Accept-Encoding header is unusually large or contains many wildcard (*) entries; such requests cause disproportionate CPU consumption on systems running the Rack::Deflater middleware.
To detect potential exploitation attempts, inspect incoming HTTP requests for large Accept-Encoding headers with repeated wildcard entries:
- Use packet capture tools such as tcpdump or Wireshark to capture HTTP traffic and filter for Accept-Encoding headers carrying many `*` entries (packet capture only sees plaintext HTTP; TLS traffic has to be inspected where it is terminated).
- Example tcpdump command that captures HTTP payloads on port 80 and prints the Accept-Encoding headers: `tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -i 'Accept-Encoding'`
- Search web server or application logs for requests with large or suspicious Accept-Encoding headers, provided the log format records that header, e.g. `grep -i 'Accept-Encoding:.*\*' access.log`
Correlating CPU usage spikes with requests that carry large Accept-Encoding headers can also help identify exploitation attempts.
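As an added example that is not part of the advisory, the following Ruby script applies the same idea to an access log with less noise than a plain grep for `*`: legitimate clients occasionally send a single wildcard entry such as `identity;q=1, *;q=0`, so the script counts the entries and the wildcard entries per request and flags only requests that exceed a threshold. It assumes a JSON-lines log format that records the header under a constructed `accept_encoding` key (the default Apache and Nginx combined log formats do not record Accept-Encoding, so the field has to be added to the log format first). The log lines and the thresholds are constructed for the example.

```ruby
# Added example (not from the advisory): flag requests whose Accept-Encoding
# header carries an abnormal number of entries or wildcard ('*') entries.
# Assumes a JSON-lines access log that stores the header under the key
# "accept_encoding" (a constructed format; the default Apache/Nginx combined
# format does not log Accept-Encoding at all).
require 'json'

# Split an Accept-Encoding value into its comma-separated codings, dropping
# whitespace and any ;q= parameters so "*;q=0.5" and "*" both count as '*'.
def accept_encoding_entries(header)
  return [] if header.nil?
  header.split(',').map { |e| e.split(';').first.to_s.strip }.reject(&:empty?)
end

# Number of wildcard codings in the header.
def wildcard_count(header)
  accept_encoding_entries(header).count('*')
end

# Return one record per log line that exceeds either limit. The defaults are
# constructed: a real client lists a handful of codings and at most one '*'.
def flag_suspicious(lines, max_entries: 16, max_wildcards: 2)
  flagged = []
  lines.each_with_index do |line, idx|
    begin
      rec = JSON.parse(line)
    rescue JSON::ParserError
      next # skip lines that are not JSON records
    end
    entries = accept_encoding_entries(rec['accept_encoding'])
    wildcards = entries.count('*')
    next unless entries.size > max_entries || wildcards > max_wildcards
    flagged << { line: idx + 1, remote_addr: rec['remote_addr'],
                 request: rec['request'], entries: entries.size,
                 wildcards: wildcards }
  end
  flagged
end

# Constructed sample log: three ordinary requests (one with a single, normal
# wildcard entry and one with no header at all) and one with 40 repeated '*'.
SAMPLE_LOG = [
  { remote_addr: '203.0.113.10', request: 'GET /index.html HTTP/1.1',
    status: 200, accept_encoding: 'gzip, deflate, br' },
  { remote_addr: '203.0.113.11', request: 'GET /api/items HTTP/1.1',
    status: 200, accept_encoding: 'identity;q=1, *;q=0' },
  { remote_addr: '198.51.100.7', request: 'GET /api/items HTTP/1.1',
    status: 200, accept_encoding: (['*'] * 40).join(', ') },
  { remote_addr: '203.0.113.12', request: 'GET /health HTTP/1.1',
    status: 200, accept_encoding: nil }
].map { |h| JSON.generate(h) }

if __FILE__ == $PROGRAM_NAME
  flag_suspicious(SAMPLE_LOG).each do |f|
    puts "line #{f[:line]}: #{f[:remote_addr]} #{f[:request]} " \
         "(#{f[:entries]} entries, #{f[:wildcards]} wildcards)"
  end
end
```

On the constructed sample only the request from 198.51.100.7 is reported; the request carrying `identity;q=1, *;q=0` passes, which a bare `grep '\*'` would have flagged.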
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include upgrading the Rack library to a patched version where this vulnerability is fixed. The patched versions are 2.2.23, 3.1.21, and 3.2.6.
If upgrading immediately is not possible, consider disabling the Rack::Deflater middleware on untrusted traffic to prevent exploitation.
Implement request filtering or impose restrictions on the size and format of Accept-Encoding headers at reverse proxies or application boundaries to limit abusive headers.
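One way to implement that restriction at the application boundary, as an added example that is neither the advisory's nor Rack's own code: a Rack middleware placed in front of Rack::Deflater that rejects requests whose Accept-Encoding header is over-long, lists too many codings, or repeats the wildcard, so the header never reaches the compressor's encoding selection. The class name, the default limits and the stand-in application are assumptions; the middleware relies only on the Rack calling convention (an env hash in, a status/headers/body triple out), so the script runs without the rack gem installed.

```ruby
# Added example (not from the advisory or from Rack itself): a Rack middleware
# that enforces limits on the Accept-Encoding header before the request reaches
# Rack::Deflater. Plain hashes stand in for the Rack env, so no gem is needed;
# the class name and the default limits are assumptions.
class AcceptEncodingGuard
  # Constructed defaults: real clients list a few codings and have no reason
  # to repeat the '*' wildcard.
  def initialize(app, max_bytes: 256, max_entries: 16, max_wildcards: 1)
    @app = app
    @max_bytes = max_bytes
    @max_entries = max_entries
    @max_wildcards = max_wildcards
  end

  def call(env)
    reason = violation(env['HTTP_ACCEPT_ENCODING'])
    return reject(reason) if reason
    @app.call(env)
  end

  # nil when the header is acceptable, otherwise a short reason string.
  # Every check is linear in the header length, so the guard itself cannot
  # be made expensive by the header it inspects.
  def violation(header)
    return nil if header.nil?
    return 'accept-encoding too long' if header.bytesize > @max_bytes
    entries = header.split(',').map { |e| e.split(';').first.to_s.strip }
                    .reject(&:empty?)
    return 'too many accept-encoding entries' if entries.size > @max_entries
    return 'too many wildcard entries' if entries.count('*') > @max_wildcards
    nil
  end

  private

  # Cheap, fixed-cost response for rejected requests.
  def reject(reason)
    [400, { 'content-type' => 'text/plain' }, ["Bad Request: #{reason}\n"]]
  end
end

# Stand-in for the protected stack (in a real deployment: Rack::Deflater
# wrapping the application).
INNER_APP = lambda { |_env| [200, { 'content-type' => 'text/plain' }, ['ok']] }
GUARDED_APP = AcceptEncodingGuard.new(INNER_APP)

# Status the guarded stack returns for a given Accept-Encoding value
# (nil means the header is absent).
def status_for(accept_encoding)
  env = { 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/' }
  env['HTTP_ACCEPT_ENCODING'] = accept_encoding unless accept_encoding.nil?
  GUARDED_APP.call(env)[0]
end

if __FILE__ == $PROGRAM_NAME
  puts "gzip, deflate, br     -> #{status_for('gzip, deflate, br')}"
  puts "identity;q=1, *;q=0   -> #{status_for('identity;q=1, *;q=0')}"
  puts "*, *, *               -> #{status_for('*, *, *')}"
end
```

In a config.ru the guard goes above the compressor (`use AcceptEncodingGuard` before `use Rack::Deflater`) so that the limits apply to every request the middleware would otherwise process; the same limits can be enforced at a reverse proxy instead, which keeps the abusive header off the application host entirely.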