CVE-2026-34829
Unrestricted File Upload DoS in Rack Multipart Parser
Publication date: 2026-04-02
Last updated on: 2026-04-16
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rack | rack | From 3.0.0 (inc) to 3.1.21 (exc) |
| rack | rack | From 3.2.0 (inc) to 3.2.6 (exc) |
| rack | rack | to 2.2.23 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-400 | The product does not properly control the allocation and maintenance of a limited resource. |
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34829 is a vulnerability in the Rack Ruby webserver interface, specifically in the multipart form-data parser (Rack::Multipart::Parser). When a multipart/form-data HTTP request is sent without a Content-Length header, such as with HTTP chunked transfer encoding, Rack fails to limit the size of the input stream.
Because Rack does not wrap the request body in a size-limiting wrapper in this case, the parser reads the multipart body until the end-of-stream without any total size restriction. For file parts, the uploaded data is streamed directly to a temporary file on disk instead of being buffered in memory.
This allows an unauthenticated attacker to send an arbitrarily large file upload without specifying Content-Length, causing Rack to write unlimited data to disk until the client stops or the server runs out of storage.
This results in uncontrolled resource consumption and can lead to a denial of service (DoS) condition due to disk space exhaustion.
How can this vulnerability impact me? :
This vulnerability can be exploited by an unauthenticated attacker to consume unbounded disk space on a server running vulnerable versions of Rack.
By streaming an arbitrarily large multipart file upload without a Content-Length header, the attacker causes the server to write unlimited data to temporary files on disk.
This uncontrolled disk usage can exhaust server storage resources, leading to a denial of service (DoS) condition where the application or server becomes unavailable.
The severity is high with a CVSS v3 base score of 7.5, indicating a significant impact on availability without requiring authentication or user interaction.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring multipart/form-data HTTP requests that lack a Content-Length header and use chunked transfer encoding. Observing unusually large or unbounded file uploads to your Rack-based application endpoints may indicate exploitation attempts.
You can detect potential exploitation by checking for large temporary files being created in the system's temp directory associated with your Rack application.
Suggested commands to help detect this include:
- Use network monitoring tools (e.g., tcpdump or Wireshark) to filter HTTP requests missing the Content-Length header and using chunked transfer encoding.
- On the server, monitor disk usage and identify large or growing temporary files, for example using: `ls -lh /tmp` or `find /tmp -type f -mtime -1 -exec ls -lh {} \;` to find recent large files.
- Use system monitoring commands like `du -sh /tmp/*` to check for unusually large files.
- Check application logs for multipart/form-data requests without Content-Length headers.
What immediate steps should I take to mitigate this vulnerability?
The primary mitigation is to update your Rack library to one of the patched versions: 2.2.23, 3.1.21, or 3.2.6, which enforce a total multipart upload size limit even when the Content-Length header is absent.
Additional immediate steps include:
- Enforce request body size limits at reverse proxies or application servers to prevent excessively large uploads.
- Isolate temporary upload storage to a dedicated partition or directory with limited space to contain potential disk exhaustion.
- Monitor disk usage on multipart endpoints closely to detect abnormal growth in temporary file storage.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows an unauthenticated attacker to cause a denial of service by exhausting disk space through unlimited multipart file uploads without a Content-Length header.
While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, denial of service conditions can impact availability requirements under these regulations.
Organizations subject to such regulations must ensure system availability and protect against resource exhaustion attacks, so this vulnerability could indirectly affect compliance if exploited and not mitigated.
Mitigations include updating to patched versions, enforcing upload size limits, isolating temporary storage, and monitoring disk usage, which help maintain compliance by preserving service availability.