CVE-2026-34829
Received Received - Intake
Unrestricted File Upload DoS in Rack Multipart Parser

Publication date: 2026-04-02

Last updated on: 2026-04-16

Assigner: GitHub, Inc.

Description
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser only wraps the request body in a BoundedIO when CONTENT_LENGTH is present. When a multipart/form-data request is sent without a Content-Length header, such as with HTTP chunked transfer encoding, multipart parsing continues until end-of-stream with no total size limit. For file parts, the uploaded body is written directly to a temporary file on disk rather than being constrained by the buffered in-memory upload limit. An unauthenticated attacker can therefore stream an arbitrarily large multipart file upload and consume unbounded disk space. This results in a denial of service condition for Rack applications that accept multipart form data. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-02
Last Modified
2026-04-16
Generated
2026-06-16
AI Q&A
2026-04-02
EPSS Evaluated
2026-06-14
NVD
CVE-2026-34829
EUVD
EUVD-2026-18388
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
rack rack From 3.0.0 (inc) to 3.1.21 (exc)
rack rack From 3.2.0 (inc) to 3.2.6 (exc)
rack rack to 2.2.23 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-770 The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows an unauthenticated attacker to cause a denial of service by exhausting disk space through unlimited multipart file uploads without a Content-Length header.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, denial of service conditions can impact availability requirements under these regulations.

Organizations subject to such regulations must ensure system availability and protect against resource exhaustion attacks, so this vulnerability could indirectly affect compliance if exploited and not mitigated.

Mitigations include updating to patched versions, enforcing upload size limits, isolating temporary storage, and monitoring disk usage, which help maintain compliance by preserving service availability.

Executive Summary

CVE-2026-34829 is a vulnerability in the Rack Ruby webserver interface, specifically in the multipart form-data parser (Rack::Multipart::Parser). When a multipart/form-data HTTP request is sent without a Content-Length header, such as with HTTP chunked transfer encoding, Rack fails to limit the size of the input stream.

Because Rack does not wrap the request body in a size-limiting wrapper in this case, the parser reads the multipart body until the end-of-stream without any total size restriction. For file parts, the uploaded data is streamed directly to a temporary file on disk instead of being buffered in memory.

This allows an unauthenticated attacker to send an arbitrarily large file upload without specifying Content-Length, causing Rack to write unlimited data to disk until the client stops or the server runs out of storage.

This results in uncontrolled resource consumption and can lead to a denial of service (DoS) condition due to disk space exhaustion.

Impact Analysis

This vulnerability can be exploited by an unauthenticated attacker to consume unbounded disk space on a server running vulnerable versions of Rack.

By streaming an arbitrarily large multipart file upload without a Content-Length header, the attacker causes the server to write unlimited data to temporary files on disk.

This uncontrolled disk usage can exhaust server storage resources, leading to a denial of service (DoS) condition where the application or server becomes unavailable.

The severity is high with a CVSS v3 base score of 7.5, indicating a significant impact on availability without requiring authentication or user interaction.

Detection Guidance

This vulnerability can be detected by monitoring multipart/form-data HTTP requests that lack a Content-Length header and use chunked transfer encoding. Observing unusually large or unbounded file uploads to your Rack-based application endpoints may indicate exploitation attempts.

You can detect potential exploitation by checking for large temporary files being created in the system's temp directory associated with your Rack application.

Suggested commands to help detect this include:

  • Use network monitoring tools (e.g., tcpdump or Wireshark) to filter HTTP requests missing the Content-Length header and using chunked transfer encoding.
  • On the server, monitor disk usage and identify large or growing temporary files, for example using: `ls -lh /tmp` or `find /tmp -type f -mtime -1 -exec ls -lh {} \;` to find recent large files.
  • Use system monitoring commands like `du -sh /tmp/*` to check for unusually large files.
  • Check application logs for multipart/form-data requests without Content-Length headers.
Mitigation Strategies

The primary mitigation is to update your Rack library to one of the patched versions: 2.2.23, 3.1.21, or 3.2.6, which enforce a total multipart upload size limit even when the Content-Length header is absent.

Additional immediate steps include:

  • Enforce request body size limits at reverse proxies or application servers to prevent excessively large uploads.
  • Isolate temporary upload storage to a dedicated partition or directory with limited space to contain potential disk exhaustion.
  • Monitor disk usage on multipart endpoints closely to detect abnormal growth in temporary file storage.
Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34829. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart