Executive Summary

This vulnerability exists in the Ruby Rack library's Rack::Files component, where the Content-Length HTTP response header is incorrectly calculated during error responses.

Specifically, Rack::Files#fail uses String#size (which counts characters) instead of String#bytesize (which counts bytes) to set the Content-Length header. When the response body contains multibyte UTF-8 characters, the number of bytes is greater than the number of characters, causing the declared Content-Length to be smaller than the actual number of bytes sent.

Because Rack::Files reflects the requested path in 404 error responses, an attacker can exploit this by requesting a non-existent path with percent-encoded UTF-8 multibyte characters. This causes the response body to contain multibyte characters and the Content-Length header to be incorrect.

This mismatch violates HTTP message framing requirements and can lead to response desynchronization and parsing inconsistencies, especially in environments using keep-alive connections or intermediaries relying on Content-Length for framing.

Useful 0 Not Useful 0

Compliance Impact

The provided information does not explicitly address how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.

Useful 0 Not Useful 0

Impact Analysis

The vulnerability can cause incorrect HTTP response framing due to the mismatch between the declared Content-Length and the actual bytes sent.

This may lead to response desynchronization and parsing errors in clients or intermediaries such as proxies that rely on the Content-Length header to determine message boundaries.

Such desynchronization can cause protocol errors or unexpected behavior in applications, potentially affecting confidentiality and integrity at a low level, but it does not directly cause availability issues.

The attack complexity is high and no privileges or user interaction are required, meaning an attacker can exploit this remotely by sending crafted requests.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by observing HTTP 404 responses from Rack::Files that contain percent-encoded UTF-8 multibyte characters in the requested path. Specifically, you can look for a mismatch between the Content-Length header value and the actual byte length of the response body.

One approach is to send crafted HTTP requests with non-existent paths containing percent-encoded multibyte UTF-8 characters and then analyze the Content-Length header versus the actual response size.

For example, you can use curl or similar tools to send such requests and inspect the headers and response body size.

• curl -i -X GET 'http://yourserver/nonexistent/%E2%82%AC' # Request a non-existent path with percent-encoded UTF-8 character
• Compare the Content-Length header value with the actual byte length of the response body. If Content-Length is smaller than the actual bytes sent, the vulnerability may be present.

Network monitoring tools or proxies that log HTTP headers and response sizes can also help detect discrepancies indicative of this vulnerability.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to update Rack to a patched version: 2.2.23, 3.1.21, 3.2.6, or later, where the Content-Length header is correctly calculated using String#bytesize.

Until you can update, avoid exposing Rack::Files directly to untrusted traffic.

Place Rack behind proxies or servers that normalize or reject malformed backend responses to prevent response framing anomalies.

Prefer closing backend connections on error paths to avoid issues caused by incorrect Content-Length headers.

Useful 0 Not Useful 0