PatchSiren cyber security CVE debrief

CVE-2026-34829 rack CVE debrief

CVE-2026-34829 is a high-severity vulnerability in Rack, a modular Ruby web server interface. The vulnerability exists in Rack::Multipart::Parser, which fails to limit the size of multipart/form-data requests when the Content-Length header is absent, such as with HTTP chunked transfer encoding. This allows an unauthenticated attacker to stream large files and consume unbounded disk space, resulting in a denial of service condition for Rack applications that accept multipart form data. The issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6. Users are advised to upgrade to these versions to mitigate the vulnerability.

Vendor: rack
Product: Unknown
CVSS: HIGH 7.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-04-02
Original CVE updated: 2026-06-30
Advisory published: 2026-04-02
Advisory updated: 2026-06-30

Who should care

Developers and administrators using Rack applications that accept multipart form data should be aware of this vulnerability. This includes users of Ruby on Rails, as Rack is a dependency. The vulnerability can be exploited by an unauthenticated attacker, making it a significant concern for applications exposed to the internet.

Technical summary

The vulnerability in Rack::Multipart::Parser allows for unbounded disk space consumption during multipart file uploads when the Content-Length header is missing. This is because the parser only wraps the request body in a BoundedIO when CONTENT_LENGTH is present. For file parts, the uploaded body is written directly to a temporary file on disk without being constrained by an in-memory upload limit. An attacker can exploit this by streaming an arbitrarily large multipart file upload.

Defensive priority

High priority should be given to upgrading Rack to versions 2.2.23, 3.1.21, or 3.2.6. In the meantime, consider implementing compensating controls such as monitoring for large file uploads and setting limits on upload sizes.

Recommended defensive actions

  • Upgrade Rack to version 2.2.23, 3.1.21, or 3.2.6.
  • Implement monitoring for large file uploads.
  • Set limits on upload sizes as a compensating control.
  • Review application code for insecure direct object references.
  • Perform regular security audits and vulnerability assessments.
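The technical summary above explains that Rack only wraps rack.input in a BoundedIO when CONTENT_LENGTH is present, so a chunked upload with no declared length is streamed to disk unchecked; the actions list recommends an upload-size cap as a compensating control. The following is an added example of such a cap, written for this debrief and not taken from Rack or from the vendor advisory. It is a Rack-compatible middleware (all class and method names here are hypothetical) that rejects a multipart request whose declared Content-Length exceeds a limit and, when no length is declared, counts the bytes the downstream parser actually consumes and aborts with 413 on the first overrun. The downstream app, the multipart body and the boundary are constructed for the demonstration.

```ruby
require 'stringio'

# Added example, not Rack's own code: a Rack-compatible middleware that caps
# the body bytes a multipart request may hand to the application, whether or
# not the client declared Content-Length. All names here are hypothetical.
class UploadCap
  class TooLarge < StandardError; end

  # Wraps rack.input and counts bytes as the parser consumes them, so a
  # chunked body with no declared length still meets a hard ceiling.
  class LimitedInput
    def initialize(io, limit)
      @io, @limit, @consumed = io, limit, 0
    end

    def read(length = nil, outbuf = nil)
      account(@io.read(length, outbuf))
    end

    def gets
      account(@io.gets)
    end

    def each
      while (line = gets)
        yield line
      end
    end

    def rewind
      @consumed = 0
      @io.rewind
    end

    private

    # Raise as soon as the running total passes the cap.
    def account(data)
      return nil if data.nil?
      @consumed += data.bytesize
      raise TooLarge if @consumed > @limit
      data
    end
  end

  def initialize(app, limit: 10 * 1024 * 1024) # assumed default cap: 10 MiB
    @app, @limit = app, limit
  end

  def call(env)
    type = env['CONTENT_TYPE'].to_s.downcase
    return @app.call(env) unless type.start_with?('multipart/form-data')

    # Declared length over the cap: reject before reading a single byte.
    declared = env['CONTENT_LENGTH']
    return reject if declared && declared.to_i > @limit

    # Otherwise (including chunked uploads with no CONTENT_LENGTH) count bytes
    # as they are consumed and abort on the first overrun.
    env['rack.input'] = LimitedInput.new(env['rack.input'], @limit)
    @app.call(env)
  rescue TooLarge
    reject
  end

  private

  def reject
    body = "Payload Too Large\n"
    [413, { 'content-type' => 'text/plain', 'content-length' => body.bytesize.to_s }, [body]]
  end
end

# Hypothetical downstream app: drains the body in 64 KiB chunks, the way a
# multipart parser streams a file part to a temporary file.
SINK_APP = lambda do |env|
  stored = 0
  while (chunk = env['rack.input'].read(65_536))
    stored += chunk.bytesize
  end
  [200, { 'content-type' => 'text/plain' }, ["stored #{stored} bytes\n"]]
end

# Constructed multipart request; declare_length: false mimics a chunked
# upload, where CONTENT_LENGTH is absent from the Rack env.
def multipart_env(payload_size, declare_length:)
  boundary = 'constructedboundary'
  head = "--#{boundary}\r\n" \
         "Content-Disposition: form-data; name=\"file\"; filename=\"big.bin\"\r\n" \
         "Content-Type: application/octet-stream\r\n\r\n"
  body = head + ('A' * payload_size) + "\r\n--#{boundary}--\r\n"
  env = { 'REQUEST_METHOD' => 'POST', 'rack.input' => StringIO.new(body),
          'CONTENT_TYPE' => "multipart/form-data; boundary=#{boundary}" }
  if declare_length
    env['CONTENT_LENGTH'] = body.bytesize.to_s
  else
    env['HTTP_TRANSFER_ENCODING'] = 'chunked'
  end
  env
end

# Returns the HTTP status the capped stack produces for a given upload.
def status_for(payload_size, limit:, declare_length:)
  env = multipart_env(payload_size, declare_length: declare_length)
  UploadCap.new(SINK_APP, limit: limit).call(env).first
end
```

Mount the middleware ahead of the application in config.ru (for example `use UploadCap, limit: 10 * 1024 * 1024`) so the counting wrapper is in place before Rack::Multipart::Parser reads the body. This is a compensating control, not a replacement for the patched versions: it bounds disk consumption per request but still lets a client drive bytes up to the cap, and it assumes the parser reads through rack.input rather than a handle it obtained elsewhere. A reverse proxy body-size limit that is enforced for chunked bodies as well as declared ones gives the same protection one hop earlier, and logging multipart/form-data POSTs that arrive without a Content-Length header is a cheap way to spot the request shape this issue depends on.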

Evidence notes

The CVE record and NVD detail provide comprehensive information about the vulnerability. The vendor advisory on GitHub and Red Hat's security advisories offer additional context and mitigation strategies.

Official resources

This article is AI-assisted and based on the supplied source corpus.