PatchSiren

rack CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH rack CVE published 2026-04-02

CVE-2026-34827

CVE-2026-34827 is a denial-of-service vulnerability in Rack's multipart parsing. An unauthenticated attacker can send a crafted multipart/form-data request containing many parts with long backslash-escaped parameter values to trigger excessive CPU usage during multipart parsing. This results in a denial-of-service condition in Rack applications that accept multipart form data. The vulnerability affects Ra [truncated]

HIGH rack CVE published 2026-04-02

CVE-2026-34829

CVE-2026-34829 is a high-severity vulnerability in Rack, a modular Ruby web server interface. The vulnerability exists in Rack::Multipart::Parser, which fails to limit the size of multipart/form-data requests when the Content-Length header is absent, such as with HTTP chunked transfer encoding. This allows an unauthenticated attacker to stream large files and consume unbounded disk space, resulting in a d [truncated]

HIGH rack CVE published 2026-04-02

CVE-2026-34785

CVE-2026-34785 is a high-severity vulnerability in Rack, a modular Ruby web server interface. The issue lies in Rack::Static's handling of static files, where a simple string prefix check is used to determine if a request should be served as a static file. This check can be bypassed with URL prefixes like '/css', allowing files under the static root to be served unintentionally if their names share the co [truncated]