Platform: ruby
Component: rack
Fixed in: 2.2.23, 2.2.24, 3.0.1, 3.2.1
CVE-2026-34831 affects the Ruby Rack library, specifically the Rack::Files#fail method. The method derives the Content-Length header from the character count of the response body rather than its byte count, so a body containing multibyte UTF-8 characters is sent with a Content-Length smaller than the body itself. Clients that frame responses by Content-Length read only the declared number of bytes and leave the remainder on the connection, which desynchronizes a persistent connection and leads to parsing errors or unexpected behavior. Affected versions are Rack 2.2.9 and earlier; the 2.2 series is fixed in 2.2.23 (fixed releases for the other series are listed above).
The core issue is that Rack::Files#fail uses String#size (characters) instead of String#bytesize (bytes) when setting Content-Length. When a request names a non-existent path containing percent-encoded UTF-8 characters, the decoded path is placed in the 404 response body; each multibyte character is counted once while it occupies two to four bytes on the wire, so the declared Content-Length is smaller than the number of bytes actually transmitted. A client that trusts the header consumes only the declared bytes, and on a keep-alive connection the surplus bytes are read as the beginning of the next response, producing parse failures, truncated content or responses attributed to the wrong request. This is not remote code execution, but it can cause denial-of-service conditions or unexpected application behavior in clients and intermediaries, and Rack's wide deployment means the exposure is broad even though the impact is primarily client-side.
CVE-2026-34831 was publicly disclosed on 2026-04-02. There is no indication of active exploitation or a KEV listing at the time of writing, and public proof-of-concept code is not widely available, which suggests a low probability of immediate exploitation. The EPSS score is 0.04% (11th percentile), consistent with the limited public information and the absence of observed exploitation.
Applications and services relying on the Ruby Rack library, particularly those that process user-supplied paths or handle internationalized content, are at risk. Shared hosting environments that bundle Rack with other software components are also potentially vulnerable, as are applications that heavily depend on accurate HTTP response framing for proper functionality.
• ruby / server: gem list rack
  (compare the installed versions with the fixed releases listed above)
• ruby / server: grep -n 'size' /path/to/rack/lib/rack/files.rb
  (in the fail method, Content-Length must come from String#bytesize; a bare .size on the body is the vulnerable pattern)
• generic web: printf 'GET /does-not-exist-%%E2%%82%%AC HTTP/1.1\r\nHost: example.com\r\nConnection: close\r\n\r\n' | nc example.com 80
  (compare the Content-Length header with the byte count of the body that follows; curl -I sends a HEAD request and returns no body, and a GET through curl stops reading at the declared length, so neither shows the surplus bytes)
• generic web: grep 'Content-Length' /var/log/apache2/access.log
  (only useful if the LogFormat includes %{Content-Length}o; the default %b field records bytes sent, which you can then compare against the logged header)
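An added check, not part of Rack or of the checks above, that reads a raw response to EOF and compares the declared Content-Length with the bytes actually received. Clients that frame by Content-Length, Net::HTTP and curl included, stop reading at the declared length and therefore report a body that matches the header, so a raw socket read with Connection: close is what makes the surplus visible. framing_delta and probe are hypothetical helper names, the sample responses are constructed, and the plain-HTTP target in the commented call is an assumption.

```ruby
require 'socket'

# Added detection helper, not part of Rack or of the advisory's checks.
# Split a raw HTTP/1.1 response into the Content-Length it declares and the
# body bytes actually present. Returns nil if there is no Content-Length.
def framing_delta(raw)
  head, body = raw.b.split("\r\n\r\n", 2)
  return nil unless head && body
  match = head.match(/^content-length:[ \t]*(\d+)/i)
  return nil unless match
  declared = match[1].to_i
  { declared: declared, actual: body.bytesize, extra: body.bytesize - declared }
end

# Send one GET over plain TCP with Connection: close and read to EOF, which is
# what exposes surplus bytes: Net::HTTP and curl stop at the declared length.
# Hypothetical helper for a plain-HTTP target (a local dev server, say); not
# exercised by the tests.
def probe(host, port, path)
  sock = TCPSocket.new(host, port)
  sock.write("GET #{path} HTTP/1.1\r\nHost: #{host}\r\nConnection: close\r\n\r\n")
  framing_delta(sock.read)
ensure
  sock&.close
end

# Constructed sample responses: the 404 body for a missing "/€" path is 20
# bytes; the vulnerable code declares its character count, 18.
SAMPLE_BAD = [
  'HTTP/1.1 404 Not Found',
  'Content-Type: text/plain',
  'Content-Length: 18',
  '',
  "File not found: \xE2\x82\xAC\n"
].join("\r\n")
SAMPLE_GOOD = SAMPLE_BAD.sub('Content-Length: 18', 'Content-Length: 20')

if __FILE__ == $0
  [SAMPLE_BAD, SAMPLE_GOOD].each do |raw|
    d = framing_delta(raw)
    verdict = d[:extra].zero? ? 'ok' : "MISMATCH (#{d[:extra]} surplus byte(s))"
    puts "declared=#{d[:declared]} actual=#{d[:actual]} #{verdict}"
  end
  # probe('127.0.0.1', 9292, '/does-not-exist-%E2%82%AC')  # against a local dev server
end
```

A non-zero extra on a 404 for a path with percent-encoded multibyte characters, and zero for the same path in ASCII, is the signature of this defect; TLS endpoints need the same read-to-EOF logic over an OpenSSL::SSL::SSLSocket instead of TCPSocket.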
Disclosure: 2026-04-02
Exploit status: no known active exploitation, not in CISA KEV
EPSS: 0.04% (11th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation is to upgrade to a fixed Rack release (2.2.23 or later in the 2.2 series), which derives Content-Length from the body's byte size. If upgrading is not immediately feasible, a reverse proxy or WAF that buffers upstream responses and re-frames them with a recomputed Content-Length prevents the bad header from reaching clients. Review client code that relies on Content-Length for data integrity and add validation or error handling for truncated bodies and trailing bytes. No Sigma or YARA rules apply: this is a header calculation defect with no signature in logs or files.
Update the Rack gem to version 2.2.23, 3.1.21 or 3.2.6 or later, according to the release series you are on. This corrects the Content-Length discrepancy in Rack::Files error responses.
CVE-2026-34831 is a vulnerability in Ruby Rack where the Content-Length header is incorrectly calculated for multibyte UTF-8 characters, leading to response desynchronization.
You are affected if you are using Rack version 2.2.9 or earlier. Upgrade to 2.2.23 or later to mitigate the risk.
Upgrade to Rack version 2.2.23 or later. Consider using a reverse proxy or WAF to normalize HTTP responses as a temporary workaround.
There is currently no evidence of active exploitation of CVE-2026-34831, but it's important to apply the fix proactively.
Refer to the Ruby Rack project's website and security advisories for the latest information and updates regarding CVE-2026-34831.