CVSS 7.5 | CVE-2025-59830, CVE-2025-32441, CVE-2026-34830

High-Severity Vulnerabilities in Rack: Parameter Limit Bypass, Session Restoration, and More

Multiple vulnerabilities have been disclosed in Rack, the Ruby web server interface used by Rails and most other Ruby web frameworks. They include a query parameter limit bypass, session restoration after logout, regex injection through the `X-Accel-Mapping` header, and several denial-of-service issues. Update to the fixed Rack version listed for each issue below (`gem update rack`, or `bundle update rack --conservative` for Bundler-managed applications).


Several vulnerabilities have been identified in Rack, a core component of Ruby web applications. They range from a parameter limit bypass and session restoration after deletion to header injection and denial-of-service risks. Patches are available, and prompt updating is recommended.

The CVSS scores range from 4.2 to 7.5, that is, moderate to high severity; none of the issues is rated critical. Note that `gem update rack` installs the newest gem but does not change the version pinned in `Gemfile.lock`; for Bundler-managed applications run `bundle update rack --conservative` and confirm the new version in `Gemfile.lock` and in the image that actually ships.

What is Rack?

Rack is a modular Ruby web server interface. It provides a clean and consistent way for web applications to interact with various web servers and frameworks. Rack applications are built as a stack of middleware components that process HTTP requests and responses. It's a fundamental building block for many Ruby web applications, including Ruby on Rails.

Rack: Query Parameter Bypass

CVSS: 7.5
Affected versions: Applications using Rack versions prior to 2.2.18. In practice this affects code that calls `Rack::QueryParser` directly with the default delimiters; typical Rack applications that go through `Rack::Request` are not affected.

High severity due to potential denial-of-service.

Rack's `QueryParser` enforces its `params_limit` by counting only the '&' characters in the query string, while the default delimiter splits on both '&' and ';'. Parameters separated by semicolons are therefore never counted, so an attacker can submit far more parameters than the limit allows and drive up parsing cost (denial of service).
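The following is an added example, not Rack's own code: a reduced Ruby model of the `params_limit` check with the flaw described above, a corrected version that counts pairs after splitting on every delimiter, and the explicit-delimiter workaround. The exception name `QueryLimitError` mirrors Rack's, the tiny limit and the payloads are constructed for the demo, and the parser is deliberately simplified (no nested keys, no unescaping).

```ruby
# Added example, not Rack's code. QueryLimitError mirrors Rack's exception name (assumption);
# PARAMS_LIMIT is kept tiny so the demo is readable (Rack's default is far larger).
class QueryLimitError < StandardError; end

PARAMS_LIMIT = 5

# Splits on an explicit single-character delimiter, or on the default "& or ;" set.
def split_pairs(qs, sep)
  qs.split(sep ? Regexp.new(Regexp.escape(sep)) : /[&;]/)
end

def to_params(pairs)
  pairs.each_with_object({}) do |pair, params|
    key, value = pair.split('=', 2)
    params[key] = value
  end
end

# Vulnerable: the limit is enforced by counting the explicit separator (or '&' when
# none is given) in the raw string, but the real split still honours ';' as well.
def parse_vulnerable(qs, sep: nil, limit: PARAMS_LIMIT)
  raise QueryLimitError, 'too many query parameters' if qs.count(sep || '&') >= limit
  to_params(split_pairs(qs, sep))
end

# Fixed: split on the full delimiter set first, then count what actually came out.
def parse_fixed(qs, sep: nil, limit: PARAMS_LIMIT)
  pairs = split_pairs(qs, sep)
  raise QueryLimitError, 'too many query parameters' if pairs.size > limit
  to_params(pairs)
end

# true if the parser given as a block rejects the query string with QueryLimitError
def rejected?(qs)
  yield qs
  false
rescue QueryLimitError
  true
end

# Constructed payloads: the same eight parameters, joined with ';' and with '&'.
def demo
  bypass = (1..8).map { |i| "p#{i}=#{i}" }.join(';')
  honest = (1..8).map { |i| "p#{i}=#{i}" }.join('&')
  {
    vulnerable_accepts_semicolon_payload: parse_vulnerable(bypass).size, # 8 params slip through
    vulnerable_rejects_ampersand_payload: rejected?(honest) { |q| parse_vulnerable(q) },
    fixed_rejects_semicolon_payload: rejected?(bypass) { |q| parse_fixed(q) },
    # Workaround: with an explicit '&' delimiter the ';' is just data, so one parameter results.
    workaround_explicit_delimiter: parse_vulnerable(bypass, sep: '&').size
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The `workaround_explicit_delimiter` entry is what the workaround below buys you: once the delimiter is explicitly `'&'`, counting and splitting agree again, and the semicolon-laden string is a single parameter.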

How to fix CVE-2025-59830 in Rack

Patch immediately
  1. Update Rack to version 2.2.18 or later.

Update Rack:
gem update rack

Verify with:
gem list rack

Workaround: if you instantiate `Rack::QueryParser` yourself, pass an explicit delimiter (e.g. `'&'`) so that semicolons are not treated as separators, or enforce query string size limits at the web server or proxy.

NextGuard automatically flags CVE-2025-59830 if [Rack] appears in any of your monitored projects — no manual lookup required.

Rack: Session Restoration After Deletion

CVSS: 4.2
Affected versions: Applications using `Rack::Session::Pool` with Rack versions prior to 2.2.14.

Moderate severity due to potential session hijacking.

A race between concurrent requests using `Rack::Session::Pool` can restore a session that was just deleted (for example on logout): a request that loaded the session before the deletion writes its copy back afterwards. A client still holding the old session id can then keep using, or occupy, a session the user believes was terminated.

How to fix CVE-2025-32441 in Rack

Patch immediately
  1. Update Rack to version 2.2.14 or later.
  2. Review the logout flow: a request that loaded the session before logout must not be able to write it back afterwards (see the workaround below).

Update Rack:
gem update rack

Verify with:
gem list rack

Workaround: Implement a `logged_out` flag and check it on every request, or use a custom session store with invalidation timestamps.
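Below is an added example of the invalidation-timestamp approach, written for this page rather than taken from Rack or the advisory. It keeps an out-of-band record of logged-out session ids with a TTL, plus a middleware that treats any request presenting such an id as anonymous, regardless of whether `Rack::Session::Pool` has revived the session. The class names, the use of `env['rack.session.options'][:id]` to read the id and `[:drop]` to discard the session, the injectable clock and the demo app are assumptions of this example.

```ruby
# Added example, not Rack's code. Class names, the :id/:drop session options and the
# demo app are this example's assumptions.
class SessionDenylist
  # ttl must cover the longest a session can live: once no copy of the session can
  # still be stored or in flight, the entry is safe to forget.
  def initialize(ttl:, clock: -> { Time.now })
    @ttl = ttl
    @clock = clock
    @entries = {}
    @mutex = Mutex.new
  end

  # Call from the logout handler *before* deleting the session from the pool, so
  # there is no window in which the id is deleted but not yet denied.
  def invalidate(sid)
    @mutex.synchronize { @entries[sid] = @clock.call }
  end

  def invalidated?(sid)
    @mutex.synchronize do
      now = @clock.call
      @entries.delete_if { |_, at| now - at > @ttl } # prune expired entries
      @entries.key?(sid)
    end
  end

  def size
    @mutex.synchronize { @entries.size }
  end
end

# Sits after the session middleware: a revived session that carries a denied id is
# emptied and marked to be dropped, so the app sees an anonymous request.
class RejectInvalidatedSessions
  def initialize(app, denylist)
    @app = app
    @denylist = denylist
  end

  def call(env)
    options = env['rack.session.options'] || {}
    sid = options[:id]
    if sid && @denylist.invalidated?(sid)
      env['rack.session'].clear if env['rack.session'].respond_to?(:clear)
      options[:drop] = true # assumption: asks the store to discard the session on commit
    end
    @app.call(env)
  end
end

# Constructed demo app: reports who the session says is logged in.
APP = ->(env) { [200, { 'content-type' => 'text/plain' }, [env['rack.session']['user'] || 'anonymous']] }

# Simulates a request whose session (possibly a revived copy) carries the given id.
def demo_request(stack, sid, session)
  env = { 'rack.session' => session, 'rack.session.options' => { id: sid } }
  _status, _headers, body = stack.call(env)
  body.first
end
```

The denylist is keyed on the session id because that is the one thing a revived session and the original have in common; the flag lives outside the session data so a stale write-back cannot erase it. Size it for the real session lifetime, and if you run more than one process, back it with a shared store rather than an in-process Hash.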

NextGuard automatically flags CVE-2025-32441 if [Rack] appears in any of your monitored projects — no manual lookup required.

Rack: X-Accel-Redirect Regex Injection

CVSS: 5.9
Affected versions: Applications using `Rack::Sendfile` with `x-accel-redirect` and Rack versions prior to 2.2.23.

Moderate severity due to potential unauthorized file disclosure.

`Rack::Sendfile` interpolates the `X-Accel-Mapping` request header (meant to be set by nginx to map internal file paths to internal locations) into a regular expression. If that header reaches the application from an untrusted source, an attacker can inject regex syntax and take control of the `X-Accel-Redirect` response header, directing nginx to serve files the application never intended to expose.
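The pattern and its mitigation, as an added example that is not Rack's code: a simplified `map_accel_path` that interpolates the header into a regular expression, beside a version that treats the internal prefix as a literal, segment-aligned string. The file path, the trusted mapping and the attacker's header are constructed for the demo.

```ruby
# Added example, not Rack's code. SERVED_FILE, the mappings and the attacker header
# are constructed for the demo.

# Vulnerable: the client-visible header value becomes a Regexp verbatim, so regex
# metacharacters in it decide what gets rewritten and to what.
def map_accel_path_vulnerable(mapping_header, path)
  mapping_header.split(',').map(&:strip).each do |m|
    internal, external = m.split('=', 2).map(&:strip)
    next if internal.nil? || external.nil?
    new_path = path.sub(/^#{internal}/i, external)
    return new_path unless new_path == path
  end
  nil
end

# Hardened: literal prefix match that must end on a path-segment boundary; no Regexp
# is ever built from request data.
def map_accel_path_hardened(mapping_header, path)
  mapping_header.split(',').map(&:strip).each do |m|
    internal, external = m.split('=', 2).map(&:strip)
    next if internal.nil? || external.nil? || internal.empty?
    next unless internal.end_with?('/') && path.start_with?(internal)
    return external + path.delete_prefix(internal)
  end
  nil
end

SERVED_FILE      = '/var/www/private/reports/q3.pdf'          # what the app decided to send
TRUSTED_MAPPING  = '/var/www/private/=/protected/'            # what nginx should set
ATTACKER_MAPPING = '.*=/protected/all-users-export.csv'       # regex swallows the whole path

def demo
  {
    legit_vulnerable: map_accel_path_vulnerable(TRUSTED_MAPPING, SERVED_FILE),
    legit_hardened:   map_accel_path_hardened(TRUSTED_MAPPING, SERVED_FILE),
    attack_vulnerable: map_accel_path_vulnerable(ATTACKER_MAPPING, SERVED_FILE), # attacker picks the redirect
    attack_hardened:   map_accel_path_hardened(ATTACKER_MAPPING, SERVED_FILE)    # nil: no literal prefix match
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Note that the hardened function still trusts whatever is in the header; it only removes the regex. The control that actually matters is the second fix step: the proxy must set `X-Accel-Mapping` itself (nginx: `proxy_set_header X-Accel-Mapping "/var/www/private/=/protected/";` next to `location /protected/ { internal; alias /var/www/private/; }`), which replaces any client-supplied value, or the mapping should be configured statically in the application so the header is never consulted.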

How to fix CVE-2026-34830 in Rack

Patch immediately
  1. Update Rack to version 2.2.23 or later.
  2. Have the reverse proxy set `X-Accel-Mapping` itself (in nginx, `proxy_set_header X-Accel-Mapping ...`), which replaces any client-supplied value, so an attacker-controlled mapping never reaches the application.

Update Rack:
gem update rack

Verify with:
gem list rack

Workaround: Prefer explicit sendfile mappings and review proxy configurations.

NextGuard automatically flags CVE-2026-34830 if [Rack] appears in any of your monitored projects — no manual lookup required.

Rack: Content-Length Mismatch in Error Responses

CVSS: 4.8
Affected versions: Applications using Rack versions prior to 2.2.23.

Moderate severity due to potential response framing issues.

Rack's error responses compute `Content-Length` with `String#size` (a character count) instead of `String#bytesize`. For messages containing multibyte UTF-8 characters the declared length is shorter than the body actually sent, so the remaining bytes are left on the connection and can be read as the start of the next response (response desynchronization).
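An added example (not Rack's code) that makes the defect visible: a constructed error handler that sets `Content-Length` from `String#size`, its corrected form, and a small middleware that recomputes the length from the body's byte size and records mismatches. Such a guard is useful in a test suite; it buffers the whole body, so it is not meant for streaming responses in production.

```ruby
# Added example, not Rack's code. The guard middleware and the two error handlers are
# constructed for the demo.
class ContentLengthGuard
  attr_reader :mismatches

  def initialize(app)
    @app = app
    @mismatches = []
  end

  def call(env)
    status, headers, body = @app.call(env)
    key = headers.keys.find { |k| k.to_s.casecmp?('content-length') }
    return [status, headers, body] unless key

    # Buffer the body to measure it (fine for error pages and tests, not for streaming).
    chunks = []
    body.each { |chunk| chunks << chunk }
    body.close if body.respond_to?(:close)
    actual = chunks.sum(&:bytesize)
    declared = headers[key].to_i

    if declared != actual
      @mismatches << { path: env['PATH_INFO'], declared: declared, actual: actual }
      headers = headers.merge(key => actual.to_s) # send the true byte length
    end
    [status, headers, chunks]
  end
end

# Constructed "before": String#size counts characters, so multibyte text is undercounted.
def error_app_vulnerable(message)
  lambda do |_env|
    [404, { 'Content-Type' => 'text/plain; charset=utf-8', 'Content-Length' => message.size.to_s }, [message]]
  end
end

# Corrected: Content-Length is the number of bytes on the wire.
def error_app_fixed(message)
  lambda do |_env|
    [404, { 'Content-Type' => 'text/plain; charset=utf-8', 'Content-Length' => message.bytesize.to_s }, [message]]
  end
end

# Runs one request through the guard; returns the emitted Content-Length and any mismatches.
def run(app, path)
  guard = ContentLengthGuard.new(app)
  _status, headers, _body = guard.call({ 'PATH_INFO' => path })
  [headers['Content-Length'], guard.mismatches]
end

puts run(error_app_vulnerable('Résumé not found'), '/cv').inspect if $PROGRAM_NAME == __FILE__
```

"Résumé not found" is 16 characters but 18 bytes in UTF-8; a response declaring 16 leaves two bytes unread on a keep-alive connection, which is exactly the framing error the description above refers to.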

How to fix CVE-2026-34831 in Rack

Patch immediately
  1. Update Rack to version 2.2.23 or later.

Update Rack:
gem update rack

Verify with:
gem list rack

Workaround: the upgrade is the fix. Request size or query string limits at the web server or proxy, as listed for other issues on this page, do not address a response-side `Content-Length` mismatch.

NextGuard automatically flags CVE-2026-34831 if [Rack] appears in any of your monitored projects — no manual lookup required.

Rack: Static Header Rules Bypass

CVSS: 5.3
Affected versions: Applications using `Rack::Static` with Rack versions prior to 2.2.23 (2.2 series) or prior to 3.1.21 (3.1 series).

Moderate severity due to potential header bypass.

URL-encoded request paths bypass `Rack::Static` header rules: the rules are matched against the raw, still-encoded path while the file lookup decodes it, so a client can fetch static content without the cache or security headers configured for that path.

How to fix CVE-2026-34786 in Rack

Patch immediately
  1. Update Rack to version 2.2.23 or later.

Update Rack:
gem update rack

Verify with:
gem list rack

Workaround: Prefer setting security headers at the reverse proxy layer.

NextGuard automatically flags CVE-2026-34786 if [Rack] appears in any of your monitored projects — no manual lookup required.

Rack: Unbounded Multipart Uploads

CVSS: 7.5
Affected versions: Applications using `Rack::Multipart::Parser` with Rack versions prior to 3.1.21.

High severity due to potential denial of service.

When a request arrives without a `Content-Length` header (for example with `Transfer-Encoding: chunked`), Rack's multipart parser reads the body with no upper bound, so an attacker can stream an arbitrarily large upload and exhaust server resources (denial of service).
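An added example (not Rack's code) of enforcing the cap inside the application when the proxy does not: a wrapper around `rack.input` that counts bytes as the body is read and aborts once the limit is exceeded, so a chunked request with no `Content-Length` cannot stream indefinitely into the multipart parser. The class names, the 256-byte limit and the demo app are constructed; the `read`/`gets`/`each`/`rewind` interface is the one Rack specifies for `rack.input`.

```ruby
require 'stringio'

# Added example, not Rack's code. Names, the 256-byte limit and the demo app are constructed.
class BodyTooLarge < StandardError; end

# Wraps rack.input so that reading past the cap aborts the request instead of letting a
# parser stream an unbounded chunked body into temporary files.
class LimitedInput
  def initialize(io, limit)
    @io = io
    @limit = limit
    @consumed = 0
  end

  # rack.input API: read([length [, buffer]]); nil length means "to EOF".
  def read(length = nil, outbuf = nil)
    account(outbuf ? @io.read(length, outbuf) : @io.read(length))
  end

  def gets
    account(@io.gets)
  end

  def each
    while (chunk = read(8192))
      yield chunk
    end
  end

  # Required by the Rack 2 input spec (dropped in Rack 3); reset the byte count too.
  def rewind
    @consumed = 0
    @io.rewind
  end

  private

  # Adds the chunk to the running total and raises once the cap is exceeded.
  def account(data)
    return data if data.nil?
    @consumed += data.bytesize
    raise BodyTooLarge, "request body exceeds #{@limit} bytes" if @consumed > @limit
    data
  end
end

class RequestBodyLimit
  def initialize(app, max_bytes:)
    @app = app
    @max = max_bytes
  end

  def call(env)
    declared = env['CONTENT_LENGTH']
    # A declared length that is already too large: refuse without reading anything.
    return too_large if declared && !declared.empty? && declared.to_i > @max

    # No length at all (chunked): meter the stream as the app or parser consumes it.
    env['rack.input'] = LimitedInput.new(env['rack.input'], @max) if env['rack.input']
    @app.call(env)
  rescue BodyTooLarge
    too_large
  end

  private

  def too_large
    [413, { 'content-type' => 'text/plain', 'content-length' => '17' }, ['Payload Too Large']]
  end
end

# Constructed demo app: consumes the whole body, as a multipart parser does.
UPLOAD_APP = lambda do |env|
  body = env['rack.input'].read
  [200, { 'content-type' => 'text/plain' }, ["received #{body.bytesize} bytes"]]
end

STACK = RequestBodyLimit.new(UPLOAD_APP, max_bytes: 256)

# Builds a constructed request with the body present but CONTENT_LENGTH absent (what a
# chunked upload looks like to the app) and returns the response status.
def request_status(stack, body, content_length: nil)
  env = { 'REQUEST_METHOD' => 'POST', 'rack.input' => StringIO.new(body) }
  env['CONTENT_LENGTH'] = content_length.to_s if content_length
  stack.call(env).first
end

puts request_status(STACK, 'a' * 1000) if $PROGRAM_NAME == __FILE__ # 413
```

The proxy should still be the first line: nginx's `client_max_body_size` applies to chunked request bodies as well, and rejecting there costs the application nothing. This middleware is defence in depth behind it, and it must sit before any middleware or framework code that reads the body.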

How to fix CVE-2026-34829 in Rack

Patch immediately
  1. Update Rack to version 3.1.21 or later.

Update Rack:
gem update rack

Verify with:
gem list rack

Workaround: Enforce request body size limits at the reverse proxy.

NextGuard automatically flags CVE-2026-34829 if [Rack] appears in any of your monitored projects — no manual lookup required.

Rack: Static Prefix Matching

CVSS: 7.5
Affected versions: Applications using `Rack::Static` with Rack versions prior to 2.2.23 (2.2 series) or prior to 3.1.21 (3.1 series).

High severity due to potential information disclosure.

`Rack::Static` decides whether it owns a request with a plain string prefix test against the configured `urls`, so a prefix such as `/public` also matches `/publicity.txt`. Files under the static root that were never meant to be served through the configured prefixes can therefore be fetched.
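Both `Rack::Static` issues on this page, the prefix matching above and the URL-encoded header rule bypass (CVE-2026-34786) earlier, come down to matching a request path without normalizing it first. The following added example, not Rack's code, models the two checks in reduced form with a vulnerable and a hardened variant each. The rule formats follow `Rack::Static`'s `header_rules` (`:all`, a prefix string, an array of extensions, a regexp); the segment-boundary test and decode-before-match are this example's own hardening, not a description of the upstream patch, and the configuration is constructed.

```ruby
# Added example, not Rack's code. The hardening and the STATIC configuration are this
# example's assumptions; rule formats follow Rack::Static's documented header_rules.
class StaticRouting
  def initialize(urls:, header_rules:)
    @urls = urls
    @header_rules = header_rules
  end

  # Vulnerable route match: a bare prefix test, so urls: ['/public'] also claims
  # '/publicity.txt' and any other sibling under the static root.
  def serves_vulnerable?(path)
    @urls.any? { |u| path.start_with?(u) }
  end

  # Hardened: the prefix must be the whole path or end exactly at a segment boundary.
  def serves_hardened?(path)
    @urls.any? { |u| path == u || path.start_with?(u.end_with?('/') ? u : "#{u}/") }
  end

  # Vulnerable header selection: rules see the raw, still percent-encoded path, while the
  # file lookup decodes it, so '/%69mages/x.png' is served without the '/images' headers.
  def headers_vulnerable(path)
    collect_headers(path)
  end

  # Hardened: decode exactly once, the same way the file server does, then match.
  def headers_hardened(path)
    collect_headers(unescape_path(path))
  end

  private

  # Models Rack::Utils.unescape_path: %XX only, no '+' handling.
  def unescape_path(path)
    path.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
  end

  def collect_headers(path)
    @header_rules.each_with_object({}) do |(rule, headers), acc|
      acc.merge!(headers) if rule_matches?(rule, path)
    end
  end

  def rule_matches?(rule, path)
    case rule
    when :all then true
    when String then path.start_with?(rule)
    when Array then rule.any? { |ext| path.end_with?(".#{ext}") }
    when Regexp then rule.match?(path)
    else false
    end
  end
end

# Constructed configuration for the demo.
STATIC = StaticRouting.new(
  urls: ['/public'],
  header_rules: [
    [:all, { 'X-Content-Type-Options' => 'nosniff' }],
    ['/images', { 'Cache-Control' => 'public, max-age=31536000' }],
    [%w[js css], { 'Cache-Control' => 'public, max-age=3600' }]
  ]
)

if $PROGRAM_NAME == __FILE__
  puts STATIC.serves_vulnerable?('/publicity.txt')      # true
  puts STATIC.serves_hardened?('/publicity.txt')        # false
  puts STATIC.headers_vulnerable('/%69mages/logo.png')  # only the :all header
  puts STATIC.headers_hardened('/%69mages/logo.png')    # :all plus the /images header
end
```

The common rule: canonicalize the path once, in one place, and run every decision (routing, header rules, the filesystem lookup) against that same canonical form. Decoding in one check but not another is what turns an encoding into a bypass.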

How to fix CVE-2026-34785 in Rack

Patch immediately
  1. Update Rack to version 2.2.23 or later.

Update Rack:
gem update rack

Verify with:
gem list rack

Workaround: Avoid placing sensitive files under the static root.

NextGuard automatically flags CVE-2026-34785 if [Rack] appears in any of your monitored projects — no manual lookup required.

Rack: Encoding Selection Denial of Service

CVSS: 5.3
Affected versions: Applications using `Rack::Deflater` with Rack versions prior to 3.1.21.

Moderate severity due to potential denial of service.

Rack's encoding selection logic exhibits quadratic complexity with wildcard `Accept-Encoding` headers, leading to denial of service.

How to fix CVE-2026-34230 in Rack

Patch immediately
  1. Update Rack to version 3.1.21 or later.

Update Rack:
gem update rack

Verify with:
gem list rack

Workaround: Apply request filtering or header restrictions at the reverse proxy.

NextGuard automatically flags CVE-2026-34230 if [Rack] appears in any of your monitored projects — no manual lookup required.

Rack: Multipart Header Parsing Denial of Service

CVSS: 7.5
Affected versions: Applications using `Rack::Multipart::Parser` with Rack versions prior to 3.1.21.

High severity due to potential denial of service.

Rack's multipart header parsing exhibits quadratic complexity with escape-heavy quoted parameters, leading to denial of service.

How to fix CVE-2026-34827 in Rack

Patch immediately
  1. Update Rack to version 3.1.21 or later.

Update Rack:
gem update rack

Verify with:
gem list rack

Workaround: Apply request throttling or rate limiting to multipart endpoints.

NextGuard automatically flags CVE-2026-34827 if [Rack] appears in any of your monitored projects — no manual lookup required.

Rack: Multipart Byte Range Processing Denial of Service

CVSS: 7.5
Affected versions: Applications using `Rack::Multipart::Parser` with Rack versions prior to 3.1.21.

High severity due to potential denial of service.

Rack's multipart byte range processing allows denial of service via excessive overlapping ranges.

How to fix CVE-2026-34826 in Rack

Patch immediately
  1. Update Rack to version 3.1.21 or later.

Update Rack:
gem update rack

Verify with:
gem list rack

Workaround: Apply request filtering or header restrictions at the reverse proxy.

NextGuard automatically flags CVE-2026-34826 if [Rack] appears in any of your monitored projects — no manual lookup required.

Stay ahead of Ruby vulnerabilities

Proactively identify and address security risks in your Ruby projects. NextGuard provides comprehensive dependency scanning and vulnerability monitoring to keep your applications secure.


These newly disclosed vulnerabilities in Rack highlight the importance of keeping dependencies up to date and of defence in depth at the proxy layer. Update Rack to the fixed versions listed above, confirm the version that is actually locked and deployed, and review your application's `Rack::Static`, `Rack::Sendfile` and session configuration to mitigate residual risk. See all Ruby vulnerabilities on NextGuard.

Related topics

ruby, rack, web security, vulnerability management, denial of service