Platform: ruby
Component: rack
Fixed in: 2.2.24, 3.0.1, 3.2.1, 2.2.23
CVE-2026-34230 describes a denial-of-service (DoS) vulnerability within the Ruby Rack library, specifically impacting the Rack::Deflater middleware. This flaw arises from inefficient processing of Accept-Encoding headers, leading to quadratic time complexity when wildcard entries are present. Applications utilizing Rack::Deflater are susceptible, and upgrading to version 2.2.23 resolves the issue.
An attacker can exploit this vulnerability by sending a single HTTP request containing a specially crafted Accept-Encoding header with numerous wildcard (*) entries. The `Rack::Utils.select_best_encoding` method, which Rack::Deflater uses to choose the response encoding, expands each of these wildcards, and the work grows quadratically with the number of entries, so CPU consumption rises sharply. This disproportionate CPU load can overwhelm the server and deny service to legitimate users. The impact is particularly severe for applications handling high volumes of requests or those deployed in resource-constrained environments.
CVE-2026-34230 was publicly disclosed on April 2, 2026. There is no indication of active exploitation at this time. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is not widely available, but the vulnerability's nature makes it relatively straightforward to reproduce.
Exploit Status
EPSS: 0.05% (16th percentile)
The primary mitigation for CVE-2026-34230 is to upgrade the Rack library to version 2.2.23 or later. If an immediate upgrade is not feasible due to compatibility concerns or breaking changes, consider implementing a temporary workaround by filtering or limiting the number of wildcard entries in the Accept-Encoding header on the web server or reverse proxy. Web Application Firewalls (WAFs) can also be configured to block requests with excessively long or complex Accept-Encoding headers. After upgrading, confirm the fix by sending a request with a crafted Accept-Encoding header containing multiple wildcards and verifying that CPU usage remains within acceptable limits.
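A stopgap of the kind described above, added here as an example (it is not Rack's own code and not the upstream fix): a middleware placed in front of Rack::Deflater that rejects requests whose Accept-Encoding header carries more than a small number of entries or more than one wildcard, so the header never reaches the quadratic path. The limits, the echo app and the sample headers are assumptions constructed for this example.

```ruby
# Rack-style middleware that caps Accept-Encoding entries before Rack::Deflater
# runs. Insert it earlier in the stack: `use AcceptEncodingLimiter` above
# `use Rack::Deflater`. Constructed for this page; not part of Rack.
class AcceptEncodingLimiter
  MAX_ENTRIES   = 16 # assumed budget; real clients send a handful of codings
  MAX_WILDCARDS = 1  # a legitimate client never needs more than one "*"

  def initialize(app, max_entries: MAX_ENTRIES, max_wildcards: MAX_WILDCARDS)
    @app = app
    @max_entries = max_entries
    @max_wildcards = max_wildcards
  end

  def call(env)
    header = env["HTTP_ACCEPT_ENCODING"]
    return @app.call(env) if header.nil? || header.strip.empty?

    # Split on commas, then look only at the coding token (drop ";q=..." parameters).
    entries   = header.split(",").map(&:strip).reject(&:empty?)
    wildcards = entries.count { |e| e.split(";").first.strip == "*" }

    if entries.size > @max_entries || wildcards > @max_wildcards
      # Reject outright: no real client sends such a header, and stripping it
      # silently would hide the abuse from logs and alerting.
      return [400, { "content-type" => "text/plain" }, ["Bad Accept-Encoding header\n"]]
    end

    @app.call(env)
  end
end

# Stand-in for the downstream application (constructed for the example).
ECHO_APP = ->(_env) { [200, { "content-type" => "text/plain" }, ["ok\n"]] }

# Build a minimal Rack env for a given header value and return the status code.
def status_for_accept_encoding(value)
  env = { "REQUEST_METHOD" => "GET", "PATH_INFO" => "/" }
  env["HTTP_ACCEPT_ENCODING"] = value unless value.nil?
  AcceptEncodingLimiter.new(ECHO_APP).call(env).first
end

# Constructed sample inputs: an ordinary browser header and an abusive one of
# the shape this advisory describes (many wildcard entries).
NORMAL_HEADER  = "gzip, deflate, br"
ABUSIVE_HEADER = Array.new(5000, "*").join(",")

puts status_for_accept_encoding(NORMAL_HEADER)  # 200
puts status_for_accept_encoding(ABUSIVE_HEADER) # 400
```

After upgrading Rack, the same harness doubles as the verification step the text calls for: feed ABUSIVE_HEADER through the patched Rack::Deflater and confirm request time stays flat.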
Update the Rack gem to version 2.2.23, 3.1.21, or 3.2.6, or higher. This corrects the denial of service vulnerability caused by quadratic complexity in processing Accept-Encoding headers. Run `gem update rack` to update.
CVE-2026-34230 is a denial-of-service vulnerability in the Ruby Rack library's Deflater middleware. A crafted Accept-Encoding header can cause excessive CPU usage, potentially leading to a server outage.
You are affected if your Ruby application uses Rack version 2.2.9 or earlier and utilizes the Rack::Deflater middleware for compression.
Upgrade the Rack library to version 2.2.23 or later. If immediate upgrade is not possible, consider temporary workarounds like filtering Accept-Encoding headers.
There is currently no evidence of active exploitation of CVE-2026-34230, but the vulnerability's nature makes it relatively easy to reproduce.
Refer to the official Ruby security advisories and the Rack project's release notes for detailed information and updates regarding CVE-2026-34230.