Platform: ruby
Component: rack
Fixed in: 2.2.24, 3.0.1, 3.2.1, 2.2.23
CVE-2026-34230 describes a denial-of-service (DoS) vulnerability within the Ruby Rack library, specifically impacting the Rack::Deflater middleware. This flaw arises from inefficient processing of Accept-Encoding headers, leading to quadratic time complexity when wildcard entries are present. Applications utilizing Rack::Deflater are susceptible, and upgrading to version 2.2.23 resolves the issue.
An attacker can exploit this vulnerability by sending a single HTTP request containing a specially crafted Accept-Encoding header with numerous wildcard (*) entries. The Rack::Utils.select_best_encoding method, which Rack::Deflater uses to choose the response encoding, expands each of these wildcards, and the resulting quadratic work causes a large increase in CPU consumption. This disproportionate CPU load can overwhelm the server and deny service to legitimate users. The impact is particularly severe for applications handling high volumes of requests or those deployed in resource-constrained environments.
CVE-2026-34230 was publicly disclosed on April 2, 2026. There is no indication of active exploitation at this time. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is not widely available, but the vulnerability's nature makes it relatively straightforward to reproduce.
Ruby applications that rely on the Rack library and utilize the Rack::Deflater middleware are at risk. This includes web applications built with frameworks like Ruby on Rails, Sinatra, and Padrino. Shared hosting environments where Rack is a dependency are also potentially vulnerable.
• ruby / server:
ps aux | grep rack
• ruby / server:
journalctl -u rack | grep "select_best_encoding"
• generic web:
curl -I <target_url> | grep Accept-Encoding
Disclosure
Exploit Status
EPSS
0.05% (16th percentile)
CISA SSVC
CVSS-vector
The primary mitigation for CVE-2026-34230 is to upgrade the Rack library to version 2.2.23 or later. If an immediate upgrade is not feasible due to compatibility concerns or breaking changes, consider implementing a temporary workaround by filtering or limiting the number of wildcard entries in the Accept-Encoding header on the web server or reverse proxy. Web Application Firewalls (WAFs) can also be configured to block requests with excessively long or complex Accept-Encoding headers. After upgrading, confirm the fix by sending a request with a crafted Accept-Encoding header containing multiple wildcards and verifying that CPU usage remains within acceptable limits.
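As an added illustration of the temporary workaround described above (limiting wildcard entries in Accept-Encoding before the request reaches Rack::Deflater), the following middleware is example code written for this page; it is not code from the advisory or from the Rack project. The class name, the limits, and the `guarded_status` helper are assumptions. It relies only on the Rack calling convention (an env Hash in, `[status, headers, body]` out), so it runs with plain Ruby and can be placed in front of `Rack::Deflater` in a `config.ru` with `use AcceptEncodingGuard`.

```ruby
# Added example (not code from the advisory or the Rack project): a minimal
# Rack-compatible middleware that rejects requests whose Accept-Encoding header
# carries more entries or more "*" wildcards than a configured limit, so that
# Rack::Deflater never calls select_best_encoding on an abusive header.
class AcceptEncodingGuard
  # Constructed defaults; tune them for your application. Legitimate clients
  # send a handful of codings and at most one "*".
  DEFAULT_MAX_ENTRIES   = 16
  DEFAULT_MAX_WILDCARDS = 1

  def initialize(app, max_entries: DEFAULT_MAX_ENTRIES, max_wildcards: DEFAULT_MAX_WILDCARDS)
    @app = app
    @max_entries = max_entries
    @max_wildcards = max_wildcards
  end

  def call(env)
    header = env["HTTP_ACCEPT_ENCODING"]
    if header && self.class.excessive?(header, max_entries: @max_entries, max_wildcards: @max_wildcards)
      # Reject before any downstream middleware (e.g. Rack::Deflater) parses it.
      return [400, { "content-type" => "text/plain" }, ["Bad Request: Accept-Encoding rejected\n"]]
    end
    @app.call(env)
  end

  # Splits the header on commas, drops ";q=..." parameters and empty entries.
  # This is a single linear pass over the header, independent of wildcard count.
  def self.codings(header)
    header.split(",").map { |entry| entry.split(";").first.to_s.strip }.reject(&:empty?)
  end

  # True when the header exceeds either limit.
  def self.excessive?(header, max_entries: DEFAULT_MAX_ENTRIES, max_wildcards: DEFAULT_MAX_WILDCARDS)
    list = codings(header)
    list.size > max_entries || list.count("*") > max_wildcards
  end
end

# Constructed downstream app standing in for Rack::Deflater plus the real application.
UPSTREAM_APP = ->(_env) { [200, { "content-type" => "text/plain" }, ["ok\n"]] }

# Builds a Rack env with the given Accept-Encoding value (nil = header absent)
# and returns the HTTP status the guarded stack produces.
def guarded_status(accept_encoding)
  env = { "REQUEST_METHOD" => "GET", "PATH_INFO" => "/" }
  env["HTTP_ACCEPT_ENCODING"] = accept_encoding unless accept_encoding.nil?
  AcceptEncodingGuard.new(UPSTREAM_APP).call(env).first
end

if __FILE__ == $PROGRAM_NAME
  puts guarded_status("gzip, deflate, br")        # typical browser header -> 200
  puts guarded_status("gzip;q=1.0, *;q=0.5")      # one wildcard is allowed  -> 200
  puts guarded_status((["*"] * 200).join(", "))   # constructed test input   -> 400
end
```

The third call is the kind of request the advisory suggests using to confirm the fix after upgrading; with the guard in place it is answered with 400 before any compression code runs, and CPU use stays flat regardless of how many wildcards the header contains.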
Update the Rack gem to version 2.2.23, 3.1.21 or 3.2.6, or later. This corrects the denial-of-service vulnerability caused by the quadratic complexity in processing Accept-Encoding headers. Run `gem update rack` to update.
CVE-2026-34230 is a denial-of-service vulnerability in the Ruby Rack library's Deflater middleware. A crafted Accept-Encoding header can cause excessive CPU usage, potentially leading to a server outage.
You are affected if your Ruby application uses Rack version 2.2.9 or earlier and utilizes the Rack::Deflater middleware for compression.
Upgrade the Rack library to version 2.2.23 or later. If immediate upgrade is not possible, consider temporary workarounds like filtering Accept-Encoding headers.
There is currently no evidence of active exploitation of CVE-2026-34230, but the vulnerability's nature makes it relatively easy to reproduce.
Refer to the official Ruby security advisories and the Rack project's release notes for detailed information and updates regarding CVE-2026-34230.