Platform
ruby
Component
rack
Fixed in
2.2.24
3.0.1
3.2.1
2.2.23
CVE-2026-34829 describes an Unrestricted File Upload vulnerability within the Ruby Rack framework, specifically affecting versions up to 2.2.9. This flaw allows unauthenticated attackers to bypass file size limitations and upload arbitrarily large files, potentially leading to denial-of-service through disk exhaustion. The vulnerability was published on April 2, 2026, and a fix is available in version 2.2.23.
The core of the vulnerability lies in how Rack::Multipart::Parser handles requests without a Content-Length header, particularly when using HTTP chunked transfer encoding. Normally, the parser would limit the size of uploaded files. However, due to a flaw in the logic, the parser doesn't enforce this limit when the Content-Length header is missing. This allows an attacker to stream an arbitrarily large multipart file directly to disk, bypassing the intended size restrictions. The primary impact is denial of service (DoS) through disk exhaustion, as the attacker can fill up the server's storage space. While direct code execution isn't immediately possible, a sufficiently large uploaded file could potentially trigger other vulnerabilities or instability within the application or server.
As of the publication date, there is no public proof-of-concept (PoC) code available for CVE-2026-34829. The vulnerability's severity is rated HIGH (CVSS 7.5), indicating a significant risk. It is not currently listed on KEV or EPSS, suggesting a low to medium probability of exploitation in the near term. However, the ease of exploitation (requiring only a crafted multipart request) means it could become a target for opportunistic attackers.
Exploit Status
EPSS
0.05% (17th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-34829 is to upgrade to Rack version 2.2.23 or later, which includes the fix for this vulnerability. If upgrading is not immediately feasible, consider implementing temporary workarounds. One approach is to configure a web application firewall (WAF) or reverse proxy to enforce strict file size limits on multipart uploads, regardless of the Content-Length header. Another workaround involves modifying the Rack application to explicitly check and reject uploads exceeding a reasonable size threshold. Monitor disk space usage closely to detect potential exploitation attempts. After upgrading, confirm the fix by attempting a large multipart upload and verifying that the upload is rejected with an appropriate error message.
Update the Rack gem to version 2.2.23, 3.1.21 or 3.2.6, or later, as appropriate for your current version. This fixes the denial-of-service vulnerability caused by multipart file uploads with no size limit.
CVE-2026-34829 is a HIGH severity vulnerability in Ruby Rack versions up to 2.2.9. It allows attackers to bypass file size limits and upload arbitrarily large files, potentially leading to disk exhaustion and denial of service.
You are affected if you are using Ruby Rack version 2.2.9 or earlier. Check your Rack version using ruby -v and require 'rack'; puts Rack.version to determine if you need to upgrade.
Upgrade to Ruby Rack version 2.2.23 or later to remediate the vulnerability. As a temporary workaround, implement WAF rules or application-level checks to limit file upload sizes.
As of the publication date, there are no reports of active exploitation. However, the ease of exploitation means it could become a target.
Refer to the Ruby Rack project's official website and security advisories for the latest information and updates regarding CVE-2026-34829.