Platform: ruby
Component: rack
Fixed versions: 2.2.24, 3.0.1, 3.2.1, 2.2.23
CVE-2026-34230 describes a denial-of-service (DoS) vulnerability within the Ruby Rack library, specifically impacting the Rack::Deflater middleware. This flaw arises from inefficient processing of Accept-Encoding headers, leading to quadratic time complexity when wildcard entries are present. Applications utilizing Rack::Deflater are susceptible, and upgrading to version 2.2.23 resolves the issue.
An attacker can exploit this vulnerability by sending a single HTTP request whose Accept-Encoding header contains numerous wildcard (`*`) entries. The `Rack::Utils.select_best_encoding` method, which Rack::Deflater calls to pick the response encoding, expands each wildcard against the list of available encodings, so processing time grows quadratically with the number of entries and CPU consumption rises sharply. This disproportionate CPU load can overwhelm the server and deny service to legitimate users. The impact is most severe for applications handling high request volumes or running in resource-constrained environments.
CVE-2026-34230 was publicly disclosed on April 2, 2026. There is no indication of active exploitation at this time. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept (PoC) code is not widely available, but the vulnerability's nature makes it relatively straightforward to reproduce.
Ruby applications that rely on the Rack library and utilize the Rack::Deflater middleware are at risk. This includes web applications built with frameworks like Ruby on Rails, Sinatra, and Padrino. Shared hosting environments where Rack is a dependency are also potentially vulnerable.
• ruby / server:
ps aux | grep rack
• ruby / server:
journalctl -u rack | grep "select_best_encoding"
• generic web:
curl -I <target_url> | grep Accept-Encoding
Disclosure
Exploitation status
EPSS
0.05% (16th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-34230 is to upgrade the Rack library to version 2.2.23 or later. If an immediate upgrade is not feasible due to compatibility concerns or breaking changes, consider implementing a temporary workaround by filtering or limiting the number of wildcard entries in the Accept-Encoding header on the web server or reverse proxy. Web Application Firewalls (WAFs) can also be configured to block requests with excessively long or complex Accept-Encoding headers. After upgrading, confirm the fix by sending a request with a crafted Accept-Encoding header containing multiple wildcards and verifying that CPU usage remains within acceptable limits.
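One way to apply the header-filtering workaround at the application layer, as an added example that is not code from the Rack project or this advisory: a Rack-compatible middleware inserted ahead of Rack::Deflater that collapses repeated wildcard entries to one and refuses headers exceeding a size or entry budget, so the encoding selection never sees a pathological list. The class name, the limits and the 400 response are this example's own assumptions.

```ruby
# Constructed example middleware (not part of Rack). Mount it before
# Rack::Deflater, e.g. `use AcceptEncodingGuard` then `use Rack::Deflater`.
class AcceptEncodingGuard
  MAX_HEADER_BYTES = 256   # assumed budget; tune for your clients
  MAX_ENTRIES      = 16    # assumed budget; real clients send a handful

  def initialize(app, max_bytes: MAX_HEADER_BYTES, max_entries: MAX_ENTRIES)
    @app = app
    @max_bytes = max_bytes
    @max_entries = max_entries
  end

  # Returns a normalised header value, or nil when the header is over budget.
  # Only the first wildcard entry ("*" or "*;q=...") is kept; repeated
  # wildcards are what drives the quadratic cost described above.
  def self.normalize(value, max_bytes:, max_entries:)
    return nil if value.bytesize > max_bytes
    entries = value.split(",").map(&:strip).reject(&:empty?)
    return nil if entries.size > max_entries

    seen_wildcard = false
    kept = entries.reject do |entry|
      wildcard = entry.start_with?("*")
      drop = wildcard && seen_wildcard
      seen_wildcard ||= wildcard
      drop
    end
    kept.join(", ")
  end

  def call(env)
    raw = env["HTTP_ACCEPT_ENCODING"]
    return @app.call(env) if raw.nil? || raw.empty?

    normalized = self.class.normalize(raw, max_bytes: @max_bytes,
                                           max_entries: @max_entries)
    if normalized.nil?
      # Refuse outright rather than let Deflater spend CPU on the header.
      return [400, { "content-type" => "text/plain" },
              ["Bad Accept-Encoding header\n"]]
    end

    env["HTTP_ACCEPT_ENCODING"] = normalized
    @app.call(env)
  end
end
```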
Update the Rack gem to version 2.2.23, 3.1.21, or 3.2.6 or later. This fixes the denial-of-service vulnerability caused by quadratic complexity in Accept-Encoding header handling. Run `gem update rack` to update.
CVE-2026-34230 is a denial-of-service vulnerability in the Ruby Rack library's Deflater middleware. A crafted Accept-Encoding header can cause excessive CPU usage, potentially leading to a server outage.
You are affected if your Ruby application uses Rack version 2.2.9 or earlier and utilizes the Rack::Deflater middleware for compression.
Upgrade the Rack library to version 2.2.23 or later. If immediate upgrade is not possible, consider temporary workarounds like filtering Accept-Encoding headers.
There is currently no evidence of active exploitation of CVE-2026-34230, but the vulnerability's nature makes it relatively easy to reproduce.
Refer to the official Ruby security advisories and the Rack project's release notes for detailed information and updates regarding CVE-2026-34230.