CVE-2026-34829: Rack: Denial of Service via Unbounded Multipart File Upload Without Content-Length

Published Apr 2, 2026
·
Updated

Summary

Rack::Multipart::Parser only wraps the request body in a BoundedIO when CONTENTLENGTH is present. When a multipart/form-data request is sent without a Content-Length header, such as with HTTP chunked transfer encoding, multipart parsing continues until end-of-stream with no total size limit.

For file parts, the uploaded body is written directly to a temporary file on disk rather than being constrained by the buffered in-memory upload limit. An unauthenticated attacker can therefore stream an arbitrarily large multipart file upload and consume unbounded disk space.

This results in a denial of service condition for Rack applications that accept multipart form data.

Details

Rack::Multipart::Parser.parse applies BoundedIO only when contentlength is not nil:

ruby io = BoundedIO.new(io, contentlength) if contentlength

When CONTENTLENGTH is absent, the parser reads the multipart body until EOF without a global byte limit.

Although Rack enforces BUFFEREDUPLOADBYTESIZELIMIT for retained non-file parts, file uploads are handled differently. When a multipart part includes a filename, the body is streamed to a Tempfile, and the retained-size accounting is not applied to that file content. As a result, file parts are not subject to the same upload size bound.

An attacker can exploit this by sending a chunked multipart/form-data request containing a file part and continuously streaming data without declaring a Content-Length. Rack will continue writing the uploaded data to disk until the client stops or the server exhausts available storage.

Impact

Any Rack application that accepts multipart/form-data uploads may be affected if no upstream component enforces a request body size limit.

An unauthenticated attacker can send a large chunked file upload to consume disk space on the application host. This may cause request failures, application instability, or broader service disruption if the host runs out of available storage.

The practical impact depends on deployment architecture. Reverse proxies or application servers that enforce upload limits may reduce or eliminate exploitability, but Rack itself does not impose a total multipart upload limit in this code path when CONTENTLENGTH is absent.

Mitigation

Update to a patched version of Rack that enforces a total multipart upload size limit even when CONTENTLENGTH is absent. Enforce request body size limits at the reverse proxy or application server. Isolate temporary upload storage and monitor disk consumption for multipart endpoints.

Other sources

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser only wraps the request body in a BoundedIO when CONTENTLENGTH is present. When a multipart/form-data request is sent without a Content-Length header, such as with HTTP chunked transfer encoding, multipart parsing continues until end-of-stream with no total size limit. For file parts, the uploaded body is written directly to a temporary file on disk rather than being constrained by the buffered in-memory upload limit. An unauthenticated attacker can therefore stream an arbitrarily large multipart file upload and consume unbounded disk space. This results in a denial of service condition for Rack applications that accept multipart form data. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.

MITRE

Affected Software

6 affected componentsFixes available
rubygems/rack>=3.2.0<3.2.6
3.2.6
rubygems/rack>=3.0.0.beta1<3.1.21
3.1.21
rubygems/rack<2.2.23
2.2.23
Rack Rack Ruby<2.2.23
Rack Rack Ruby>=3.0.0<3.1.21
Rack Rack Ruby>=3.2.0<3.2.6

Event History

Apr 2, 2026
CVE Published
via MITRE·04:46 PM
Data Sourced
via MITRE·04:46 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·05:16 PM
DescriptionSeverityWeakness
Data Sourced
via NVD·05:16 PM
Affected Software
Advisory Published
via GitHub·08:34 PM
Data Sourced
via GitHub·08:34 PM
DescriptionSeverityWeaknessAffected Software
Free Weekly Intel

Don't miss critical vulnerabilities

Join thousands of security professionals who receive our weekly digest of trending CVEs, zero-days, and exploited vulnerabilities.

No spam. Unsubscribe anytime.

Frequently Asked Questions

1

What is the severity of CVE-2026-34829?

CVE-2026-34829 is classified as a Denial of Service vulnerability.

2

How do I fix CVE-2026-34829?

To mitigate CVE-2026-34829, update your Rack version to 3.2.6, 3.1.21, or 2.2.23.

3

What systems are affected by CVE-2026-34829?

CVE-2026-34829 affects versions of Rack prior to 3.2.6, 3.1.21, and 2.2.23.

4

What type of attack does CVE-2026-34829 enable?

CVE-2026-34829 enables attackers to execute Denial of Service attacks through unbounded multipart file uploads.

5

Is there a workaround for CVE-2026-34829 if I cannot upgrade?

Currently, there is no recommended workaround for CVE-2026-34829; upgrading to a secure version is necessary.

Company

Resources

Contact

SecAlerts Pty Ltd.
132 Wickham Terrace
Fortitude Valley,
QLD 4006, Australia
info@secalerts.co
By using SecAlerts services, you agree to our services end-user license agreement. This website is safeguarded by reCAPTCHA and governed by the Google Privacy Policy and Terms of Service. All names, logos, and brands of products are owned by their respective owners, and any usage of these names, logos, and brands for identification purposes only does not imply endorsement. If you possess any content that requires removal, please get in touch with us.
© 2026 SecAlerts Pty Ltd.
ABN: 70 645 966 203, ACN: 645 966 203