RubySec

Providing security resources for the Ruby community

CVE-2022-44572 (rack): Denial of service via multipart parsing in Rack

ADVISORIES

GEM

rack

PATCHED VERSIONS

  • ~> 2.0.9, >= 2.0.9.2
  • ~> 2.1.4, >= 2.1.4.2
  • ~> 2.2.6, >= 2.2.6.1
  • >= 3.0.4.1

DESCRIPTION

There is a denial of service vulnerability in the multipart parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2022-44572.

Versions Affected: >= 2.0.0 Not affected: None. Fixed Versions: 2.0.9.2, 2.1.4.2, 2.2.6.1, 3.0.4.1

Impact

Carefully crafted input can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.

Workarounds

There are no feasible workarounds for this issue.

Contact us @rubysec or open an issue on our GitHub repository.

Recent Advisories