- ~> 2.0.9, >= 220.127.116.11
- ~> 2.1.4, >= 18.104.22.168
- ~> 2.2.6, >= 22.214.171.124
- >= 126.96.36.199
There is a denial of service vulnerability in the multipart parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2022-44572.
Versions Affected: >= 2.0.0 Not affected: None. Fixed Versions: 188.8.131.52, 184.108.40.206, 220.127.116.11, 18.104.22.168
Carefully crafted input can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.
There are no feasible workarounds for this issue.