Improper resource allocation In ruby-rack
Description
Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion)
Summary
Rack::Multipart::Parser buffers the entire multipart preamble (bytes before the first boundary) in memory without any size limit. A client can send a large preamble followed by a valid boundary, causing significant memory use and potential process termination due to out-of-memory (OOM) conditions.
Details
While searching for the first boundary, the parser appends incoming data into a shared buffer (@sbuf.concat(content)) and scans for the boundary pattern:
@sbuf.scan_until(@body_regex)
If the boundary is not yet found, the parser continues buffering data indefinitely. There is no trimming or size cap on the preamble, allowing attackers to send arbitrary amounts of data before the first boundary.
Impact
Remote attackers can trigger large transient memory spikes by including a long preamble in multipart/form-data requests. The impact scales with allowed request sizes and concurrency, potentially causing worker crashes or severe slowdown due to garbage collection.
Mitigation
Upgrade: Use a patched version of Rack that enforces a preamble size limit (e.g., 16 KiB) or discards preamble data entirely per RFC 2046 § 5.1.1.
Workarounds:
Limit total request body size at the proxy or web server level.
Monitor memory and set per-process limits to prevent OOM conditions.
Update Impact
Minimal update. May introduce new vulnerabilities or breaking changes.
Ecosystem | Package | Affected version | Patched versions |
|---|---|---|---|
 debian 12 | 2.2.20-0+deb12u1 | ||
debian 13 | 3.1.18-1~deb13u1 | ||
debian 11 | 2.1.4-3+deb11u4 | ||
debian 14 | 3.1.18-1 | ||
 rubygems | 2.2.19, 3.1.17, 3.2.2 | ||
 rpm rhel10 | 0:0.12.1-1.el10_1.1 | ||
rpm rhel8 | 0:0.10.18-2.el8_10.7 | ||
rpm rhel8.4 | 0:0.10.8-1.el8_4.8 | ||
rpm rhel9 | 0:0.11.10-1.el9_7.1 | ||
rpm rhel9.4 | 0:0.11.7-2.el9_4.5 |
Aliases
References