-
-
Notifications
You must be signed in to change notification settings - Fork 231
Expand file tree
/
Copy pathCVE-2026-34230.yml
More file actions
99 lines (81 loc) · 3.64 KB
/
CVE-2026-34230.yml
File metadata and controls
99 lines (81 loc) · 3.64 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
---
gem: rack
cve: 2026-34230
ghsa: v569-hp3g-36wr
url: https://github.com/rack/rack/security/advisories/GHSA-v569-hp3g-36wr
title: Rack has quadratic complexity in Rack::Utils.select_best_encoding
via wildcard Accept-Encoding header
date: 2026-04-02
description: |
## Summary
`Rack::Utils.select_best_encoding` processes `Accept-Encoding` values
with quadratic time complexity when the header contains many
wildcard (`*`) entries. Because this method is used by `Rack::Deflater`
to choose a response encoding, an unauthenticated attacker can send
a single request with a crafted `Accept-Encoding` header and cause
disproportionate CPU consumption on the compression middleware path.
This results in a denial of service condition for applications
using `Rack::Deflater`.
## Details
`Rack::Utils.select_best_encoding` expands parsed `Accept-Encoding`
values into a list of candidate encodings. When an entry is `*`,
the method computes the set of concrete encodings by subtracting
the encodings already present in the request:
```ruby
if m == "*"
(available_encodings - accept_encoding.map(&:first)).each do |m2|
expanded_accept_encoding << [m2, q, preference]
end
else
expanded_accept_encoding << [m, q, preference]
end
```
Because `accept_encoding.map(&:first)` is evaluated inside the loop,
it is recomputed for each wildcard entry. If the request contains
`N` wildcard entries, this produces repeated scans over the full
parsed header and causes quadratic behavior.
After expansion, the method also performs additional work over
`expanded_accept_encoding`, including per-entry deletion, which
further increases the cost for large inputs.
`Rack::Deflater` invokes this method for each request when the
middleware is enabled:
```ruby
Utils.select_best_encoding(ENCODINGS, Utils.parse_encodings(accept_encoding))
```
As a result, a client can trigger this expensive code path simply
by sending a large `Accept-Encoding` header containing many
repeated wildcard values.
For example, a request with an approximately 8 KB `Accept-Encoding`
header containing about 1,000 `*;q=0.5` entries can cause roughly
170 ms of CPU time in a single request on the `Rack::Deflater`
path, compared to a negligible baseline for a normal header.
This issue is distinct from CVE-2024-26146. That issue concerned
regular expression denial of service during `Accept` header parsing,
whereas this issue arises later during encoding selection after
the header has already been parsed.
## Impact
Any Rack application using `Rack::Deflater` may be affected.
An unauthenticated attacker can send requests with crafted
`Accept-Encoding` headers to trigger excessive CPU usage in the
encoding selection logic. Repeated requests can consume worker
time disproportionately and reduce application availability.
The attack does not require invalid HTTP syntax or large payload
bodies. A single header-sized request is sufficient to reach the
vulnerable code path.
## Mitigation
* Update to a patched version of Rack in which encoding selection
does not repeatedly rescan the parsed header for wildcard entries.
* Avoid enabling `Rack::Deflater` on untrusted traffic.
* Apply request filtering or header size / format restrictions
at the reverse proxy or application boundary to limit abusive
`Accept-Encoding` values.
cvss_v3: 5.3
patched_versions:
- "~> 2.2.23"
- "~> 3.1.21"
- ">= 3.2.6"
related:
url:
- https://nvd.nist.gov/vuln/detail/CVE-2026-34230
- https://github.com/rack/rack/security/advisories/GHSA-v569-hp3g-36wr
- https://github.com/advisories/GHSA-v569-hp3g-36wr