CVE-2026-34829

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-34829
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-34829.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-34829
Aliases
Downstream
Related
Published
2026-04-02T16:46:47.357Z
Modified
2026-04-06T00:44:18.967736760Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Rack: Denial of Service via Unbounded Multipart File Upload Without Content-Length
Details

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser only wraps the request body in a BoundedIO when CONTENT_LENGTH is present. When a multipart/form-data request is sent without a Content-Length header, such as with HTTP chunked transfer encoding, multipart parsing continues until end-of-stream with no total size limit. For file parts, the uploaded body is written directly to a temporary file on disk rather than being constrained by the buffered in-memory upload limit. An unauthenticated attacker can therefore stream an arbitrarily large multipart file upload and consume unbounded disk space. This results in a denial of service condition for Rack applications that accept multipart form data. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.

Database specific 
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/34xxx/CVE-2026-34829.json",
    "cwe_ids": [
        "CWE-400",
        "CWE-770"
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/rack/rack

Affected ranges

Type
GIT
Repo
https://github.com/rack/rack
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
f2af0c8f869193fa7bb7d20b619b3003418e1055
Database specific 
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.2.23"
        }
    ]
}
Type
GIT
Repo
https://github.com/rack/rack
Events
Introduced
572a42a705b423ce98ef4e81435d4f60fb0ae53d
Fixed
ae8431120e66e92d1885ab8ec0a553d9cad5ec13
Database specific 
{
    "versions": [
        {
            "introduced": "3.0.0.beta1"
        },
        {
            "fixed": "3.1.21"
        }
    ]
}
Type
GIT
Repo
https://github.com/rack/rack
Events
Introduced
b68251c03788ff39d4a4b25424df7360426e4afd
Fixed
e1f22fdbe99afd2126b6fbf05bb12399359574b7
Database specific 
{
    "versions": [
        {
            "introduced": "3.2.0"
        },
        {
            "fixed": "3.2.6"
        }
    ]
}

Affected versions

0.*
0.1
0.2
0.3
0.4
0.9
0.9.1
1.*
1.0
1.0.1
1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.2
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
1.3.0
1.3.0.beta
1.3.0.beta2
1.3.1
1.3.10
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.3.8
1.3.9
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.4.7
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.6.0
1.6.0.beta
1.6.0.beta2
1.6.1
1.6.10
1.6.11
1.6.12
1.6.13
1.6.2
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7
1.6.8
1.6.9
2.*
2.0.0
2.0.0.alpha
2.0.0.rc1
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.9.1
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.4.1
2.2.0
2.2.3
2.2.3.1
2.2.4
3.*
3.0.0
3.0.0.beta1
3.0.0.rc1
Other
test
v2.*
v2.0.9.2
v2.0.9.3
v2.0.9.4
v2.1.4.2
v2.1.4.3
v2.1.4.4
v2.2.1
v2.2.10
v2.2.11
v2.2.12
v2.2.13
v2.2.14
v2.2.15
v2.2.16
v2.2.17
v2.2.18
v2.2.19
v2.2.2
v2.2.20
v2.2.21
v2.2.22
v2.2.5
v2.2.6
v2.2.6.1
v2.2.6.2
v2.2.6.3
v2.2.6.4
v2.2.7
v2.2.8
v2.2.8.1
v2.2.9
v3.*
v3.0.1
v3.0.10
v3.0.12
v3.0.13
v3.0.14
v3.0.15
v3.0.16
v3.0.17
v3.0.18
v3.0.2
v3.0.3
v3.0.4
v3.0.4.1
v3.0.4.2
v3.0.5
v3.0.6
v3.0.6.1
v3.0.7
v3.0.8
v3.0.9
v3.0.9.1
v3.1.0
v3.1.1
v3.1.10
v3.1.11
v3.1.12
v3.1.13
v3.1.14
v3.1.15
v3.1.16
v3.1.17
v3.1.18
v3.1.19
v3.1.2
v3.1.20
v3.1.21
v3.1.3
v3.1.4
v3.1.5
v3.1.6
v3.1.7
v3.1.8
v3.1.9
v3.2.0
v3.2.1
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-34829.json"