Rack CVE-2022-30122: Denial of Service Vulnerability in Rack Multipart Parsing

Disclosed: 2022-07-23 03:20:13 By ooooooo_q To ibb
Medium
Vulnerability Details
ReDoS in `Rack::Multipart::BROKEN_QUOTED` and `Rack::Multipart::BROKEN_UNQUOTED`.

https://groups.google.com/g/ruby-security-ann/c/L2Axto442qk

> Carefully crafted multipart POST requests can cause Rack's multipart parser to take much longer than expected, leading to a possible denial of service vulnerability.

## Impact

When the client sends a specially crafted header, it causes a ReDoS on the server side. Servers that interpret POST data by default, like Rails, are affected.
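The ReDoS only becomes expensive on long inputs, so one defensive layer is to bound the length of part-header lines before Rack's multipart parser runs its regexes. The middleware below is an added example, not Rack's or the reporter's code; the class name, the 1024-byte default and the env layout (`CONTENT_TYPE`, `rack.input`) are assumptions matching the Rack environment convention.

```ruby
require "stringio"

# Added example: reject multipart bodies whose part-header lines are
# abnormally long, before the application (and Rack's parser) sees them.
class MultipartHeaderGuard
  def initialize(app, max_header_line: 1024)
    @app = app
    @max = max_header_line
  end

  def call(env)
    ctype = env["CONTENT_TYPE"].to_s
    return @app.call(env) unless ctype.downcase.start_with?("multipart/form-data")
    boundary = ctype[/boundary="?([^";]+)"?/, 1]
    return @app.call(env) unless boundary   # malformed; let the app/Rack reject it

    body = env["rack.input"].read
    env["rack.input"] = StringIO.new(body)  # give the app a fresh, rewound body
    if oversized_part_header?(body, "--#{boundary}")
      return [413, { "content-type" => "text/plain" }, ["multipart part header too long\n"]]
    end
    @app.call(env)
  end

  # True if any line between a boundary delimiter and the blank line that
  # ends that part's headers is longer than the configured cap.
  def oversized_part_header?(body, delimiter)
    in_headers = false
    body.each_line(chomp: true) do |line|
      if line.start_with?(delimiter)
        in_headers = true            # delimiter line: part headers follow
      elsif line.empty?
        in_headers = false           # blank line: part body follows
      elsif in_headers && line.bytesize > @max
        return true
      end
    end
    false
  end
end
```

Pick the cap to fit real filenames and content types your application accepts; a Content-Disposition line in legitimate traffic is normally well under a kilobyte.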
Report Stats
  • Report ID: 1627159
  • State: Closed
  • Substate: resolved
  • Upvotes: 9