Possible DoS Vulnerability in Multipart MIME parsing in rack
Low
Vulnerability Details
In Rack 3.0.4.x before 3.0.4.2, 2.2.6.x before 2.2.6.3, 2.1.4.x before 2.1.4.3 and 2.0.9.x before 2.0.9.3, the multipart request parser was subject to a Denial of Service attack. The multipart request parser processes the request body on any POST endpoint. The parser accepted an unlimited number of empty or field multipart parts. Parsing and tracking an unbounded number of parts can lead to extensive CPU usage and memory exhaustion.
The vulnerability affects all Rails applications, unless they are behind a proxy that blocks POST requests with _large_ bodies (double-digit MB). Note that each empty part costs the attacker only a boundary line and a `Content-Disposition` header, so the number of parts an attacker can send scales linearly with whatever body size the proxy still permits.
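The failure mode described above, as an added example that is not Rack's own code: a toy multipart/form-data parser in Ruby that, with no cap, allocates a record for every part it sees (the vulnerable behaviour), beside the same parser with a hard part-count limit that fails fast before touching the next part. The helper names (`build_multipart_body`, `parse_multipart`, `TooManyParts`, the `max_parts` keyword), the boundary string and the cap of 128 are assumptions chosen for illustration; the sample bodies are constructed inline.

```ruby
# Added example, not Rack's code: a toy multipart/form-data parser that shows
# why an uncapped part count is a DoS vector and how a hard cap closes it.

class TooManyParts < StandardError; end

# Construct a multipart body with `count` parts sharing one boundary.
# An attacker sends empty field parts: each costs them roughly a boundary
# line plus one Content-Disposition header, and costs the server a parse
# step and an allocation.
def build_multipart_body(boundary, count, value: "")
  body = +""
  1.upto(count) do |i|
    body << "--#{boundary}\r\n"
    body << "Content-Disposition: form-data; name=\"f#{i}\"\r\n\r\n"
    body << "#{value}\r\n"
  end
  body << "--#{boundary}--\r\n"
end

# Parse `body` into an array of { name:, value: } hashes.
# max_parts: nil -> mirrors the vulnerable behaviour: every part, empty or
#                   not, gets a record, so work and memory grow with the
#                   attacker-controlled part count.
# max_parts: N   -> fails fast with TooManyParts before parsing part N+1.
# The 128 used below is an illustrative cap (an assumption), not Rack's default.
def parse_multipart(body, boundary, max_parts: nil)
  delimiter      = "--#{boundary}"
  part_delimiter = "\r\n#{delimiter}"
  parts = []
  pos = 0
  loop do
    start = body.index(delimiter, pos)
    return parts if start.nil?                 # no more delimiters
    start += delimiter.length
    return parts if body[start, 2] == "--"     # closing delimiter reached
    # Enforce the cap before doing any work on the next part.
    if max_parts && parts.length >= max_parts
      raise TooManyParts, "request has more than #{max_parts} parts"
    end
    content_start = start + 2                  # skip the CRLF after the delimiter
    next_delim = body.index(part_delimiter, content_start)
    raise ArgumentError, "unterminated part" if next_delim.nil?
    raw = body[content_start...next_delim]
    header_end = raw.index("\r\n\r\n")
    raise ArgumentError, "part without header block" if header_end.nil?
    headers = raw[0...header_end]
    value   = raw[(header_end + 4)..-1]
    name    = headers[/name="([^"]*)"/, 1]
    parts << { name: name, value: value }     # one allocation per part
    pos = next_delim + 2
  end
end

if __FILE__ == $0
  boundary = "AaB03x"
  flood = build_multipart_body(boundary, 5000)   # 5000 empty parts, a few hundred KB
  puts "unbounded parser kept #{parse_multipart(flood, boundary).length} parts"
  begin
    parse_multipart(flood, boundary, max_parts: 128)
  rescue TooManyParts => e
    puts "bounded parser rejected the flood: #{e.message}"
  end
end
```

The point of checking the cap before parsing the next part, rather than after collecting everything, is that the cost of a rejected request stays proportional to the cap rather than to the attacker's body size; a limit that is only consulted once parsing has finished does not prevent the CPU and memory spike.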
Side note: The DoS vectors are not unique to the multipart request parser in Rack. Many other large vendors (other programming languages/frameworks/applications) were notified about the DoS vectors as well and an embargo date was set for the coordinated disclosure.
The Rack maintainers took part in a coordinated disclosure of the DoS vulnerability with many other large vendors. This required scheduling a dedicated release for the fixes in Rack. Unfortunately, the maintainers missed the embargo date due to difficulty obtaining a CVE for the vulnerability.
The issue was reported via HackerOne, the report is https://hackerone.com/reports/1789204.
## Impact
High CPU usage blocks workers and significantly delays other requests from being processed (by minutes). High memory usage can lead to the application being OOM killed.
Report Stats
- Report ID: 1954937
- State: Closed
- Substate: resolved
- Upvotes: 2