JustAppSec

Rack patches unbounded chunked multipart uploads causing disk DoS

Published 01 Apr 2026. Updated 02 Apr 2026. Source: GitHub Security Advisory (rack/rack)

TL;DR — Rack’s multipart/form-data parser can be coerced into writing unbounded data to disk when requests omit Content-Length, enabling remote disk exhaustion and denial of service.

What happened

Rack is the core Ruby webserver interface layer used by many Ruby web stacks; it provides common request/response handling and middleware hooks.

GitHub’s advisory for rack describes a DoS via unbounded multipart upload when the request is sent without a Content-Length header (e.g., via HTTP chunked transfer encoding). In this code path, Rack::Multipart::Parser only wraps the request body in a BoundedIO when CONTENT_LENGTH is present; without it, parsing continues until EOF with no total size limit.

Crucially, file parts (multipart parts with a filename) are streamed to a Tempfile on disk, and the retained-size accounting used for non-file parts does not constrain the file content. An attacker can continuously stream data and force the application host to write until storage is exhausted.

This is a high-signal failure mode for platform teams because it’s a boundary assumption bug (trusting Content-Length for containment) in a widely deployed request-parsing layer; similar “missing global limit” issues routinely become reliable, low-effort availability attacks.

Who is impacted

  • Any Rack-based application that accepts multipart/form-data uploads and does not have an upstream request-body limit enforced by a reverse proxy / ingress / app server.
Component | Affected versions (per advisory) | Patched versions (per advisory)
rack      | < 2.2.23                         | 2.2.23
rack      | >= 3.0, < 3.1.21                 | 3.1.21
rack      | >= 3.2, < 3.2.6                  | 3.2.6

What to do now

  • Follow vendor remediation guidance and apply the latest patched release available at the time of writing.
    • "Update to a patched version of Rack that enforces a total multipart upload size limit even when CONTENT_LENGTH is absent."

  • Add or validate request body size limits in front of the app (ingress / reverse proxy / application server), especially for endpoints that accept file uploads.
    • "Enforce request body size limits at the reverse proxy or application server."

  • Treat temp upload storage as an availability boundary: isolate it where possible and ensure disk-pressure alerting covers multipart-heavy routes.
    • "Isolate temporary upload storage and monitor disk consumption for multipart endpoints."
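The second recommendation, enforcing a total body cap at the application server, as an added example that is neither Rack's own code nor taken from the advisory: a Rack middleware that counts the bytes the application actually consumes from rack.input, so a request without Content-Length (chunked transfer encoding) is still bounded while the multipart parser reads toward EOF. BodyLimit and LimitedInput are names chosen for this example.

```ruby
require 'stringio'

# BodyLimit and LimitedInput are names chosen for this example, not Rack's.
class BodyLimit
  class TooLarge < StandardError; end

  # Wraps rack.input and counts every byte the app consumes: without a
  # Content-Length the parser reads to EOF, so the cap has to live here.
  class LimitedInput
    def initialize(io, limit)
      @io, @limit, @consumed = io, limit, 0
    end
    def read(length = nil, buffer = nil)
      account(@io.read(length, buffer))
    end
    def gets
      account(@io.gets)
    end
    def each
      while (line = gets) do yield line end
    end
    def rewind
      @consumed = 0
      @io.rewind
    end
    # Raise as soon as the running total exceeds the cap.
    def account(chunk)
      return chunk if chunk.nil?
      @consumed += chunk.bytesize
      raise TooLarge if @consumed > @limit
      chunk
    end
  end

  def initialize(app, limit)
    @app, @limit = app, limit
  end

  # A declared oversize body is rejected before any byte is read; an
  # undeclared one is cut off the moment the running total passes the cap.
  def call(env)
    declared = env['CONTENT_LENGTH']
    return too_large if declared && declared.to_i > @limit
    env['rack.input'] = LimitedInput.new(env['rack.input'], @limit)
    @app.call(env)
  rescue TooLarge
    too_large
  end

  def too_large
    [413, { 'content-type' => 'text/plain' }, ['Payload Too Large']]
  end
end
```

Register it before anything that parses the body (for example `use BodyLimit, 10 * 1024 * 1024` in config.ru); a proxy-level limit remains the first line of defence and upgrading Rack remains the fix.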


