10 matches found
EUVD-2026-18417
Rack's improper unfolding of folded multipart headers preserves CRLF in parsed parameter values...
CVE-2026-26962
Rack is a modular Ruby web server interface. From version 3.2.0 to before version 3.2.6, Rack::Multipart::Parser unfolds folded multipart part headers incorrectly. When a multipart header contains an obs-fold sequence, Rack preserves the embedded CRLF in parsed parameter values such as filename o...
CVE-2026-26962 Rack: Header injection in multipart requests
Rack is a modular Ruby web server interface. From version 3.2.0 to before version 3.2.6, Rack::Multipart::Parser unfolds folded multipart part headers incorrectly. When a multipart header contains an obs-fold sequence, Rack preserves the embedded CRLF in parsed parameter values such as filename o...
PT-2026-29923
Summary Rack::Multipart::Parser unfolds folded multipart part headers incorrectly. When a multipart header contains an obs-fold sequence, Rack preserves the embedded CRLF in parsed parameter values such as filename or name instead of removing the folded line break during unfolding. As a result,...
PT-2026-29841
Name of the Vulnerable Software and Affected Versions Rack versions 3.2.0 through 3.2.5 Description Rack’s Rack::Multipart::Parser incorrectly unfolds folded multipart part headers. When a multipart header contains an obs-fold sequence, Rack preserves the embedded CRLF in parsed parameter values...
SUSE-SU-2022:3503-1 Security update for nodejs12
This update for nodejs12 fixes the following issues: - CVE-2022-35256: Fixed incorrect parsing of header fields (bsc#1203832). - CVE-2022-32213: Fixed bypass via obs-fold mechanic (bsc#1201325)...
Updated nodejs packages fix security vulnerability
DNS rebinding in --inspect on macOS CVE-2022-32212 Bypass via obs-fold mechanic CVE-2022-32213 HTTP Request Smuggling Due to Incorrect Parsing of Header Fields CVE-2022-35256...
Security fix for the ALT Linux 10 package node version 16.17.1-alt1
Sept. 30, 2022 Vitaly Lipatov 16.17.1-alt1 - new version 16.17.1 with rpmrb script - set npm = 8.15.0 - CVE-2022-32212: DNS rebinding in --inspect on macOS High - CVE-2022-32213: bypass via obs-fold mechanic Medium - CVE-2022-35255: Weak randomness in WebCrypto keygen - CVE-2022-35256: HTTP Reque...
September 23rd 2022 Security Releases
September 23rd 2022 Security Releases Update 26-September-2022 Security releases available Recommendation update regarding CVE-2022-35255: Roll-out and re-issue all keys generated with WebCrypto.subtle.generateKey. Re-evaluate the confidentiality of data encrypted with those keys. Update...
Node.js: CVE-2022-32213 bypass via obs-fold mechanic
Summary The fix for CVE-2022-32213 can be bypassed using an obs-fold, which Node's http parser supports. Proof-Of-Concept const http = require'http'; http.createServerrequest, response = let body = ; request.on'error', err = response.end"error while reading body: " + err .on'data', chunk =...