4 matches found
Rack has quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header
Summary Rack::Utils.selectbestencoding processes Accept-Encoding values with quadratic time complexity when the header contains many wildcard entries. Because this method is used by Rack::Deflater to choose a response encoding, an unauthenticated attacker can send a single request with a crafted...
CVE-2026-34230
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.selectbestencoding processes Accept-Encoding values with quadratic time complexity when the header contains many wildcard entries. Because this method is used by Rack::Deflater to choose a respon...
CVE-2026-34230
Rack is a modular Ruby web server interface. CVE-2026-34230 describes a denial-of-service risk where Rack::Utils.select_best_encoding enters quadratic time on Accept-Encoding headers with many wildcard entries, enabling an unauthenticated attacker to exhaust CPU in the Rack::Deflater path. The is...
Rack has quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header
Summary Rack::Utils.selectbestencoding processes Accept-Encoding values with quadratic time complexity when the header contains many wildcard entries. Because this method is used by Rack::Deflater to choose a response encoding, an unauthenticated attacker can send a single request with a crafted...