A possible denial of service vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 in the multipart parsing component of Rack.
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Name | Vendor | Start Version | End Version |
---|---|---|---|
Rack | Rack_project | 1.2 (including) | 2.0.9.1 (excluding) |
Rack | Rack_project | 2.1.0 (including) | 2.1.4.1 (excluding) |
Rack | Rack_project | 2.2.0 (including) | 2.2.3.1 (excluding) |
Attackers can create crafted inputs that
intentionally cause the regular expression to use
excessive backtracking in a way that causes the CPU
consumption to spike.