CVE-2018-16470

EPSS 2.0% · CWE-400
In short

The multipart parser in Rack before version 2.0.6 can be abused by specially crafted requests to consume excessive CPU resources, causing the application to slow down or become unresponsive.

Technical detail

A denial-of-service vulnerability exists in Rack's multipart parser (versions prior to 2.0.6) where maliciously crafted multipart requests trigger a pathological parsing condition, causing disproportionate CPU consumption relative to request size. This attack requires network access to send crafted HTTP requests but no authentication. The impact is availability degradation of the targeted application.

Summary generated and translated by AI from the official description.
There is a possible DoS vulnerability in the multipart parser in Rack before 2.0.6. Specially crafted requests can cause the multipart parser to enter a pathological state, causing the parser to use CPU resources disproportionate to the request size.
Affected products
Rack · Rack
