
Uncontrolled Resource Consumption

CVE-2025-46727

Severity High
Score 7.5/10

Summary

Rack is a modular Ruby web server interface. In affected versions prior to 2.2.14, 3.0.x prior to 3.0.16, and 3.1.x prior to 3.1.14, the "Rack::QueryParser" class parses query strings and "application/x-www-form-urlencoded" bodies into Ruby data structures without imposing any limit on the number of parameters. This allows attackers to send requests with extremely large numbers of parameters.

The vulnerability arises because "Rack::QueryParser" iterates over each "&"-separated key-value pair and adds it to a Hash without enforcing an upper bound on the total number of parameters. As a result, an attacker can send a single request containing hundreds of thousands (or more) of parameters, consuming excessive memory and CPU resources during parsing.

An attacker can trigger a Denial of Service (DoS) by sending specifically crafted HTTP requests, which may cause memory exhaustion or lock up CPU resources. This can stall or crash the Rack server, resulting in a complete service disruption until the affected worker is restarted.

Several mitigations are available. You can use middleware to enforce a maximum query string size or parameter count. Alternatively, a reverse proxy (such as Nginx) can be configured to limit request sizes and reject oversized query strings or bodies. Limiting request body sizes and query string lengths at the web server or CDN level is an effective way to mitigate this issue.

CVSS v3.1 base metrics (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H):

  • Attack Complexity: LOW
  • Attack Vector: NETWORK
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • User Interaction: NONE
  • Confidentiality Impact: NONE
  • Integrity Impact: NONE
  • Availability Impact: HIGH

CWE-400 - Uncontrolled resource consumption

An uncontrolled resource allocation attack (also known as resource exhaustion attack) triggers unauthorized overconsumption of the limited resources in an application, such as memory, file system storage, database connection pool entries, and CPU. This may lead to denial of service for valid users and degradation of the application's functionality as well as that of the host operating system.

Advisory Timeline

  • Published