-
-
Notifications
You must be signed in to change notification settings - Fork 231
Expand file tree
/
Copy pathCVE-2026-26961.yml
More file actions
84 lines (68 loc) · 3.05 KB
/
CVE-2026-26961.yml
File metadata and controls
84 lines (68 loc) · 3.05 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
---
gem: rack
cve: 2026-26961
ghsa: vgpv-f759-9wx3
url: https://github.com/rack/rack/security/advisories/GHSA-vgpv-f759-9wx3
title: Rack's greedy multipart boundary parsing can cause parser
differentials and WAF bypass.
date: 2026-04-02
description: |
## Summary
`Rack::Multipart::Parser` extracts the `boundary` parameter from
`multipart/form-data` using a greedy regular expression. When a
`Content-Type` header contains multiple `boundary` parameters,
Rack selects the last one rather than the first.
In deployments where an upstream proxy, WAF, or intermediary
interprets the first `boundary` parameter, this mismatch can
allow an attacker to smuggle multipart content past upstream
inspection and have Rack parse a different body structure than
the intermediary validated.
## Details
Rack identifies the multipart boundary using logic equivalent to:
```ruby
MULTIPART = %r|\Amultipart/.*boundary=\"?([^\";,]+)\"?|ni
```
Because the expression is greedy, it matches the last `boundary=`
parameter in a header such as:
```http
Content-Type: multipart/form-data; boundary=safe; boundary=malicious
```
As a result, Rack parses the request body using `malicious`, while
another component may interpret the same header using `safe`.
This creates an interpretation conflict. If an upstream WAF or proxy
inspects multipart parts using the first boundary and Rack later
parses the body using the last boundary, a client may be able to
place malicious form fields or uploaded content in parts that Rack
accepts but the upstream component did not inspect as intended.
This issue is most relevant in layered deployments where security
decisions are made before the request reaches Rack.
## Impact
Applications that accept `multipart/form-data` uploads behind an
inspecting proxy or WAF may be affected.
In such deployments, an attacker may be able to bypass upstream
filtering of uploaded files or form fields by sending a request
with multiple `boundary` parameters and relying on the intermediary
and Rack to parse the request differently.
The practical impact depends on deployment architecture. If no
upstream component relies on a different multipart interpretation,
this behavior may not provide meaningful additional attacker capability.
## Mitigation
* Update to a patched version of Rack that rejects ambiguous multipart
`Content-Type` headers or parses duplicate `boundary` parameters
consistently.
* Reject requests containing multiple `boundary` parameters.
* Normalize or regenerate multipart metadata at the trusted edge
before forwarding requests to Rack.
* Avoid relying on upstream inspection of malformed multipart
requests unless duplicate parameter handling is explicitly
consistent across components.
cvss_v3: 3.7
patched_versions:
- "~> 2.2.23"
- "~> 3.1.21"
- ">= 3.2.6"
related:
url:
- https://nvd.nist.gov/vuln/detail/CVE-2026-26961
- https://github.com/rack/rack/security/advisories/GHSA-vgpv-f759-9wx3
- https://github.com/advisories/GHSA-vgpv-f759-9wx3