CVE-2026-34230

HIGH EPSS 34.4%

Published Apr 2, 20262mo ago · Modified Jun 17, 20261w ago

7.5 CVSS 3.1

High

Published Apr 2, 2026 2mo ago

Last Modified Jun 17, 2026 1w ago

Description

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.select_best_encoding processes Accept-Encoding values with quadratic time complexity when the header contains many wildcard (*) entries. Because this method is used by Rack::Deflater to choose a response encoding, an unauthenticated attacker can send a single request with a crafted Accept-Encoding header and cause disproportionate CPU consumption on the compression middleware path. This results in a denial of service condition for applications using Rack::Deflater. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.

CVSS Details

Base Score

7.5

Exploitability

3.9

Impact

3.6

Vector string

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Attack Vector Network

Attack Complexity Low

Privileges Required None

User Interaction None

Scope Unchanged

Confidentiality None

Integrity None

Availability High

Threat Intelligence

EPSS Exploit Probability

34.4% percentile

Exploit & Patch Status

No Known Exploit

No Patch Available

Weaknesses 2

CWE-400 Uncontrolled Resource Consumption Resource Mgmt

CWE-407

Affected Products 3

Vendor	Product	Version	Range
rack	rack	*	<2.2.23
rack	rack	*	≥3.0.0 – <3.1.21
rack	rack	*	≥3.2.0 – <3.2.6

References 1

github.com https://github.com/rack/rack/security/advisories/GHSA-v569-hp3g-36wr

Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.