CVE-2026-34831

April 3, 2026, 4:10 p.m.

4.8
Medium

Description

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Files#fail sets the Content-Length response header using String#size instead of String#bytesize. When the response body contains multibyte UTF-8 characters, the declared Content-Length is smaller than the number of bytes actually sent on the wire. Because Rack::Files reflects the requested path in 404 responses, an attacker can trigger this mismatch by requesting a non-existent path containing percent-encoded UTF-8 characters. This results in incorrect HTTP response framing and may cause response desynchronization in deployments that rely on the incorrect Content-Length value. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.

Product(s) Impacted

Vendor Product Versions
Ruby
  • Rack
  • <2.2.23, <3.1.21, <3.2.6

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-130
Improper Handling of Length Parameter Inconsistency
The product parses a formatted message or structure, but it does not handle or incorrectly handles a length field that is inconsistent with the actual length of the associated data.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a ruby rack <2.2.23 / / / / / / /
a ruby rack <3.1.21 / / / / / / /
a ruby rack <3.2.6 / / / / / / /

References

https://github.com/rack/rack/security/advisories/GHSA-q2ww-5357-x388

Tags

[email protected]
CWE-130
2026-04-02
CVE-2026-34831

CVSS Score

4.8 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: HIGH
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: LOW
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

    View Vector String

Timeline

Published: April 2, 2026, 5:16 p.m.
Last Modified: April 3, 2026, 4:10 p.m.

Status : Undergoing Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.