CVE-2023-27530
Denial of Service vulnerability in rack (RubyGems)

Denial of Service No known exploit

What is CVE-2023-27530 About?

This Denial of Service (DoS) vulnerability in Rack's multipart MIME parsing code allows attackers to degrade server performance. A request carrying a very large number of parts (which need not be file parts) makes the parser spend excessive time processing it, leading to resource exhaustion. It is relatively easy to exploit: an attacker needs only an understanding of HTTP multipart requests.

Affected Software

  • rack
    • <2.0.9.3
    • >=2.1.0, <2.1.4.3
    • >=2.2.0, <2.2.6.3
    • >=3.0.0, <3.0.4.2

Technical Details

The vulnerability in Rack's multipart MIME parsing code affects all versions before the fixed releases listed above and stems from an insufficient limit on the total number of parts in a multipart request. The parser caps the number of file parts, but imposes no comparable limit on non-file parts or on the overall part count. An attacker can therefore craft a multipart/form-data request containing an extremely large number of small, non-file form fields. When a vulnerable Rack application parses this request, iterating over and processing each individual part consumes CPU time and potentially memory. With a high enough part count this processing time becomes excessive, significantly degrading performance or exhausting server resources, and so enabling a Denial of Service.

What is the Impact of CVE-2023-27530?

Successful exploitation may allow attackers to cause server unresponsiveness, significantly increase processing overhead, or degrade the application's ability to serve legitimate requests, leading to service disruption.

What is the Exploitability of CVE-2023-27530?

Exploitation of this vulnerability is relatively easy and requires little technical skill. It is an unauthenticated remote attack: the attacker only needs to be able to send HTTP POST requests to a Rack application that processes multipart forms, and no privileges on the target system are required. The primary prerequisite is the ability to craft HTTP requests with a large number of multipart fields; the complexity is low, amounting to sending a high volume of parts. Risk is higher for applications that widely accept multipart form data, especially those that are publicly exposed without rate limiting or without explicit configuration that limits the maximum number of form fields or parts, whether in the application or at the web server (Nginx's client_max_body_size caps the entire request body, for example, and specific modules offer their own limits).
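The unbounded part count described under Technical Details, and the per-request limit on form fields mentioned above as a mitigation, can be enforced in front of the parser. The following is an added example written for this page, not Rack's own code: a Rack-compatible middleware that counts the parts of a multipart/form-data body and rejects oversized requests with 413 before Rack's multipart parser iterates over every part. The cap of 256 parts and the sample request body are assumed values constructed for illustration.

```ruby
require 'stringio'
# Added example (not Rack's own code): reject multipart bodies with too many
# parts before the multipart parser ever iterates over them.
# DEFAULT_MAX_PARTS is an assumed value chosen for illustration.
class MultipartPartCap
  DEFAULT_MAX_PARTS = 256

  def initialize(app, max_parts: DEFAULT_MAX_PARTS)
    @app = app
    @max_parts = max_parts
  end

  def call(env)
    boundary = self.class.boundary_from(env['CONTENT_TYPE'])
    input = env['rack.input']
    return @app.call(env) unless boundary && input
    # Reading the whole body here relies on the web server already capping
    # request size (e.g. the client_max_body_size mentioned above).
    body = input.read.to_s
    input.rewind # leave the body readable for the downstream parser
    if self.class.count_parts(body, boundary) > @max_parts
      return [413, { 'content-type' => 'text/plain' }, ["too many multipart parts\n"]]
    end
    @app.call(env)
  end

  # Extracts the boundary parameter (quoted or bare) from a Content-Type
  # header; returns nil for anything that is not multipart/form-data.
  def self.boundary_from(content_type)
    return nil unless content_type
    m = %r{\Amultipart/form-data\s*;.*boundary=(?:"([^"]+)"|([^;\s]+))}i.match(content_type)
    m && (m[1] || m[2])
  end

  # Counts RFC 2046 delimiter lines "--boundary"; the closing "--boundary--"
  # is not a delimiter, so the count equals the number of body parts.
  def self.count_parts(body, boundary)
    delim = "--#{boundary}"
    body.each_line.count { |line| line.rstrip == delim }
  end

  # Constructed sample body with n small non-file text fields (not a capture).
  def self.sample_body(boundary, n)
    fields = (1..n).map do |i|
      "--#{boundary}\r\nContent-Disposition: form-data; name=\"f#{i}\"\r\n\r\nv#{i}\r\n"
    end
    fields.join + "--#{boundary}--\r\n"
  end
end
```

Patched Rack releases enforce a total-part cap themselves (Rack::Utils.multipart_total_part_limit); this middleware is a defence-in-depth check for deployments that cannot upgrade immediately.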

What are the Known Public Exploits?

No known exploits.

What are the Available Fixes for CVE-2023-27530?

Available Upgrade Options

  • rack
    • <2.0.9.3 → Upgrade to 2.0.9.3
    • >=2.1.0, <2.1.4.3 → Upgrade to 2.1.4.3
    • >=2.2.0, <2.2.6.3 → Upgrade to 2.2.6.3
    • >=3.0.0, <3.0.4.2 → Upgrade to 3.0.4.2

Additional Resources

What are Similar Vulnerabilities to CVE-2023-27530?

Similar Vulnerabilities: CVE-2025-61771, CVE-2022-26138, CVE-2018-3741, CVE-2016-6582, CVE-2013-0333