+ "details": "## Summary\n\n`Rack::Utils.get_byte_ranges` parses the HTTP `Range` header without limiting the number of individual byte ranges. Although the existing fix for CVE-2024-26141 rejects ranges whose total byte coverage exceeds the file size, it does not restrict the count of ranges. An attacker can supply many small overlapping ranges such as `0-0,0-0,0-0,...` to trigger disproportionate CPU, memory, I/O, and bandwidth consumption per request.\n\nThis results in a denial of service condition in Rack file-serving paths that process multipart byte range responses.\n\n## Details\n\n`Rack::Utils.get_byte_ranges` accepts a comma-separated list of byte ranges and validates them based on their aggregate size, but does not impose a limit on how many individual ranges may be supplied.\n\nAs a result, a request such as:\n\n```http\nRange: bytes=0-0,0-0,0-0,0-0,...\n```\n\ncan contain thousands of overlapping one-byte ranges while still satisfying the total-size check added for CVE-2024-26141.\n\nWhen such a header is processed by Rack’s file-serving code, each range causes additional work, including multipart response generation, per-range iteration, file seek and read operations, and temporary string allocation for response size calculation and output. This allows a relatively small request header to trigger disproportionately expensive processing and a much larger multipart response.\n\nThe issue is distinct from CVE-2024-26141. That fix prevents range sets whose total byte coverage exceeds the file size, but does not prevent a large number of overlapping ranges whose summed size remains within that limit.\n\n## Impact\n\nApplications that expose file-serving paths with byte range support may be vulnerable to denial of service.\n\nAn unauthenticated attacker can send crafted `Range` headers containing many small overlapping ranges to consume excessive CPU time, memory, file I/O, and bandwidth. Repeated requests may reduce application availability and increase pressure on workers and garbage collection.\n\n## Mitigation\n\n* Update to a patched version of Rack that limits the number of accepted byte ranges.\n* Reject or normalize multipart byte range requests containing excessive range counts.\n* Consider disabling multipart range support where it is not required.\n* Apply request filtering or header restrictions at the reverse proxy or application boundary to limit abusive `Range` headers.",
![advisory-database[bot]](https://avatars.githubusercontent.com/in/21409?v=4&size=40){kind=avatar}
0 commit comments