CVE-2023-27530 — Rack DoS HIGH
🔴 CISA KEV
ruby
CVSS 7.5 · rack < 3.0.4.2 → 3.0.11
Rack's multipart parser capped the number of file parts in a request (default 128) but put no limit on the total number of parts, so an attacker can send a multipart/form-data body made of a very large number of tiny non-file parts and make the server spend CPU and memory parsing every one of them. Rack 3.0 before 3.0.4.2 is affected, as are the 2.x branches before 2.2.6.3, 2.1.4.3 and 2.0.9.3; the fix adds Rack::Utils.multipart_total_part_limit (default 4096). Any Rack-based application (Rails, Sinatra and others) is exposed on every endpoint whose form parameters get parsed, whether or not the route expects file uploads: the parser is selected by the Content-Type the attacker sends, not by what the app intended to receive.
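To make the defect concrete, here is an added example that is not Rack's code: a deliberately small multipart/form-data parser with the same two knobs the real one has after the fix (a cap on file parts, which existed before, and a cap on total parts, which the fix added), fed a constructed attack body. It also computes how many minimal parts fit under a body-size cap such as the nginx client_max_body_size setting suggested below as a stopgap. The boundary, field names and the limit values in this block are illustrative assumptions; the 128 and 4096 defaults are Rack's.

```ruby
# Added example, not Rack's own code: a deliberately small multipart/form-data
# parser that reproduces the defect behind CVE-2023-27530 and the shape of the
# fix. Real Rack streams the body; this toy works on a String and tracks only
# what matters here: how many parts arrive and whether each one is a file.

class MultipartLimitError < StandardError; end

# Constructed attack body: `count` minimal parts. The attacker chooses the
# boundary, so a one-character boundary keeps every part as small as possible.
def build_multipart(count, boundary: "b", file: false)
  disposition = 'Content-Disposition: form-data; name="a"'
  disposition += '; filename="f"' if file
  part = "--#{boundary}\r\n#{disposition}\r\n\r\nx\r\n"
  (part * count) + "--#{boundary}--\r\n"
end

# file_limit mirrors the cap Rack already had on file parts (default 128).
# total_limit is the cap the fix added (Rack's default is 4096); nil means
# no cap at all, which is the vulnerable behaviour.
def parse_multipart(body, boundary: "b", file_limit: 128, total_limit: nil)
  files = 0
  parts = []
  body.split("--#{boundary}").each do |chunk|
    chunk = chunk.delete_prefix("\r\n")
    next if chunk.empty? || chunk.start_with?("--") # preamble / closing delimiter
    headers, value = chunk.split("\r\n\r\n", 2)
    is_file = headers.include?("filename=")
    files += 1 if is_file
    raise MultipartLimitError, "too many file parts" if files > file_limit
    # Without a total cap every non-file part is accepted: one hash per part,
    # one pass through this loop per part, for as many parts as the body holds.
    raise MultipartLimitError, "too many parts" if total_limit && parts.size >= total_limit
    parts << { name: headers[/name="([^"]*)"/, 1], file: is_file, value: value.to_s.chomp("\r\n") }
  end
  parts
end

# Bytes one minimal part costs on the wire, and how many of them fit under a
# body-size cap such as nginx's client_max_body_size. The cap bounds the attack
# but leaves it far above the 4096-part default of the fix.
def minimal_part_bytes(boundary: "b")
  build_multipart(2, boundary: boundary).bytesize - build_multipart(1, boundary: boundary).bytesize
end

def parts_under_body_limit(max_bytes, boundary: "b")
  max_bytes / minimal_part_bytes(boundary: boundary)
end

if __FILE__ == $0
  body = build_multipart(10_000)
  puts "unpatched: parsed #{parse_multipart(body).size} parts from a #{body.bytesize}-byte body"
  begin
    parse_multipart(body, total_limit: 4096)
  rescue MultipartLimitError => e
    puts "patched:   rejected (#{e.message})"
  end
  puts "a 10 MiB body cap still admits #{parts_under_body_limit(10 * 1024 * 1024)} minimal parts"
end
```

Run it with plain ruby: the unpatched path parses all ten thousand parts, the patched path stops at the 4097th, and a one-character boundary makes each part cost about 50 bytes, which is why a 10 MiB body limit on its own still admits a few hundred thousand parts.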
What's affected
| Package | Ecosystem | Vulnerable | Safe version | Fix guide |
|---|---|---|---|---|
| rack | ruby | < 3.0.4.2 (2.x branches: < 2.2.6.3, < 2.1.4.3, < 2.0.9.3) | 3.0.11 (2.2.x: 2.2.6.3 or later) | Full fix guide → |
How to fix CVE-2023-27530
- Update rack to 3.0.4.2 or later (3.0.11 recommended); apps pinned to the 2.x series need at least 2.2.6.3, 2.1.4.3 or 2.0.9.3 for their branch
- Run bundle update rack --conservative so only rack moves in Gemfile.lock; a plain bundle install does not bump a version that is already locked
- Confirm the resolved version with bundle info rack before deploying
- Once updated, the cap is Rack::Utils.multipart_total_part_limit (default 4096); lower it if no endpoint legitimately needs that many form fields
- Keep a request body size limit in your web server config as defense in depth; it bounds the part count per request but does not replace the update
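For the update steps above, an added stand-alone check (not the page's PackageFix tool and not Rack's code): it reads a Gemfile.lock, extracts the locked rack version and compares it with the first fixed release of each branch. The sample lockfile is constructed for the example; the four-space anchoring relies on Bundler's lockfile layout, where resolved specs are indented four spaces and their dependency requirements six.

```ruby
# Added example, not PackageFix's tool and not Rack's code: reads a Gemfile.lock,
# finds the resolved rack version and compares it with the first fixed release
# of each branch for CVE-2023-27530. Gem::Version ships with Ruby's rubygems.
require "rubygems"

# First patched release per branch (from the Rack advisory); anything in that
# branch below it is vulnerable.
RACK_FIXED = {
  "3.0" => Gem::Version.new("3.0.4.2"),
  "2.2" => Gem::Version.new("2.2.6.3"),
  "2.1" => Gem::Version.new("2.1.4.3"),
  "2.0" => Gem::Version.new("2.0.9.3"),
}.freeze

# Constructed sample lockfile for the demo: an app on 3.0.4.1, one release short.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (3.0.4.1)
      rack-session (2.0.0)
        rack (>= 3.0.0)
      rack-test (2.1.0)
        rack (>= 1.3)

  PLATFORMS
    ruby

  DEPENDENCIES
    rack
    rack-session
    rack-test
LOCK

# Bundler writes resolved specs with four leading spaces and each spec's
# dependencies with six, so anchoring on exactly four spaces skips lines such
# as "      rack (>= 3.0.0)", which are requirements, not the locked version.
def locked_rack_version(lockfile_text)
  m = lockfile_text.match(/^    rack \(([^)]+)\)$/)
  m && Gem::Version.new(m[1])
end

def rack_status(version)
  branch = version.segments.first(2).join(".")
  if (fixed = RACK_FIXED[branch])
    version < fixed ? :vulnerable : :fixed
  elsif version >= Gem::Version.new("3.1.0")
    :fixed        # 3.1 and later were cut after the fix landed
  else
    :unsupported  # e.g. rack 1.x: no patched release exists, treat as vulnerable
  end
end

# What a scanner would report: the locked version and its status, or :missing
# when the lockfile does not resolve rack at all.
def check_lockfile(lockfile_text)
  version = locked_rack_version(lockfile_text)
  return { version: nil, status: :missing } unless version
  { version: version.to_s, status: rack_status(version) }
end

if __FILE__ == $0
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  result = check_lockfile(text)
  puts "rack #{result[:version] || '(not locked)'}: #{result[:status]}"
end
```

Usage: ruby check_rack.rb path/to/Gemfile.lock; with no argument it runs against the built-in sample and reports 3.0.4.1 as vulnerable. Note that the check compares branches, so a 2.2.x app is judged against 2.2.6.3 rather than told to jump to 3.x.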
✓ Verify with PackageFix
Paste your manifest into PackageFix to confirm the fix was applied. If CVE-2023-27530 no longer appears in the CVE table, you're clean.
Paste your manifest — get back a fixed version with all CVEs patched in seconds.
Open PackageFix → No signup · No CLI · No GitHub · Runs 100% in your browser
Frequently Asked Questions
Does this affect all Rails applications?
Yes. Rails parses multipart bodies through Rack, so every Rails app running a rack release below its branch's fix (3.0.4.2, 2.2.6.3, 2.1.4.3 or 2.0.9.3) is exposed, and not only on upload endpoints: any action that reads params from a request the attacker has labelled multipart/form-data runs the vulnerable parser. Check the rack line in Gemfile.lock rather than the Rails version, since the same Rails release can resolve to different rack branches.
Is rack on CISA KEV?
Yes — CISA added rack to the Known Exploited Vulnerabilities catalog. The multipart DoS is being actively used against Rails applications.
What's the temporary mitigation?
Until rack is updated, cap request body size in the web server in front of the app, for example client_max_body_size 10m; in nginx or LimitRequestBody in Apache. This bounds the attack but does not close it: the attacker picks a one-character boundary and a minimal Content-Disposition header, so each part costs roughly 50 bytes and a 10 MB body still carries roughly 200,000 parts, far above the 4096-part cap the fix introduces. Set the limit per location to what each endpoint really needs (a few kilobytes where no uploads are expected), rate-limit the endpoints that must accept large bodies, and update rack as soon as possible. There is no in-app knob on vulnerable versions: Rack::Utils.multipart_total_part_limit only exists from the patched releases onward.