Limit amount of retained data when parsing multipart requests

jeremyevans · ioquatix · commit 3beacfcd494e · 2025-10-07T14:43:28.000+13:00
The limit is 16MB by default, and it can be adjusted with the
RACK_MULTIPART_MAX_BUFFERED_UPLOAD_SIZE environment variable.

Data stored in temporary files is not counted against this limit.
However data for other parameters, as well as the data for the
mime headers for each parameter (which is retained during parsing)
is counted against the limit.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -7,6 +7,7 @@ All notable changes to this project will be documented in this file. For info on
 ### Security
 
 - [CVE-2025-61772](https://github.com/advisories/GHSA-wpv5-97wm-hp9c) Multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
+- [CVE-2025-61771](https://github.com/advisories/GHSA-w9pc-fmgc-vxvw) Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
 - [CVE-2025-61770](https://github.com/advisories/GHSA-p543-xpfm-54cp) Unbounded multipart preamble buffering enables DoS (memory exhaustion)
 
 ## [3.2.1] -- 2025-09-02
diff --git a/README.md b/README.md
@@ -230,6 +230,14 @@ query string, before attempting parsing, so if the same parameter key is
 used multiple times in the query, each counts as a separate parameter for
 this check.
 
+### `RACK_MULTIPART_BUFFERED_UPLOAD_BYTESIZE_LIMIT`
+
+This environment variable sets the maximum amount of memory Rack will use
+to buffer multipart parameters when parsing a request body. This considers
+the size of the multipart mime headers and the body part for multipart
+parameters that are buffered in memory and do not use tempfiles. This
+defaults to 16MB if not provided.
+
 ### `param_depth_limit`
 
 ```ruby
diff --git a/lib/rack/multipart/parser.rb b/lib/rack/multipart/parser.rb
@@ -65,6 +65,21 @@ class Parser
       MIME_HEADER_BYTESIZE_LIMIT = 64 * 1024
       private_constant :MIME_HEADER_BYTESIZE_LIMIT
 
+      env_int = lambda do |key, val|
+        if str_val = ENV[key]
+          begin
+            val = Integer(str_val, 10)
+          rescue ArgumentError
+            raise ArgumentError, "non-integer value provided for environment variable #{key}"
+          end
+        end
+
+        val
+      end
+
+      BUFFERED_UPLOAD_BYTESIZE_LIMIT = env_int.call("RACK_MULTIPART_BUFFERED_UPLOAD_BYTESIZE_LIMIT", 16 * 1024 * 1024)
+      private_constant :BUFFERED_UPLOAD_BYTESIZE_LIMIT
+
       class BoundedIO # :nodoc:
         def initialize(io, content_length)
           @io             = io
@@ -224,6 +239,8 @@ def initialize(boundary, tempfile, bufsize, query_parser)
 
         @state = :FAST_FORWARD
         @mime_index = 0
+        @body_retained = nil
+        @retained_size = 0
         @collector = Collector.new tempfile
 
         @sbuf = StringScanner.new("".dup)
@@ -420,6 +437,15 @@ def handle_mime_head
             name = filename || "#{content_type || TEXT_PLAIN}[]".dup
           end
 
+          # Mime part head data is retained for both TempfilePart and BufferPart
+          # for the entireity of the parse, even though it isn't used for BufferPart.
+          update_retained_size(head.bytesize)
+
+          # If a filename is given, a TempfilePart will be used, so the body will
+          # not be buffered in memory. However, if a filename is not given, a BufferPart
+          # will be used, and the body will be buffered in memory.
+          @body_retained = !filename
+
           @collector.on_mime_head @mime_index, head, filename, content_type, name
           @state = :MIME_BODY
         else
@@ -434,6 +460,7 @@ def handle_mime_head
       def handle_mime_body
         if (body_with_boundary = @sbuf.check_until(@body_regex)) # check but do not advance the pointer yet
           body = body_with_boundary.sub(@body_regex_at_end, '') # remove the boundary from the string
+          update_retained_size(body.bytesize) if @body_retained
           @collector.on_mime_body @mime_index, body
           @sbuf.pos += body.length + 2 # skip \r\n after the content
           @state = :CONSUME_TOKEN
@@ -442,14 +469,23 @@ def handle_mime_body
           # Save what we have so far
           if @rx_max_size < @sbuf.rest_size
             delta = @sbuf.rest_size - @rx_max_size
-            @collector.on_mime_body @mime_index, @sbuf.peek(delta)
+            body = @sbuf.peek(delta)
+            update_retained_size(body.bytesize) if @body_retained
+            @collector.on_mime_body @mime_index, body
             @sbuf.pos += delta
             @sbuf.string = @sbuf.rest
           end
           :want_read
         end
       end
 
+      def update_retained_size(size)
+        @retained_size += size
+        if @retained_size > BUFFERED_UPLOAD_BYTESIZE_LIMIT
+          raise Error, "multipart data over retained size limit"
+        end
+      end
+
       # Scan until the we find the start or end of the boundary.
       # If we find it, return the appropriate symbol for the start or
       # end of the boundary.  If we don't find the start or end of the
diff --git a/test/spec_multipart.rb b/test/spec_multipart.rb
@@ -294,6 +294,108 @@ def rd.rewind; end
     wr.close
   end
 
+  it "rejects excessive buffered mime data size in a single parameter" do
+    rd, wr = IO.pipe
+    def rd.rewind; end
+    wr.sync = true
+
+    thr = Thread.new do
+      wr.write("--AaB03x")
+      wr.write("\r\n")
+      wr.write('content-disposition: form-data; name="a"')
+      wr.write("\r\n")
+      wr.write("content-type: text/plain\r\n")
+      wr.write("\r\n")
+      wr.write("0" * 17 * 1024 * 1024)
+      wr.write("--AaB03x--\r\n")
+      wr.close
+      true
+    end
+
+    fixture = {
+      "CONTENT_TYPE" => "multipart/form-data; boundary=AaB03x",
+      "CONTENT_LENGTH" => (18 * 1024 * 1024).to_s,
+      :input => rd,
+    }
+
+    env = Rack::MockRequest.env_for '/', fixture
+    lambda {
+      Rack::Multipart.parse_multipart(env)
+    }.must_raise(Rack::Multipart::Error).message.must_equal "multipart data over retained size limit"
+    rd.close
+
+    thr.value.must_equal true
+    wr.close
+  end
+
+  it "rejects excessive buffered mime data size when split into multiple parameters" do
+    rd, wr = IO.pipe
+    def rd.rewind; end
+    wr.sync = true
+
+    thr = Thread.new do
+      4.times do |i|
+        wr.write("\r\n--AaB03x")
+        wr.write("\r\n")
+        wr.write("content-disposition: form-data; name=\"a#{i}\"")
+        wr.write("\r\n")
+        wr.write("content-type: text/plain\r\n")
+        wr.write("\r\n")
+        wr.write("0" * 4 * 1024 * 1024)
+      end
+      wr.write("\r\n--AaB03x--\r\n")
+      wr.close
+      true
+    end
+
+    fixture = {
+      "CONTENT_TYPE" => "multipart/form-data; boundary=AaB03x",
+      "CONTENT_LENGTH" => (17 * 1024 * 1024).to_s,
+      :input => rd,
+    }
+
+    env = Rack::MockRequest.env_for '/', fixture
+    lambda {
+  p    Rack::Multipart.parse_multipart(env).keys
+    }.must_raise(Rack::Multipart::Error).message.must_equal "multipart data over retained size limit"
+    rd.close
+
+    thr.value.must_equal true
+    wr.close
+  end
+
+  it "allows large nonbuffered mime parameters" do
+    rd, wr = IO.pipe
+    def rd.rewind; end
+    wr.sync = true
+
+    thr = Thread.new do
+      wr.write("\r\n\r\n--AaB03x")
+      wr.write("\r\n")
+      wr.write('content-disposition: form-data; name="a"; filename="a.txt"')
+      wr.write("\r\n")
+      wr.write("content-type: text/plain\r\n")
+      wr.write("\r\n")
+      wr.write("0" * 16 * 1024 * 1024)
+      wr.write("\r\n--AaB03x--\r\n")
+      wr.close
+      true
+    end
+
+    fixture = {
+      "CONTENT_TYPE" => "multipart/form-data; boundary=AaB03x",
+      "CONTENT_LENGTH" => (17 * 1024 * 1024).to_s,
+      :input => rd,
+    }
+
+    env = Rack::MockRequest.env_for '/', fixture
+    Rack::Multipart.parse_multipart(env)['a'][:tempfile].read.bytesize.must_equal(16 * 1024 * 1024)
+    rd.close
+
+    thr.value.must_equal true
+    wr.close
+  end
+
   # see https://github.com/rack/rack/pull/1309
   it "parses strange multipart pdf" do
     boundary = '---------------------------932620571087722842402766118'
