CVE-2025-59830

EPSS 0.07%
Veröffentlicht 25.09.2025 15:16:13
Zuletzt bearbeitet 10.10.2025 16:43:14
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Rack is a modular Ruby web server interface. Prior to version 2.2.18, Rack::QueryParser enforces its params_limit only for parameters separated by &, while still splitting on both & and ;. As a result, attackers could use ; separators to bypass the parameter count limit and submit more parameters than intended. Applications or middleware that directly invoke Rack::QueryParser with its default configuration (no explicit delimiter) could be exposed to increased CPU and memory consumption. This can be abused as a limited denial-of-service vector. This issue has been patched in version 2.2.18.

Betroffene Produkte Warnungen 0 Metriken 2 CWE 2 Referenzen 5

Verknüpft mit AI von unstrukturierten Daten zu bestehenden CPE der NVD

Diese Information steht angemeldeten Benutzern zur Verfügung.

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Rack ≫ Rack SwPlatformruby Version < 2.2.18

Zu dieser CVE wurde keine CISA KEV oder CERT.AT-Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.07%	0.206

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

CWE-770 Allocation of Resources Without Limits or Throttling

The product allocates a reusable resource or group of resources on behalf of an actor without imposing any restrictions on the size or number of resources that can be allocated, in violation of the intended security policy for that actor.

https://github.com/rack/rack/commit/54e4ffdd5affebcb0c015cc6ae74635c0831ed71

Patch

https://github.com/rack/rack/security/advisories/GHSA-625h-95r8-8xpm

Vendor Advisory

Mitigation

https://nvd.nist.gov/vuln/detail/CVE-2025-59830

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-59830

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-59830

EUVD