CVE-2025-61919

EPSS 0.28%
Veröffentlicht 10.10.2025 19:22:42
Zuletzt bearbeitet 03.11.2025 19:28:04
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing

Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, `Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion. Users should upgrade to Rack version 2.2.20, 3.1.18, or 3.2.3, anu of which enforces form parameter limits using `query_parser.bytesize_limit`, preventing unbounded reads of `application/x-www-form-urlencoded` bodies. Additionally, enforce strict maximum body size at the proxy or web server layer (e.g., Nginx `client_max_body_size`, Apache `LimitRequestBody`).

Betroffene Produkte Warnungen 0 Metriken 2 CWE 1 Referenzen 7

NVD 3 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch National Vulnerability Database (NVD)

Rack ≫ Rack SwPlatformruby Version < 2.2.20

Rack ≫ Rack SwPlatformruby Version >= 3.0.0 < 3.1.18

Rack ≫ Rack SwPlatformruby Version >= 3.2.0 < 3.2.3

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

EPSS Metriken
Typ	Quelle	Score	Percentile
EPSS	FIRST.org	0.28%	0.516

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	7.5	3.9	3.6	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CWE-400 Uncontrolled Resource Consumption

The product does not properly control the allocation and maintenance of a limited resource, thereby enabling an actor to influence the amount of resources consumed, eventually leading to the exhaustion of available resources.

https://github.com/rack/rack/security/advisories/GHSA-6xw4-3v39-52mm

Third Party Advisory

Mitigation

https://github.com/rack/rack/commit/4e2c903991a790ee211a3021808ff4fd6fe82881

Patch

https://github.com/rack/rack/commit/cbd541e8a3d0c5830a3c9a30d3718ce2e124f9db

Patch

https://github.com/rack/rack/commit/e179614c4a653283286f5f046428cbb85f21146f

Patch

https://nvd.nist.gov/vuln/detail/CVE-2025-61919

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2025-61919

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2025-61919

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2025-61919