CVE-2025-27219
Published: 2025-03-04
Priority: P3 (39) · Severity: high · CVSS 3.1 base score: 7.5
CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.78% (51.4th percentile)
In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Service (DoS) vulnerability. The method does not impose any limit on the length of the raw cookie value it processes. This oversight can lead to excessive resource consumption when parsing extremely large cookies.
Affected
13 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ruby2.7 | < ruby2.7 2.7.4-1+deb11u5 (bullseye) | ruby2.7 2.7.4-1+deb11u5 (bullseye) |
| debian | ruby3.1 | < ruby2.7 2.7.4-1+deb11u5 (bullseye) | ruby2.7 2.7.4-1+deb11u5 (bullseye) |
| debian | ruby3.3 | < ruby2.7 2.7.4-1+deb11u5 (bullseye) | ruby2.7 2.7.4-1+deb11u5 (bullseye) |
| msrc | azl3_ruby_3.3.5-3_on_azure_linux_3.0 | — | — |
| msrc | cbl2_glib_2.60.1-5_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_ruby_3.1.4-9_on_cbl_mariner_2.0 | — | — |
| ruby-lang | cgi | < 0.3.5.1 | 0.3.5.1 |
| ruby-lang | cgi | — | — |
| ruby-lang | cgi | >= 0 < 0.3.5.1 | 0.3.5.1 |
| ruby-lang | cgi | >= 0.3.6 < 0.3.7 | 0.3.7 |
| ruby-lang | cgi | >= 0.3.6 < 0.3.7 | 0.3.7 |
| ruby-lang | cgi | >= 0.4.0 < 0.4.2 | 0.4.2 |
| ruby-lang | cgi | >= 0.4.0 < 0.4.2 | 0.4.2 |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| ghsa | 7.5 | HIGH | — |
| osv | 7.5 | HIGH | — |
| vendor_msrc | 7.5 | HIGH | — |
| vendor_ubuntu | 7.5 | HIGH | — |
| vendor_debian | 5.8 | MEDIUM | — |
| vendor_redhat | 5.8 | MEDIUM | — |
Ubuntu
vendor_ubuntu·2025-04-17·CVSS 7.5
CVE-2025-27220 [HIGH] Ruby vulnerabilities
Summary: Several security issues were fixed in Ruby.
It was discovered that the Ruby CGI gem incorrectly handled parsing certain
cookies. A remote attacker could possibly use this issue to consume
resources, leading to a denial of service. (CVE-2025-27219)
It was discovered that the Ruby CGI gem incorrectly handled parsing certain
regular expressions. A remote attacker could possibly use this issue to
consume resources, leading to a denial of service. (CVE-2025-27220)
It was discovered that the Ruby URI gem incorrectly handled certain URI
handling methods. A remote attacker could possibly use this issue to leak
authentication credentials. (CVE-2025-27221)
It was discovered that the Ruby REXML gem incorrectly handled parsing XML
documents containing many dig
Ubuntu
vendor_ubuntu·2025-04-07·CVSS 5.3
CVE-2024-35176 [MEDIUM] Ruby vulnerabilities
Summary: Several security issues were fixed in Ruby.
It was discovered that Ruby incorrectly handled parsing of an XML document
that has specific XML characters in an attribute value using REXML gem. An
attacker could use this issue to cause Ruby to crash, resulting in a
denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu
24.04 LTS, and Ubuntu 24.10. (CVE-2024-35176, CVE-2024-39908,
CVE-2024-41123, CVE-2024-43398)
It was discovered that Ruby incorrectly handled expanding ranges in the
net-imap response parser. If a user or automated system were tricked into
connecting to a malicious IMAP server, a remote attacker could possibly use
this issue to consume memory, leading to a denial of service. This issue
only affected Ubuntu 24.04 LTS, and
Microsoft
vendor_msrc·2025-03-11·CVSS 5.3
CVE-2025-27219 [MEDIUM] CWE-770
In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Service (DoS) vulnerability. The method does not impose any limit on the length of the raw cookie value it processes. This oversight can lead to excessive resource consumption when parsing extremely large cookies.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSA
Red Hat
vendor_redhat·2025-03-03·CVSS 5.8
CVE-2025-27219 [MEDIUM] CWE-770 CGI: Denial of Service in CGI::Cookie.parse
In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Service (DoS) vulnerability. The method does not impose any limit on the length of the raw cookie value it processes. This oversight can lead to excessive resource consumption when parsing extremely large cookies.
A flaw was found in Ruby's CGI gem. Processing specially crafted large cookies with the CGI::Cookie.parse method can cause excessive resource consumption due to a missing limit on the length of the raw cookie value, resulting in a denial of service.
Statement: This issue will cause an excessive resource consumption, potentially resulting in a bad application performance. However, an attacker does have the ability to co
Debian
vendor_debian·2025·CVSS 5.8
CVE-2025-27219 [MEDIUM] ruby2.7
In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Service (DoS) vulnerability. The method does not impose any limit on the length of the raw cookie value it processes. This oversight can lead to excessive resource consumption when parsing extremely large cookies.
Scope: local
bullseye: resolved (fixed in 2.7.4-1+deb11u5)
Microsoft
vendor_msrc·2021-02-09·CVSS 7.5
CVE-2021-27219 [HIGH] CWE-681
An issue was discovered in GNOME GLib before 2.66.6 and 2.67.x before 2.67.3. The function g_bytes_new has an integer overflow on 64-bit platforms due to an implicit cast from 64 bits to 32 bits. The overflow could potentially lead to memory corruption.
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to
OSV
osv·2025-04-17·CVSS 6.6
CVE-2025-27219 [MEDIUM] ruby2.3, ruby2.5 vulnerabilities
It was discovered that the Ruby CGI gem incorrectly handled parsing certain
cookies. A remote attacker could possibly use this issue to consume
resources, leading to a denial of service. (CVE-2025-27219)
It was discovered that the Ruby CGI gem incorrectly handled parsing certain
regular expressions. A remote attacker could possibly use this issue to
consume resources, leading to a denial of service. (CVE-2025-27220)
It was discovered that the Ruby URI gem incorrectly handled certain URI
handling methods. A remote attacker could possibly use this issue to leak
authentication credentials. (CVE-2025-27221)
It was discovered that the Ruby REXML gem incorrectly handled parsing XML
documents containing many digits in a hex numeric character reference. A
remot
OSV
osv·2025-04-07·CVSS 5.3
CVE-2024-35176 [MEDIUM] ruby2.7, ruby3.0, ruby3.2, ruby3.3 vulnerabilities
It was discovered that Ruby incorrectly handled parsing of an XML document
that has specific XML characters in an attribute value using REXML gem. An
attacker could use this issue to cause Ruby to crash, resulting in a
denial of service. This issue only affected Ubuntu 22.04 LTS, Ubuntu
24.04 LTS, and Ubuntu 24.10. (CVE-2024-35176, CVE-2024-39908,
CVE-2024-41123, CVE-2024-43398)
It was discovered that Ruby incorrectly handled expanding ranges in the
net-imap response parser. If a user or automated system were tricked into
connecting to a malicious IMAP server, a remote attacker could possibly use
this issue to consume memory, leading to a denial of service. This issue
only affected Ubuntu 24.04 LTS, and Ubuntu 24.10. (CVE-2025-25186)
OSV
osv·2025-03-04·CVSS 7.5
CVE-2025-27219 [HIGH]
In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Service (DoS) vulnerability. The method does not impose any limit on the length of the raw cookie value it processes. This oversight can lead to excessive resource consumption when parsing extremely large cookies.
OSV
osv·2025-03-03·CVSS 7.5
CVE-2025-27219 [HIGH] CGI has Denial of Service (DoS) potential in Cookie.parse
There is a possibility of DoS in the cgi gem.
This vulnerability has been assigned the CVE identifier CVE-2025-27219. We recommend upgrading the cgi gem.
## Details
CGI::Cookie.parse took super-linear time to parse a cookie string in some cases. Feeding a maliciously crafted cookie string into the method could lead to a Denial of Service.
Please update CGI gem to version 0.3.5.1, 0.3.7, 0.4.2 or later.
## Affected versions
cgi gem versions <= 0.3.5, 0.3.6, 0.4.0 and 0.4.1.
## Credits
Thanks to lio346 for discovering this issue.
Also thanks to mame for fixing this vulnerability.
GHSA
ghsa·2025-03-03·CVSS 7.5
CVE-2025-27219 [HIGH] CWE-400 CGI has Denial of Service (DoS) potential in Cookie.parse
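As an added defensive example (not code from the cgi gem or from any advisory on this page): a version gate built from the affected and fixed versions the ruby-lang advisory lists, plus a length cap applied before the header ever reaches CGI::Cookie.parse. The 4096-byte cap, the CookieTooLong class and the function names are assumptions of this example.

```ruby
# Added example for CVE-2025-27219; not the cgi gem's own code.
require "rubygems"
require "cgi"

# Affected series => first fixed release in that series, taken from the
# ruby-lang advisory: <= 0.3.5 -> 0.3.5.1, 0.3.6 -> 0.3.7, 0.4.0/0.4.1 -> 0.4.2.
CGI_COOKIE_DOS_FIXES = {
  "0"     => "0.3.5.1",
  "0.3.6" => "0.3.7",
  "0.4.0" => "0.4.2",
}.freeze

# True when a cgi gem at +version+ (a String such as "0.4.1") falls inside
# one of the unfixed ranges above.
def cgi_cookie_dos_vulnerable?(version)
  v = Gem::Version.new(version)
  CGI_COOKIE_DOS_FIXES.any? do |floor, fixed|
    v >= Gem::Version.new(floor) && v < Gem::Version.new(fixed)
  end
end

# Assumed error type for an over-long Cookie header.
class CookieTooLong < ArgumentError; end

# Compensating control for the missing length limit the description names:
# refuse a raw Cookie header larger than +max_bytes+ (assumed default 4096,
# a common per-header ceiling) before handing it to CGI::Cookie.parse, so an
# oversized value never enters the super-linear path.
def bounded_cookie_parse(raw, max_bytes: 4096)
  raw = raw.to_s
  if raw.bytesize > max_bytes
    raise CookieTooLong, "cookie header is #{raw.bytesize} bytes (max #{max_bytes})"
  end
  CGI::Cookie.parse(raw)
end
```

On an affected version the gate reports true and the cap limits exposure until the gem is upgraded; on a fixed version the cap is still a reasonable edge-side bound.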
No detection rules found.
No public exploits indexed.
HackerOne
hackerone·2025-04-27·CVSS 5.8
CVE-2025-27219 [MEDIUM] Denial of Service in CGI::Cookie.parse
Hi, I made a report in #2936778
Advisory: https://www.ruby-lang.org/en/news/2025/02/26/security-advisories/
## Details
`CGI::Cookie.parse` took super-linear time to parse a cookie string in some cases. Feeding a maliciously crafted cookie string into the method could lead to a Denial of Service.
## Impact
An attacker could make use of a Denial of Service vulnerability that causes service disruptions and increased costs.
There is a possibility of DoS in the cgi gem. This vulnerability has been assigned the CVE identifier CVE-2025-27219. We recommend upgrading the cgi gem.
Bugzilla
bugzilla·2025-03-04·CVSS 7.5
CVE-2025-27219 [HIGH] CGI: Denial of Service in CGI::Cookie.parse
In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Service (DoS) vulnerability. The method does not impose any limit on the length of the raw cookie value it processes. This oversight can lead to excessive resource consumption when parsing extremely large cookies.
Discussion:
This issue has been addressed in the following products:
Red Hat Enterprise Linux 8
Via RHSA-2025:4063 https://access.redhat.com/errata/RHSA-2025:4063
---
This issue has been addressed in the following products:
Red Hat Enterprise Linux 9
Via RHSA-2025:4487 https://access.redhat.com/errata/RHSA-2025:4487
---
This issue has been addressed in the following products:
Red Hat Enterprise