CVE-2025-46727Uncontrolled Resource Consumption in Rack

CWE-400Uncontrolled Resource ConsumptionCWE-770Allocation of Resources Without Limits or ThrottlingCWE-476NULL Pointer Dereference10 documents8 sources
Severity
7.5HIGHNVD
OSV4.2
EPSS
0.8%
top 25.77%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
15
RackDebian Ruby-rackMsrc Azl3 Kernel 6.6.104.2-4 ON Azure Linux 3.0+12 more
Timeline
PublishedMay 7
Latest updateJan 15

Description

Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, and 3.1.14, `Rack::QueryParser` parses query strings and `application/x-www-form-urlencoded` bodies into Ruby data structures without imposing any limit on the number of parameters, allowing attackers to send requests with extremely large numbers of parameters. The vulnerability arises because `Rack::QueryParser` iterates over each `&`-separated key-value pair and adds it to a Hash without enforcing an upper bound on

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6

Affected Packages17 packages

debiandebian/ruby-rack< ruby-rack 2.2.20-0+deb12u1 (bookworm)
NVDrack/rack3.0.03.0.16+2
RubyGemsrack/rack3.03.0.16+2
CVEListV5rack/rack>= 3.0, < 3.0.16, >= 3.1, < 3.1.14+1

Patches

Patch: github.comPatch: github.comPatch: github.com

🔴Vulnerability Details

4
OSV
ruby-rack vulnerabilities2025-05-12
OSV
Rack has an Unbounded-Parameter DoS in Rack::QueryParser2025-05-08
GHSA
Rack has an Unbounded-Parameter DoS in Rack::QueryParser2025-05-08
OSV
CVE-2025-46727: Rack is a modular Ruby web server interface2025-05-07

📋Vendor Advisories

5
Oracle
Oracle Oracle Communications Risk Matrix: Core (Rack) — CVE-2025-467272026-01-15
Ubuntu
Rack vulnerabilities2025-05-12
Red Hat
rubygem-rack: Unbounded-Parameter DoS in Rack::QueryParser2025-05-07
Debian
CVE-2025-46727: ruby-rack - Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, a...2025
Microsoft
drm/amd/display: Add otg_master NULL check within resource_log_pipe_topology_update2024-09-10