CVE-2025-46727
Published 2025-05-07
Priority: P3 (44) · CVSS 3.1: 7.5 High
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.91% (55.5th percentile)
Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, and 3.1.14, `Rack::QueryParser` parses query strings and `application/x-www-form-urlencoded` bodies into Ruby data structures without imposing any limit on the number of parameters, allowing attackers to send requests with extremely large numbers of parameters. The vulnerability arises because `Rack::QueryParser` iterates over each `&`-separated key-value pair and adds it to a Hash without enforcing an upper bound on the total number of parameters. This allows an attacker to send a single request containing hundreds of thousands (or more) of parameters, which consumes excessive memory and CPU during parsing. An attacker can trigger denial of service by sending specifically crafted HTTP requests, which can cause memory exhaustion or pin CPU resources, stalling or crashing the Rack server. This results in full service disruption until the affected worker is restarted. Versions 2.2.14, 3.0.16, and 3.1.14 fix the issue. Some other mitigations are available. One may use middleware to enforce a maximum query string size or parameter count, or employ a reverse proxy (such as Nginx) to limit request sizes and reject oversized query strings or bodies. Limiting request body sizes and query string lengths at the web server or CDN level is an effective mitigation.
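The middleware mitigation mentioned above, as an added example that is not Rack's own code: a small Rack middleware that bounds the query-string length, the form-body length and the number of `&`-separated pairs before the request ever reaches `Rack::QueryParser`, answering with 413 instead of parsing. The limits (1000 parameters, 8 KiB query string, 1 MiB body) are assumed defaults, the `ParamLimit` class, `build_env` helper and `OK_APP` are constructed for this example, and the counting is deliberately a linear scan for separators rather than a `split`, so the check itself allocates nothing proportional to the parameter count.

```ruby
require 'stringio'

# Added example (not Rack's own code): a middleware that bounds parameter
# count and request sizes *before* Rack::QueryParser sees the request.
# Limits below are assumed defaults; tune them per application.
class ParamLimit
  FORM_TYPE = 'application/x-www-form-urlencoded'.freeze

  def initialize(app, max_params: 1000, max_query_bytes: 8 * 1024, max_body_bytes: 1024 * 1024)
    @app = app
    @max_params = max_params
    @max_query_bytes = max_query_bytes
    @max_body_bytes = max_body_bytes
  end

  # Count "&"-separated pairs without splitting: O(n) over the bytes and no
  # array allocation. ';' is counted as well because Rack 2.x also treats it
  # as a separator; overcounting only makes the limit stricter.
  def self.count_pairs(str)
    return 0 if str.nil? || str.empty?
    str.count('&;') + 1
  end

  def call(env)
    query = env['QUERY_STRING'].to_s
    return reject('query string too long') if query.bytesize > @max_query_bytes
    return reject('too many query parameters') if self.class.count_pairs(query) > @max_params

    if form_body?(env)
      # Content-Length is only an upper bound hint; reject oversized claims
      # before reading, then read at most max_body_bytes + 1 so a lying
      # client cannot make us buffer an unbounded body.
      return reject('form body too large') if env['CONTENT_LENGTH'].to_i > @max_body_bytes

      input = env['rack.input']
      raw = input.read(@max_body_bytes + 1).to_s
      input.rewind # leave the stream as the downstream app expects it
      return reject('form body too large') if raw.bytesize > @max_body_bytes
      return reject('too many form parameters') if self.class.count_pairs(raw) > @max_params
    end

    @app.call(env)
  end

  private

  def form_body?(env)
    env['CONTENT_TYPE'].to_s.split(';').first.to_s.strip.downcase == FORM_TYPE
  end

  def reject(reason)
    body = "Request rejected: #{reason}\n"
    [413, { 'content-type' => 'text/plain', 'content-length' => body.bytesize.to_s }, [body]]
  end
end

# Constructed minimal Rack env so the middleware can be exercised offline.
def build_env(query, body: nil)
  env = {
    'REQUEST_METHOD' => body ? 'POST' : 'GET',
    'QUERY_STRING' => query,
    'rack.input' => StringIO.new(body.to_s)
  }
  if body
    env['CONTENT_TYPE'] = ParamLimit::FORM_TYPE
    env['CONTENT_LENGTH'] = body.bytesize.to_s
  end
  env
end

# Constructed downstream app that always succeeds.
OK_APP = ->(_env) { [200, { 'content-type' => 'text/plain' }, ["ok\n"]] }

# Status the middleware returns for a GET carrying +n+ query parameters.
def status_for_query_params(n, max_params: 3)
  query = (1..n).map { |i| "p#{i}=#{i}" }.join('&')
  ParamLimit.new(OK_APP, max_params: max_params).call(build_env(query)).first
end

if __FILE__ == $PROGRAM_NAME
  puts status_for_query_params(2) # 200: within the limit
  puts status_for_query_params(4) # 413: rejected before parsing
end
```

In a real application the middleware goes in `config.ru` (`use ParamLimit, max_params: 1000`) ahead of anything that calls `Rack::Request#params`; the same limits are worth duplicating at the reverse proxy, since a rejected request still costs the Ruby worker the bytes it had to receive.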
Affected (22 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ruby-rack | < ruby-rack 2.2.20-0+deb12u1 (bookworm) | ruby-rack 2.2.20-0+deb12u1 (bookworm) |
| msrc | azl3_kernel_6.6.104.2-4_on_azure_linux_3.0 | — | — |
| msrc | azl3_kernel_6.6.112.1-2_on_azure_linux_3.0 | — | — |
| msrc | azl3_kernel_6.6.117.1-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_kernel_6.6.119.3-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_kernel_6.6.119.3-3_on_azure_linux_3.0 | — | — |
| msrc | azl3_kernel_6.6.121.1-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_kernel_6.6.126.1-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_kernel_6.6.130.1-3_on_azure_linux_3.0 | — | — |
| msrc | azl3_kernel_6.6.96.2-1_on_azure_linux_3.0 | — | — |
| msrc | azl3_kernel_6.6.96.2-2_on_azure_linux_3.0 | — | — |
| msrc | cbl2_kernel_5.15.186.1-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_kernel_5.15.200.1-1_on_cbl_mariner_2.0 | — | — |
| msrc | cbl2_kernel_5.15.202.1-1_on_cbl_mariner_2.0 | — | — |
| rack | rack | < 2.2.14 | 2.2.14 |
| rack | rack | — | — |
| rack | rack | — | — |
| rack | rack | >= 0 < 2.2.14 | 2.2.14 |
| rack | rack | >= 3.0 < 3.0.16 | 3.0.16 |
| rack | rack | >= 3.0.0 < 3.0.16 | 3.0.16 |
| rack | rack | >= 3.1 < 3.1.14 | 3.1.14 |
| rack | rack | >= 3.1.0 < 3.1.14 | 3.1.14 |
CVSS provenance

| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | 7.5 | HIGH | — |
| vendor_debian | 7.5 | HIGH | — |
| vendor_oracle | 7.5 | HIGH | — |
| vendor_redhat | 7.5 | HIGH | — |
| vendor_msrc | 5.5 | MEDIUM | — |
| vendor_ubuntu | 4.2 | MEDIUM | — |
Oracle
Oracle Oracle Communications Risk Matrix: Core (Rack) — CVE-2025-46727
vendor_oracle·2026-01-15·CVSS 7.5
CVE-2025-46727 [HIGH] Oracle Oracle Communications Risk Matrix: Core (Rack) — CVE-2025-46727
Oracle Oracle Communications Risk Matrix: Core (Rack) vulnerability
CVE: CVE-2025-46727
CVSS: 7.5
Protocol: HTTP
Remote exploit: Yes
Affected versions: Network
Advisory: cpujan2026 (JAN 2026)
Ubuntu
Rack vulnerabilities
vendor_ubuntu·2025-05-12·CVSS 4.2
CVE-2025-32441 [MEDIUM] Rack vulnerabilities
Title: Rack vulnerabilities
Summary: Rack could be made to crash or allow unintended access to network services.
It was discovered that Rack incorrectly handled deleted rack sessions. An
attacker could possibly use this issue to expose sensitive information or
to gain unauthorized access to user accounts. (CVE-2025-32441)
It was discovered that Rack incorrectly limited the number of parameters
in a web request. An attacker could possibly use this issue to cause a
denial of service. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04
LTS, Ubuntu 24.04 LTS, Ubuntu 24.10, and Ubuntu 25.04. (CVE-2025-46727)
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
rubygem-rack: Unbounded-Parameter DoS in Rack::QueryParser
vendor_redhat·2025-05-07·CVSS 7.5
CVE-2025-46727 [HIGH] CWE-400 rubygem-rack: Unbounded-Parameter DoS in Rack::QueryParser
rubygem-rack: Unbounded-Parameter DoS in Rack::QueryParser
Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, and 3.1.14, `Rack::QueryParser` parses query strings and `application/x-www-form-urlencoded` bodies into Ruby data structures without imposing any limit on the number of parameters, allowing attackers to send requests with extremely large numbers of parameters. The vulnerability arises because `Rack::QueryParser` iterates over each `&`-separated key-value pair and adds it to a Hash without enforcing an upper bound on the total number of parameters. This allows an attacker to send a single request containing hundreds of thousands (or more) of parameters, which consumes excessive memory and CPU during parsing. An attacker can trigger denial of service by
Debian
CVE-2025-46727: ruby-rack - Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, a...
vendor_debian·2025·CVSS 7.5
CVE-2025-46727 [HIGH] CVE-2025-46727: ruby-rack - Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, a...
Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, and 3.1.14, `Rack::QueryParser` parses query strings and `application/x-www-form-urlencoded` bodies into Ruby data structures without imposing any limit on the number of parameters, allowing attackers to send requests with extremely large numbers of parameters. The vulnerability arises because `Rack::QueryParser` iterates over each `&`-separated key-value pair and adds it to a Hash without enforcing an upper bound on the total number of parameters. This allows an attacker to send a single request containing hundreds of thousands (or more) of parameters, which consumes excessive memory and CPU during parsing. An attacker can trigger denial of service by sending specifically crafted HTTP requests, which can cause
Microsoft
drm/amd/display: Add otg_master NULL check within resource_log_pipe_topology_update
vendor_msrc·2024-09-10·CVSS 5.5
CVE-2024-46727 [MEDIUM] CWE-476 drm/amd/display: Add otg_master NULL check within resource_log_pipe_topology_update
drm/amd/display: Add otg_master NULL check within resource_log_pipe_topology_update
FAQ: Is Azure Linux the only Microsoft product that includes this open-source library and is therefore potentially affected by this vulnerability?
One of the main benefits to our customers who choose to use the Azure Linux distro is the commitment to keep it up to date with the most recent and most secure versions of the open source libraries with which the distro is composed. Microsoft is committed to transparency in this work which is why we began publishing CSAF/VEX in October 2025. See this blog post for more information. If impact to additional products is identified, we will update the CVE to reflect this.
Mariner: Mariner
Linux: Linux
Customer Action Required: Yes
OSV
ruby-rack vulnerabilities
osv·2025-05-12·CVSS 4.2
CVE-2025-32441 [MEDIUM] ruby-rack vulnerabilities
ruby-rack vulnerabilities
It was discovered that Rack incorrectly handled deleted rack sessions. An
attacker could possibly use this issue to expose sensitive information or
to gain unauthorized access to user accounts. (CVE-2025-32441)
It was discovered that Rack incorrectly limited the number of parameters
in a web request. An attacker could possibly use this issue to cause a
denial of service. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04
LTS, Ubuntu 24.04 LTS, Ubuntu 24.10, and Ubuntu 25.04. (CVE-2025-46727)
OSV
Rack has an Unbounded-Parameter DoS in Rack::QueryParser
osv·2025-05-08
CVE-2025-46727 [HIGH] Rack has an Unbounded-Parameter DoS in Rack::QueryParser
Rack has an Unbounded-Parameter DoS in Rack::QueryParser
## Summary
`Rack::QueryParser` parses query strings and `application/x-www-form-urlencoded` bodies into Ruby data structures without imposing any limit on the number of parameters, allowing attackers to send requests with extremely large numbers of parameters.
## Details
The vulnerability arises because `Rack::QueryParser` iterates over each `&`-separated key-value pair and adds it to a Hash without enforcing an upper bound on the total number of parameters. This allows an attacker to send a single request containing hundreds of thousands (or more) of parameters, which consumes excessive memory and CPU during parsing.
## Impact
An attacker can trigger denial of service by sending specifically crafted HTTP requests, which can ca
GHSA
Rack has an Unbounded-Parameter DoS in Rack::QueryParser
ghsa·2025-05-08
CVE-2025-46727 [HIGH] CWE-400 Rack has an Unbounded-Parameter DoS in Rack::QueryParser
Rack has an Unbounded-Parameter DoS in Rack::QueryParser
## Summary
`Rack::QueryParser` parses query strings and `application/x-www-form-urlencoded` bodies into Ruby data structures without imposing any limit on the number of parameters, allowing attackers to send requests with extremely large numbers of parameters.
## Details
The vulnerability arises because `Rack::QueryParser` iterates over each `&`-separated key-value pair and adds it to a Hash without enforcing an upper bound on the total number of parameters. This allows an attacker to send a single request containing hundreds of thousands (or more) of parameters, which consumes excessive memory and CPU during parsing.
## Impact
An attacker can trigger denial of service by sending specifically crafted HTTP requests, which can ca
OSV
CVE-2025-46727: Rack is a modular Ruby web server interface
osv·2025-05-07·CVSS 7.5
CVE-2025-46727 [HIGH] CVE-2025-46727: Rack is a modular Ruby web server interface
Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, and 3.1.14, `Rack::QueryParser` parses query strings and `application/x-www-form-urlencoded` bodies into Ruby data structures without imposing any limit on the number of parameters, allowing attackers to send requests with extremely large numbers of parameters. The vulnerability arises because `Rack::QueryParser` iterates over each `&`-separated key-value pair and adds it to a Hash without enforcing an upper bound on the total number of parameters. This allows an attacker to send a single request containing hundreds of thousands (or more) of parameters, which consumes excessive memory and CPU during parsing. An attacker can trigger denial of service by sending specifically crafted HTTP requests, which can cause
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-05-07