CVE-2025-59830
Published 2025-09-25
Priority P344 · high · 7.5 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.53% (41.0th percentile)
Rack is a modular Ruby web server interface. Prior to version 2.2.18, Rack::QueryParser enforces its params_limit only for parameters separated by &, while still splitting on both & and ;. As a result, attackers could use ; separators to bypass the parameter count limit and submit more parameters than intended. Applications or middleware that directly invoke Rack::QueryParser with its default configuration (no explicit delimiter) could be exposed to increased CPU and memory consumption. This can be abused as a limited denial-of-service vector. This issue has been patched in version 2.2.18.
Affected
3 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ruby-rack | < ruby-rack 2.2.20-0+deb12u1 (bookworm) | ruby-rack 2.2.20-0+deb12u1 (bookworm) |
| rack | rack | < 2.2.18 | 2.2.18 |
| rack | rack | >= 0 < 2.2.18 | 2.2.18 |
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | | 7.5 | HIGH | |
| vendor_debian | | 7.5 | HIGH | |
| vendor_redhat | | 7.5 | HIGH | |
| vendor_ubuntu | | 7.5 | HIGH | |
Ubuntu
Rack vulnerabilities
vendor_ubuntu·2026-01-14·CVSS 7.5
CVE-2025-61771 [HIGH] Rack vulnerabilities
Title: Rack vulnerabilities
Summary: Several security issues were fixed in Rack.
It was discovered that Rack incorrectly handled certain query parameters.
An attacker could possibly use this issue to cause a limited denial of
service. This issue was only addressed in Ubuntu 20.04 LTS and
Ubuntu 22.04 LTS. (CVE-2025-59830)
It was discovered that Rack did not properly handle certain multipart
form data. An attacker could possibly use this issue to cause memory
exhaustion, leading to a denial of service. This issue was only addressed
in Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and Ubuntu 25.10.
(CVE-2025-61770, CVE-2025-61772)
It was discovered that Rack did not properly handle certain form fields.
An attacker could possibly use this issue to cause memory exhaustion,
leading to a denial of serv
Ubuntu
Rack vulnerability
vendor_ubuntu·2025-09-29
CVE-2025-59830 Rack vulnerability
Title: Rack vulnerability
Summary: Rack could be made to crash if it received specially crafted network
traffic.
It was discovered that Rack incorrectly handled limiting the amount of
parameters. An attacker could possibly use this issue to bypass the
params_limit value, leading to a denial of service.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat
rubygem-rack: Rack QueryParser has an unsafe default allowing params_limit bypass via semicolon-separated parameters
vendor_redhat·2025-09-25·CVSS 7.5
CVE-2025-59830 [HIGH] CWE-770 rubygem-rack: Rack QueryParser has an unsafe default allowing params_limit bypass via semicolon-separated parameters
rubygem-rack: Rack QueryParser has an unsafe default allowing params_limit bypass via semicolon-separated parameters
An unsafe default behavior in Rack::QueryParser allows bypass of the params_limit pa
Debian
CVE-2025-59830: ruby-rack - Rack is a modular Ruby web server interface. Prior to version 2.2.18, Rack::Quer...
vendor_debian·2025·CVSS 7.5
CVE-2025-59830 [HIGH] CVE-2025-59830: ruby-rack - Rack is a modular Ruby web server interface. Prior to version 2.2.18, Rack::Quer...
Scope: local
bookworm: resolved (fixed in 2.2.20-0+deb12u1)
bullseye: resolved (fixed in 2.1.4-3+deb11u4)
forky: resolved (fixed in 3.0.8-2)
sid: resolved (fixed in 3.0.8-2)
trixie: resolved (fixed in 3.
OSV
ruby-rack vulnerabilities
osv·2026-01-14·CVSS 7.5
CVE-2025-59830 [HIGH] ruby-rack vulnerabilities
ruby-rack vulnerabilities
OSV
Rack has an unsafe default in Rack::QueryParser allows params_limit bypass via semicolon-separated parameters
osv·2025-09-25
CVE-2025-59830 [HIGH] Rack has an unsafe default in Rack::QueryParser allows params_limit bypass via semicolon-separated parameters
Rack has an unsafe default in Rack::QueryParser allows params_limit bypass via semicolon-separated parameters
## Summary
`Rack::QueryParser` in version `< 2.2.18` enforces its `params_limit` only for parameters separated by `&`, while still splitting on both `&` and `;`. As a result, attackers could use `;` separators to bypass the parameter count limit and submit more parameters than intended.
## Details
The issue arises because `Rack::QueryParser#check_query_string` counts only `&` characters when determining the number of parameters, but the default separator regex `DEFAULT_SEP = /[&;] */n` splits on both `&` and `;`. This mismatch means that queries using `;` separators were not included in the parameter count, allowing `params_limit` to be bypassed.
Other safeguards (`bytesize_li
OSV
CVE-2025-59830: Rack is a modular Ruby web server interface
osv·2025-09-25·CVSS 7.5
CVE-2025-59830 [HIGH] CVE-2025-59830: Rack is a modular Ruby web server interface
GHSA
Rack has an unsafe default in Rack::QueryParser allows params_limit bypass via semicolon-separated parameters
ghsa·2025-09-25
CVE-2025-59830 [HIGH] CWE-400 Rack has an unsafe default in Rack::QueryParser allows params_limit bypass via semicolon-separated parameters
Rack has an unsafe default in Rack::QueryParser allows params_limit bypass via semicolon-separated parameters
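The counting mismatch described in the Details section (pairs counted by `&` while the split uses `/[&;] */n`), as an added illustration that is not Rack's own code; the error class, the two counter lambdas and the minimal pair parser are my own simplified stand-ins for the parser internals.

```ruby
# Added illustration of the mismatch the advisory describes; this is not
# Rack's code, and the class/lambda names below are hypothetical.
DEFAULT_SEP = /[&;] */n   # the default separator regex quoted in the advisory

class ParamLimitExceeded < StandardError; end   # hypothetical error class

# Pre-2.2.18 style count: only '&' is counted, so ';'-separated pairs are
# invisible to the limit even though the splitter still produces them.
COUNT_AMPERSANDS = ->(qs) { qs.count("&") + 1 }

# Consistent count: count the non-empty pieces DEFAULT_SEP actually yields,
# so the limit sees exactly what the parser will process.
COUNT_SEPARATED = ->(qs) { qs.split(DEFAULT_SEP).reject(&:empty?).size }

# Enforce params_limit with the supplied counter; returns the count on success.
def check_query_string(qs, params_limit:, counter: COUNT_SEPARATED)
  n = counter.call(qs)
  raise ParamLimitExceeded, "#{n} params exceed limit #{params_limit}" if n > params_limit
  n
end

# Minimal key=value parser that splits the way DEFAULT_SEP does (no nesting,
# no URL-decoding), so the pairs parsed can be compared with each count.
def parse_pairs(qs)
  qs.split(DEFAULT_SEP).each_with_object({}) do |pair, params|
    key, value = pair.split("=", 2)
    params[key] = value unless key.nil? || key.empty?
  end
end

if __FILE__ == $PROGRAM_NAME
  qs = "a=1;b=2; c=3"   # constructed sample: three pairs, zero '&'
  puts "pairs parsed:            #{parse_pairs(qs).size}"
  puts "counted via '&':         #{COUNT_AMPERSANDS.call(qs)}"
  puts "counted via DEFAULT_SEP: #{COUNT_SEPARATED.call(qs)}"
end
```

With `params_limit: 2`, the `&`-only counter accepts the sample while the separator-consistent counter rejects it, which is the gap the 2.2.18 fix closes.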
No detection rules found.
No public exploits indexed.