CVE-2025-61919: Uncontrolled Resource Consumption in Rack

Severity: 7.5 HIGH (NVD)
EPSS: 0.2% (top 55.22%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: listed under Affected Packages below
Timeline: Published Oct 10; Latest update Jan 14

Description

Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, `Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion. Users should upgrade to Rack version 2.2.20, 3.1.18, or 3.2.3, any of
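The defensive pattern the description implies, as an added Ruby example (not Rack's code and not the project's fix): read a `rack.input`-style body in bounded chunks and abort once a cap is exceeded, instead of slurping it with `read(nil)`. The cap value, chunk size, helper names and the `BodyTooLarge` error are assumptions for illustration.

```ruby
require "stringio"
require "uri"

# Hypothetical cap on a form-encoded body (bytes); a real deployment picks
# this from the application's needs. Not a Rack constant.
MAX_FORM_BODY = 1024

class BodyTooLarge < StandardError; end

# Bounded read: pulls a rack.input-style IO in fixed-size chunks and stops
# as soon as the running total passes max_bytes. The vulnerable pattern,
# `input.read(nil)`, buffers the whole body first and checks nothing.
def read_form_body(input, max_bytes: MAX_FORM_BODY, chunk: 256)
  buf = +""
  while (part = input.read(chunk))
    buf << part
    raise BodyTooLarge, "form body exceeds #{max_bytes} bytes" if buf.bytesize > max_bytes
  end
  buf
end

# Rejects a declared Content-Length above the cap before touching the body,
# then still enforces the cap while reading, because the header can be
# absent, wrong, or smaller than what the client actually sends.
def form_body_from_env(env, max_bytes: MAX_FORM_BODY)
  declared = Integer(env["CONTENT_LENGTH"].to_s, exception: false)
  if declared && declared > max_bytes
    raise BodyTooLarge, "declared Content-Length #{declared} exceeds #{max_bytes}"
  end
  read_form_body(env["rack.input"], max_bytes: max_bytes)
end

# Parses application/x-www-form-urlencoded pairs from the bounded buffer.
def parse_form(body)
  URI.decode_www_form(body).to_h
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: a small legitimate form and an oversized body.
  small = { "CONTENT_LENGTH" => "17", "rack.input" => StringIO.new("a=1&b=hello+world") }
  p parse_form(form_body_from_env(small))
  big = { "rack.input" => StringIO.new("x=" + "A" * 5000) }
  begin
    form_body_from_env(big)
  rescue BodyTooLarge => e
    puts "rejected: #{e.message}; only #{big["rack.input"].pos} bytes were read"
  end
end
```

Because the loop stops one chunk past the cap, the oversized body is never fully buffered; the amount actually read stays within `MAX_FORM_BODY + chunk`.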

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

Source: CVEListV5 | Package: rack/rack | Affected range: < 2.2.20 (+2 more ranges)
Source: NVD | Package: rack/rack | Affected range: 3.0.0 to 3.1.18 (+2 more ranges)
Source: RubyGems | Package: rack/rack | Affected range: 3.0 to 3.1.18 (+2 more ranges)

Patches

Vulnerability Details (5)

OSV: ruby-rack vulnerabilities (2026-01-14)
OSV: Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing (2025-10-10)
OSV: CVE-2025-61919: Rack is a modular Ruby web server interface (2025-10-10)
GHSA: Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing (2025-10-10)
CVEList: Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing (2025-10-10)

Vendor Advisories (3)

Ubuntu: Rack vulnerabilities (2026-01-14)
Red Hat: rubygem-rack: Unbounded read in `Rack::Request` form parsing can lead to memory exhaustion (2025-10-10)
Debian: CVE-2025-61919: ruby-rack - Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, a... (2025)
CVE-2025-61919 — Uncontrolled Resource Consumption | cvebase