CVE-2025-61919
Published 2025-10-10
CVE-2025-61919: Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, `Rack::Request#POST` reads the entire request body into memory for…
Priority: P3 (43) · Severity: High · CVSS 3.1 base score: 7.5
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
EPSS: 0.59% (43.8th percentile)
Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, `Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion. Users should upgrade to Rack version 2.2.20, 3.1.18, or 3.2.3, any of which enforces form parameter limits using `query_parser.bytesize_limit`, preventing unbounded reads of `application/x-www-form-urlencoded` bodies. Additionally, enforce strict maximum body size at the proxy or web server layer (e.g., Nginx `client_max_body_size`, Apache `LimitRequestBody`).
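As an added illustration (not Rack's own code) of the kind of application-level cap that complements the proxy limits recommended above: a Rack-style middleware that bounds `application/x-www-form-urlencoded` bodies before anything downstream can read `rack.input` with no length, including the case of a missing or understated `Content-Length`. The class, method names and request env below are hypothetical and constructed for the demo.

```ruby
require "stringio"
# Added example, not Rack's own code: a Rack-style middleware that caps
# application/x-www-form-urlencoded bodies before the app (and the
# Rack::Request#POST call behind it) can read rack.input with no length.
# Class and method names are hypothetical.
class BoundedFormBody
  FORM  = "application/x-www-form-urlencoded"
  CHUNK = 16 * 1024

  def initialize(app, limit: 1024 * 1024)
    @app, @limit = app, limit
  end

  def call(env)
    return @app.call(env) unless form?(env)
    # Fast path: an honest Content-Length that already exceeds the cap.
    return too_large if env["CONTENT_LENGTH"].to_i > @limit
    # Slow path: read in bounded chunks, so a missing or understated
    # Content-Length (e.g. chunked transfer) cannot force a full buffer.
    buf, input = "".b, env["rack.input"]
    while (chunk = input.read(CHUNK))
      buf << chunk
      return too_large if buf.bytesize > @limit
    end
    # Hand the app a rewindable body of known, bounded size.
    env["rack.input"] = StringIO.new(buf)
    env["CONTENT_LENGTH"] = buf.bytesize.to_s
    @app.call(env)
  end

  private

  def form?(env)
    env["CONTENT_TYPE"].to_s.split(";").first.to_s.strip.downcase == FORM
  end

  def too_large
    [413, { "content-type" => "text/plain" }, ["Payload Too Large\n"]]
  end
end

# Constructed request env for a stand-alone run; a real server builds this.
def form_env(body, content_type: BoundedFormBody::FORM, length: nil)
  env = { "REQUEST_METHOD" => "POST", "CONTENT_TYPE" => content_type,
          "rack.input" => StringIO.new(body) }
  env["CONTENT_LENGTH"] = length.to_s if length
  env
end

# Inner app echoes the body it was allowed to see; cap kept tiny for the demo.
APP = BoundedFormBody.new(->(env) { [200, {}, [env["rack.input"].read]] }, limit: 64)
```

Non-form content types pass through untouched, so the cap applies only to the body kind this advisory concerns.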
Affected
9 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ruby-rack | < ruby-rack 2.2.20-0+deb12u1 (bookworm) | ruby-rack 2.2.20-0+deb12u1 (bookworm) |
| rack | rack | < 2.2.20 | 2.2.20 |
| rack | rack | — | — |
| rack | rack | — | — |
| rack | rack | >= 0 < 2.2.20 | 2.2.20 |
| rack | rack | >= 3.0 < 3.1.18 | 3.1.18 |
| rack | rack | >= 3.0.0 < 3.1.18 | 3.1.18 |
| rack | rack | >= 3.2 < 3.2.3 | 3.2.3 |
| rack | rack | >= 3.2.0 < 3.2.3 | 3.2.3 |
CVSS provenance
| Source | Score | Severity | Vector |
|---|---|---|---|
| nvd (v3.1) | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| osv | 7.5 | HIGH | |
| vendor_debian | 7.5 | HIGH | |
| vendor_redhat | 7.5 | HIGH | |
| vendor_ubuntu | 7.5 | HIGH | |
OSV
ruby-rack vulnerabilities
osv·2026-01-14·CVSS 7.5
CVE-2025-59830 [HIGH] ruby-rack vulnerabilities
It was discovered that Rack incorrectly handled certain query parameters.
An attacker could possibly use this issue to cause a limited denial of
service. This issue was only addressed in Ubuntu 20.04 LTS and
Ubuntu 22.04 LTS. (CVE-2025-59830)
It was discovered that Rack did not properly handle certain multipart
form data. An attacker could possibly use this issue to cause memory
exhaustion, leading to a denial of service. This issue was only addressed
in Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and Ubuntu 25.10.
(CVE-2025-61770, CVE-2025-61772)
It was discovered that Rack did not properly handle certain form fields.
An attacker could possibly use this issue to cause memory exhaustion,
leading to a denial of service. This issue was only addressed in Ubuntu
22.04 LTS,
OSV
Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing
osv·2025-10-10
CVE-2025-61919 [HIGH] Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing
## Summary
`Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion.
## Details
When handling non-multipart form submissions, Rack’s request parser performs:
```ruby
form_vars = get_header(RACK_INPUT).read
```
Since `read` is called with no argument, the entire request body is loaded into a Ruby `String`. This occurs before query parameter parsing or enforcement of any `params_limit`. As a result, Rack applications with
OSV
CVE-2025-61919: Rack is a modular Ruby web server interface
osv·2025-10-10·CVSS 7.5
CVE-2025-61919 [HIGH] CVE-2025-61919: Rack is a modular Ruby web server interface
Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, `Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion. Users should upgrade to Rack version 2.2.20, 3.1.18, or 3.2.3, any of which enforces form parameter limits using `query_parser.bytesize_limit`, preventing unbounded reads of `application/x-www-form-urlencoded` bodies. Additionally, enforce strict maximum body size at the proxy or web server layer (e.g., Nginx `client_max_body_size`, Apache `LimitRequestBody`).
GHSA
Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing
ghsa·2025-10-10
CVE-2025-61919 [HIGH] CWE-400 Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing
## Summary
`Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion.
## Details
When handling non-multipart form submissions, Rack’s request parser performs:
```ruby
form_vars = get_header(RACK_INPUT).read
```
Since `read` is called with no argument, the entire request body is loaded into a Ruby `String`. This occurs before query parameter parsing or enforcement of any `params_limit`. As a result, Rack applications with
Ubuntu
Rack vulnerabilities
vendor_ubuntu·2026-01-14·CVSS 7.5
CVE-2025-61771 [HIGH] Rack vulnerabilities
Title: Rack vulnerabilities
Summary: Several security issues were fixed in Rack.
It was discovered that Rack incorrectly handled certain query parameters.
An attacker could possibly use this issue to cause a limited denial of
service. This issue was only addressed in Ubuntu 20.04 LTS and
Ubuntu 22.04 LTS. (CVE-2025-59830)
It was discovered that Rack did not properly handle certain multipart
form data. An attacker could possibly use this issue to cause memory
exhaustion, leading to a denial of service. This issue was only addressed
in Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and Ubuntu 25.10.
(CVE-2025-61770, CVE-2025-61772)
It was discovered that Rack did not properly handle certain form fields.
An attacker could possibly use this issue to cause memory exhaustion,
leading to a denial of serv
Red Hat
rubygem-rack: Unbounded read in `Rack::Request` form parsing can lead to memory exhaustion
vendor_redhat·2025-10-10·CVSS 7.5
CVE-2025-61919 [HIGH] CWE-400 rubygem-rack: Unbounded read in `Rack::Request` form parsing can lead to memory exhaustion
Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, `Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion. Users should upgrade to Rack version 2.2.20, 3.1.18, or 3.2.3, any of which enforces form parameter limits using `query_parser.bytesize_limit`, preventing unbounded reads of `application/x-www-form-urlencoded` bodies. Additionally, enforce strict maximum body size at the proxy
Debian
CVE-2025-61919: ruby-rack - Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, a...
vendor_debian·2025·CVSS 7.5
CVE-2025-61919 [HIGH] CVE-2025-61919: ruby-rack - Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, a...
Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, `Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion. Users should upgrade to Rack version 2.2.20, 3.1.18, or 3.2.3, any of which enforces form parameter limits using `query_parser.bytesize_limit`, preventing unbounded reads of `application/x-www-form-urlencoded` bodies. Additionally, enforce strict maximum body size at the proxy or web server layer (e.g., Nginx `client_max_body_size`, Apache `LimitRequestBody`).
Scope:
No detection rules found.
No public exploits indexed.
Published: 2025-10-10