Moderate severity · NVD Advisory · Published Jul 26, 2015 · Updated Jun 17, 2026
CVE-2015-3225
Description
lib/rack/utils.rb in Rack before 1.5.4 and 1.6.x before 1.6.2, as used with Ruby on Rails 3.x and 4.x and other products, allows remote attackers to cause a denial of service (SystemStackError) via a request with a large parameter depth.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| rack | RubyGems | >= 1.5.0, < 1.5.4 | 1.5.4 |
| rack | RubyGems | >= 1.6.0, < 1.6.2 | 1.6.2 |
| rack | RubyGems | >= 1.4.0, < 1.4.6 | 1.4.6 |
Affected products
Source: GHSA coordinates, 16 package versions (no CPE entries).

| Package URL | Distribution | Affected range |
|---|---|---|
| pkg:gem/rack | RubyGems | >= 1.5.0, < 1.5.4 |
| pkg:rpm/opensuse/ruby3.2-rubygem-rack-2.2 | openSUSE Tumbleweed | < 2.2.7-1.1 |
| pkg:rpm/opensuse/ruby3.2-rubygem-rack | openSUSE Tumbleweed | < 3.0.7-1.2 |
| pkg:rpm/opensuse/rubygem-rack-2.2 | openSUSE Tumbleweed | < 2.2.4-1.1 |
| pkg:rpm/opensuse/rubygem-rack | openSUSE Tumbleweed | < 2.2.3.1-1.1 |
| pkg:rpm/suse/rubygem-rack-1_4 | SUSE Enterprise Storage 1.0 | < 1.4.5-8.10 |
| pkg:rpm/suse/rubygem-rack-1_4 | SUSE Enterprise Storage 2 | < 1.4.5-8.10 |
| pkg:rpm/suse/rubygem-rack-1_4 | SUSE Lifecycle Management Server 1.3 | < 1.4.5-0.7.3 |
| pkg:rpm/suse/rubygem-rack-1_4 | SUSE Linux Enterprise Module for Containers 12 | < 1.4.5-8.10 |
| pkg:rpm/suse/rubygem-rack-1_4 | SUSE Linux Enterprise Software Development Kit 11 SP3 | < 1.4.5-0.7.3 |
| pkg:rpm/suse/rubygem-rack-1_4 | SUSE Linux Enterprise Software Development Kit 11 SP4 | < 1.4.5-0.7.3 |
| pkg:rpm/suse/rubygem-rack-1_4 | SUSE Studio Onsite 1.3 | < 1.4.5-0.7.3 |
| pkg:rpm/suse/rubygem-rack-1_4 | SUSE WebYast 1.3 | < 1.4.5-0.7.3 |
| pkg:rpm/suse/rubygem-rack | SUSE Lifecycle Management Server 1.3 | < 1.1.6-0.11.2 |
| pkg:rpm/suse/rubygem-rack | SUSE Linux Enterprise Software Development Kit 11 SP3 | < 1.1.6-0.11.2 |
| pkg:rpm/suse/rubygem-rack | SUSE OpenStack Cloud 5 | < 1.5.2-9.6 |
References
15 references:

- github.com/rack/rack/blob/master/HISTORY.md (NVD: Issue Tracking, Patch, Vendor Advisory)
- lists.opensuse.org/opensuse-updates/2015-07/msg00040.html (NVD: Third Party Advisory)
- lists.opensuse.org/opensuse-updates/2015-07/msg00043.html (NVD: Third Party Advisory)
- lists.opensuse.org/opensuse-updates/2015-07/msg00044.html (NVD: Third Party Advisory)
- openwall.com/lists/oss-security/2015/06/16/14 (NVD: Mailing List, Third Party Advisory)
- github.com/advisories/GHSA-rgr4-9jh5-j4j6 (GHSA: Advisory)
- groups.google.com/forum/message/raw (NVD: Mailing List, Third Party Advisory)
- nvd.nist.gov/vuln/detail/CVE-2015-3225 (GHSA: Advisory)
- lists.fedoraproject.org/pipermail/package-announce/2015-August/164173.html (NVD)
- lists.fedoraproject.org/pipermail/package-announce/2015-August/165180.html (NVD)
- rhn.redhat.com/errata/RHSA-2015-2290.html (NVD)
- www.debian.org/security/2015/dsa-3322 (NVD)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2015-3225.yml (GHSA)
- groups.google.com/forum/ (GHSA)
- www.securityfocus.com/bid/75232 (NVD)