CVE-2025-27219
Description
In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Service (DoS) vulnerability. The method does not impose any limit on the length of the raw cookie value it processes. This oversight can lead to excessive resource consumption when parsing extremely large cookies.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CGI::Cookie.parse in Ruby's CGI gem before 0.4.2 lacks a length limit, leading to a denial of service via resource exhaustion.
Vulnerability
The CGI gem for Ruby, versions prior to 0.4.2, contains a denial of service vulnerability in the CGI::Cookie.parse method. The method does not enforce any limit on the length of the raw cookie value it processes, allowing an attacker to send an extremely large cookie value. This lack of input size validation can cause excessive memory and CPU consumption during parsing [1][2][3][4].
Attack
Vector
The vulnerability is remotely exploitable without authentication. An attacker needs only a single HTTP request carrying an oversized Cookie header. A CGI program reaches the vulnerable code whenever it parses that header, either explicitly via CGI::Cookie.parse or implicitly, because CGI.new parses the HTTP_COOKIE environment variable with the same method. Since no length check precedes parsing, the method works through the arbitrarily large value and consumes server resources in proportion to its size [4].
Impact
Successful exploitation leads to a denial of service condition. The excessive resource consumption can slow down or crash the server, making the application unavailable to legitimate users [4].
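An added example (not code from the cgi gem or from the advisory) of the guard the vulnerable method lacks: bound the raw Cookie header by bytes and by pair count before any parsing happens, so the single oversized request described above is rejected in constant time. The 4096-byte and 50-pair budgets are assumptions, and parse_cookie_pairs is a stand-in for CGI::Cookie.parse written here so the snippet runs without the gem installed:

```ruby
# Added example, not code from the cgi gem or the advisory: a bounded front
# door for cookie parsing. Before cgi 0.4.2 the parser accepts any length, so
# the caller has to bound the raw Cookie header before handing it over.
# MAX_COOKIE_BYTES and MAX_COOKIE_PAIRS are assumed budgets, not advisory values.
require 'uri'

MAX_COOKIE_BYTES = 4096   # assumption: a common per-header size budget
MAX_COOKIE_PAIRS = 50     # assumption: more distinct cookies than an app needs

class CookieTooLarge < ArgumentError; end

# Stand-in for CGI::Cookie.parse so the example runs without the cgi gem.
# It follows the format that method accepts: pairs separated by ";" and
# optional whitespace, "name=value", several values joined by "&", each value
# percent-decoded. Returns name => [values].
def parse_cookie_pairs(raw_cookie)
  cookies = {}
  raw_cookie.split(/;\s?/).each do |pair|
    name, values = pair.split('=', 2)
    next unless name && values
    decoded = values.split('&').map do |v|
      URI.decode_www_form_component(v)
    rescue ArgumentError
      v # malformed %-escape: keep the raw value rather than fail the request
    end
    (cookies[name] ||= []).concat(decoded)
  end
  cookies
end

# The guard itself. Both checks are a size lookup or one pass over the string
# with no per-pair allocation, so an oversized header is rejected before any
# cookie structures are built.
def bounded_cookie_parse(raw_cookie, max_bytes: MAX_COOKIE_BYTES, max_pairs: MAX_COOKIE_PAIRS)
  raw_cookie = raw_cookie.to_s
  if raw_cookie.bytesize > max_bytes
    raise CookieTooLarge, "Cookie header is #{raw_cookie.bytesize} bytes, limit is #{max_bytes}"
  end
  pairs = raw_cookie.count(';') + 1
  if pairs > max_pairs
    raise CookieTooLarge, "Cookie header has #{pairs} pairs, limit is #{max_pairs}"
  end
  parse_cookie_pairs(raw_cookie)
end

# Where the guard sits in a CGI program: the browser's Cookie header arrives
# as HTTP_COOKIE in the environment. A rejected request costs a 400 response
# instead of a worker stuck parsing megabytes of cookie.
def cookies_from_env(env)
  [200, bounded_cookie_parse(env['HTTP_COOKIE'])]
rescue CookieTooLarge => e
  [400, e.message]
end

if __FILE__ == $0
  # Constructed inputs: an ordinary header, then the single-request attack
  # shape described above (one cookie with a very large value).
  normal  = { 'HTTP_COOKIE' => 'session=abc123; theme=dark&large' }
  hostile = { 'HTTP_COOKIE' => 'x=' + ('A' * 1_000_000) }
  p cookies_from_env(normal)
  p cookies_from_env(hostile)
end
```

The byte check is the one that matters for this CVE; the pair-count check is defence in depth against a header that stays under the byte budget but is shaped to create many small cookies. Upgrading the gem remains the fix; the guard only protects code paths you control.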
Mitigation
The issue is fixed in cgi 0.4.2; upgrade to 0.4.2 or later. Backported fixes were also merged for the older release lines (ruby/cgi pull requests 52, 53 and 54): 0.3.5.1 for the 0.3.5 line and 0.3.7 for the 0.3.6 line, matching the patched versions in the table below [1][2][3]. cgi is a default gem, so the version in use is the one bundled with the interpreter unless the application pins a newer one; distribution packages carry their own backports (see Affected products).
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| cgi (RubyGems) | < 0.3.5.1 | 0.3.5.1 |
| cgi (RubyGems) | >= 0.3.6, < 0.3.7 | 0.3.7 |
| cgi (RubyGems) | >= 0.4.0, < 0.4.2 | 0.4.2 |
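An added example (not from the advisory or the gem) that turns the three ranges in the table above into an audit: it reports which patched version an affected cgi version should move to, reads a pinned cgi version out of Gemfile.lock text, and lists the cgi versions RubyGems knows about on the running interpreter. The Gemfile.lock text in the usage block is constructed, and the function names are mine:

```ruby
# Added example, not from the advisory or the gem: evaluate a cgi version
# against the three affected ranges in the table above and tell the operator
# which patched version to move to.
require 'rubygems'

# [affected range, first patched version in that line], from the table above.
CGI_AFFECTED_RANGES = [
  [Gem::Requirement.new('< 0.3.5.1'),           '0.3.5.1'],
  [Gem::Requirement.new('>= 0.3.6', '< 0.3.7'), '0.3.7'],
  [Gem::Requirement.new('>= 0.4.0', '< 0.4.2'), '0.4.2'],
].freeze

# Returns the patched version for an affected version, or nil if not affected.
def cgi_fix_for(version_string)
  version = Gem::Version.new(version_string)
  CGI_AFFECTED_RANGES.each do |requirement, fixed|
    return fixed if requirement.satisfied_by?(version)
  end
  nil
end

# Versions of cgi registered with RubyGems on this interpreter (default gems
# included). Empty on a Ruby that ships without the gem.
def installed_cgi_versions
  Gem::Specification.find_all_by_name('cgi').map { |spec| spec.version.to_s }
end

# The locked version from Gemfile.lock text, if the application pins cgi.
# cgi is a default gem, so most lockfiles do not list it; then the version in
# use is the one bundled with the interpreter, not something Bundler resolved.
def locked_cgi_version(lockfile_text)
  match = lockfile_text.match(/^ {4}cgi \(([^)]+)\)$/)
  match && match[1]
end

def audit_lockfile(lockfile_text)
  version = locked_cgi_version(lockfile_text)
  return 'cgi is not pinned in Gemfile.lock; check installed_cgi_versions' unless version
  fix = cgi_fix_for(version)
  return "cgi #{version} is not affected by CVE-2025-27219" unless fix
  "cgi #{version} is affected by CVE-2025-27219; upgrade to #{fix}"
end

if __FILE__ == $0
  sample_lock = <<~LOCK # constructed sample, not a real lockfile
    GEM
      remote: https://rubygems.org/
      specs:
        cgi (0.4.1)
        rack (3.1.8)
  LOCK
  puts audit_lockfile(sample_lock)
  puts "installed: #{installed_cgi_versions.inspect}"
end
```

Note that a version between 0.3.5.1 and 0.3.6, or any 0.3.7.x, falls outside all three ranges and is reported as not affected, which is what the advisory's ranges say; the lockfile check only answers for applications that pin cgi explicitly.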
Affected products
No CPE is assigned to any of the entries below. Affected versions of each package are those below the version shown.

| Package (purl) | Affected range |
|---|---|
| pkg:apk/chainguard/elasticsearch-8.17 | < 8.17.10-r13 |
| pkg:apk/chainguard/jruby-9.4 | < 9.4.14.0-r0 |
| pkg:apk/chainguard/jruby-9.4-default-ruby | < 9.4.14.0-r0 |
| pkg:apk/chainguard/logstash-9.1-bitnami-compat | < 9.1.10-r3 |
| pkg:apk/chainguard/logstash-9.1-iamguarded-compat | < 9.1.10-r3 |
| pkg:apk/chainguard/logstash-9.1-with-output-opensearch | < 9.1.10-r3 |
| pkg:apk/chainguard/ruby-3.1 | < 3.1.6-r12 |
| pkg:apk/chainguard/ruby-3.1-base | < 3.1.6-r12 |
| pkg:apk/chainguard/ruby-3.1-base-dev | < 3.1.6-r12 |
| pkg:apk/chainguard/ruby-3.1-dev | < 3.1.6-r12 |
| pkg:apk/chainguard/ruby-3.1-doc | < 3.1.6-r12 |
| pkg:apk/chainguard/ruby-3.2 | < 3.2.7-r1 |
| pkg:apk/chainguard/ruby-3.2-base | < 3.2.7-r1 |
| pkg:apk/chainguard/ruby-3.2-base-dev | < 3.2.7-r1 |
| pkg:apk/chainguard/ruby-3.2-dev | < 3.2.7-r1 |
| pkg:apk/chainguard/ruby-3.2-doc | < 3.2.7-r1 |
| pkg:apk/chainguard/ruby-3.4 | < 3.4.2-r1 |
| pkg:apk/chainguard/ruby-3.4-dev | < 3.4.2-r1 |
| pkg:apk/chainguard/ruby-3.4-doc | < 3.4.2-r1 |
| pkg:apk/wolfi/jruby-9.4 | < 9.4.14.0-r0 |
| pkg:apk/wolfi/jruby-9.4-default-ruby | < 9.4.14.0-r0 |
| pkg:apk/wolfi/logstash-9.1-bitnami-compat | < 9.1.10-r3 |
| pkg:apk/wolfi/logstash-9.1-iamguarded-compat | < 9.1.10-r3 |
| pkg:apk/wolfi/logstash-9.1-with-output-opensearch | < 9.1.10-r3 |
| pkg:apk/wolfi/ruby-3.1 | < 3.1.6-r12 |
| pkg:apk/wolfi/ruby-3.1-base | < 3.1.6-r12 |
| pkg:apk/wolfi/ruby-3.1-base-dev | < 3.1.6-r12 |
| pkg:apk/wolfi/ruby-3.1-dev | < 3.1.6-r12 |
| pkg:apk/wolfi/ruby-3.1-doc | < 3.1.6-r12 |
| pkg:apk/wolfi/ruby-3.2 | < 3.2.7-r1 |
| pkg:apk/wolfi/ruby-3.2-base | < 3.2.7-r1 |
| pkg:apk/wolfi/ruby-3.2-base-dev | < 3.2.7-r1 |
| pkg:apk/wolfi/ruby-3.2-dev | < 3.2.7-r1 |
| pkg:apk/wolfi/ruby-3.2-doc | < 3.2.7-r1 |
| pkg:apk/wolfi/ruby-3.4 | < 3.4.2-r1 |
| pkg:apk/wolfi/ruby-3.4-dev | < 3.4.2-r1 |
| pkg:apk/wolfi/ruby-3.4-doc | < 3.4.2-r1 |
| pkg:gem/cgi | < 0.3.5.1 |
| pkg:rpm/almalinux/ruby | < 3.3.8-4.module_el8.10.0+4022+8b66723c |
| pkg:rpm/almalinux/ruby-bundled-gems | < 3.3.8-4.module_el8.10.0+4022+8b66723c |
| pkg:rpm/almalinux/ruby-default-gems | < 3.3.8-4.module_el8.10.0+4022+8b66723c |
| pkg:rpm/almalinux/ruby-devel | < 3.3.8-4.module_el8.10.0+4022+8b66723c |
| pkg:rpm/almalinux/ruby-doc | < 3.3.8-4.module_el8.10.0+4022+8b66723c |
| pkg:rpm/almalinux/rubygem-abrt | < 0.4.0-1.module_el8.10.0+3799+191214cc |
| pkg:rpm/almalinux/rubygem-abrt-doc | < 0.4.0-1.module_el8.10.0+3799+191214cc |
| pkg:rpm/almalinux/rubygem-bigdecimal | < 3.1.5-4.module_el8.10.0+4022+8b66723c |
| pkg:rpm/almalinux/rubygem-bundler | < 2.5.22-4.module_el8.10.0+4022+8b66723c |
| pkg:rpm/almalinux/rubygem-io-console | < 0.7.1-4.module_el8.10.0+4022+8b66723c |
| pkg:rpm/almalinux/rubygem-irb | < 1.13.1-4.module_el8.10.0+4022+8b66723c |
| pkg:rpm/almalinux/rubygem-json | < 2.7.2-4.module_el8.10.0+4022+8b66723c |
| pkg:rpm/almalinux/rubygem-minitest | < 5.20.0-4.module_el8.10.0+4022+8b66723c |
| pkg:rpm/almalinux/rubygem-mysql2 | < 0.5.5-1.module_el8.10.0+3799+191214cc |
| pkg:rpm/almalinux/rubygem-mysql2-doc | < 0.5.5-1.module_el8.10.0+3799+191214cc |
| pkg:rpm/almalinux/rubygem-pg | < 1.5.4-1.module_el8.10.0+3799+191214cc |
| pkg:rpm/almalinux/rubygem-pg-doc | < 1.5.4-1.module_el8.10.0+3799+191214cc |
| pkg:rpm/almalinux/rubygem-power_assert | < 2.0.3-4.module_el8.10.0+4022+8b66723c |
| pkg:rpm/almalinux/rubygem-psych | < 5.1.2-4.module_el8.10.0+4022+8b66723c |
| pkg:rpm/almalinux/rubygem-racc | < 1.7.3-4.module_el8.10.0+4022+8b66723c |
| pkg:rpm/almalinux/rubygem-rake | < 13.1.0-4.module_el8.10.0+4022+8b66723c |
| pkg:rpm/almalinux/rubygem-rbs | < 3.4.0-4.module_el8.10.0+4022+8b66723c |
| pkg:rpm/almalinux/rubygem-rdoc | < 6.6.3.1-4.module_el8.10.0+4022+8b66723c |
| pkg:rpm/almalinux/rubygem-rexml | < 3.3.9-4.module_el8.10.0+4022+8b66723c |
| pkg:rpm/almalinux/rubygem-rss | < 0.3.1-4.module_el8.10.0+4022+8b66723c |
| pkg:rpm/almalinux/rubygems | < 3.5.22-4.module_el8.10.0+4022+8b66723c |
| pkg:rpm/almalinux/rubygems-devel | < 3.5.22-4.module_el8.10.0+4022+8b66723c |
| pkg:rpm/almalinux/rubygem-test-unit | < 3.6.1-4.module_el8.10.0+4022+8b66723c |
| pkg:rpm/almalinux/rubygem-typeprof | < 0.21.9-4.module_el8.10.0+4022+8b66723c |
| pkg:rpm/almalinux/ruby-libs | < 3.3.8-4.module_el8.10.0+4022+8b66723c |
| pkg:rpm/opensuse/ruby2.5 (distro: openSUSE Leap 15.6) | < 2.5.9-150000.4.41.1 |
| pkg:rpm/suse/ruby2.5 (distro: SUSE Enterprise Storage 7.1) | < 2.5.9-150000.4.41.1 |
| pkg:rpm/suse/ruby2.5 (distro: SUSE Linux Enterprise High Performance Computing 15 SP3-LTSS) | < 2.5.9-150000.4.41.1 |
| pkg:rpm/suse/ruby2.5 (distro: SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS) | < 2.5.9-150000.4.41.1 |
| pkg:rpm/suse/ruby2.5 (distro: SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS) | < 2.5.9-150000.4.41.1 |
| pkg:rpm/suse/ruby2.5 (distro: SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS) | < 2.5.9-150000.4.41.1 |
| pkg:rpm/suse/ruby2.5 (distro: SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS) | < 2.5.9-150000.4.41.1 |
| pkg:rpm/suse/ruby2.5 (distro: SUSE Linux Enterprise Module for Basesystem 15 SP6) | < 2.5.9-150000.4.41.1 |
| pkg:rpm/suse/ruby2.5 (distro: SUSE Linux Enterprise Module for Basesystem 15 SP7) | < 2.5.9-150700.24.3.1 |
| pkg:rpm/suse/ruby2.5 (distro: SUSE Linux Enterprise Server 15 SP3-LTSS) | < 2.5.9-150000.4.41.1 |
| pkg:rpm/suse/ruby2.5 (distro: SUSE Linux Enterprise Server 15 SP4-LTSS) | < 2.5.9-150000.4.41.1 |
| pkg:rpm/suse/ruby2.5 (distro: SUSE Linux Enterprise Server 15 SP5-LTSS) | < 2.5.9-150000.4.41.1 |
| pkg:rpm/suse/ruby2.5 (distro: SUSE Linux Enterprise Server for SAP Applications 15 SP3) | < 2.5.9-150000.4.41.1 |
| pkg:rpm/suse/ruby2.5 (distro: SUSE Linux Enterprise Server for SAP Applications 15 SP4) | < 2.5.9-150000.4.41.1 |
| pkg:rpm/suse/ruby2.5 (distro: SUSE Linux Enterprise Server for SAP Applications 15 SP5) | < 2.5.9-150000.4.41.1 |
| pkg:rpm/suse/ruby2.5 (distro: SUSE Manager Proxy 4.3) | < 2.5.9-150000.4.41.1 |
| pkg:rpm/suse/ruby2.5 (distro: SUSE Manager Server 4.3) | < 2.5.9-150000.4.41.1 |
| ruby-lang/CGI (CVE v5 record) | range: 0 |
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-gh9q-2xrm-x6qv (advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-27219 (advisory)
- github.com/ruby/cgi/pull/52 (web)
- github.com/ruby/cgi/pull/53 (web)
- github.com/ruby/cgi/pull/54 (web)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27219.yml (web)
- hackerone.com/reports/2936778 (web)
- lists.debian.org/debian-lts-announce/2025/03/msg00008.html (web)
- www.cve.org/CVERecord (web)
News mentions
No linked articles in our index yet.