VYPR
High severityNVD Advisory· Published Sep 25, 2025· Updated Sep 25, 2025

Rack QueryParser has an unsafe default allowing params_limit bypass via semicolon-separated parameters

CVE-2025-59830

Description

Rack is a modular Ruby web server interface. Prior to version 2.2.18, Rack::QueryParser enforces its params_limit only for parameters separated by &, while still splitting on both & and ;. As a result, attackers could use ; separators to bypass the parameter count limit and submit more parameters than intended. Applications or middleware that directly invoke Rack::QueryParser with its default configuration (no explicit delimiter) could be exposed to increased CPU and memory consumption. This can be abused as a limited denial-of-service vector. This issue has been patched in version 2.2.18.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
rackRubyGems
< 2.2.182.2.18

Affected products

15

Patches

Vulnerability mechanics

References

4

News mentions

0

No linked articles in our index yet.