VYPR
High severity · NVD Advisory · Published Oct 10, 2025 · Updated Oct 10, 2025

Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing

CVE-2025-61919

Description

Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, Rack::Request#POST reads the entire request body into memory for Content-Type: application/x-www-form-urlencoded, calling rack.input.read(nil) without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion. Users should upgrade to Rack version 2.2.20, 3.1.18, or 3.2.3, any of which enforces form parameter limits using query_parser.bytesize_limit, preventing unbounded reads of application/x-www-form-urlencoded bodies. Additionally, enforce a strict maximum body size at the proxy or web server layer (e.g., Nginx client_max_body_size, Apache LimitRequestBody).
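The following is an added example, not Rack's own code or the patch referenced by this advisory. It shows the defensive pattern the fix applies (a byte cap on form bodies) as a dependency-free, Rack-compatible middleware, and places it in front of a deliberately naive app that mimics the vulnerable rack.input.read(nil) pattern. The middleware name FormBodyLimit, the 4 MiB default, and the helper names are assumptions for illustration; the cap never trusts a declared Content-Length to accept a body, only to reject one early.

```ruby
require 'stringio'

# Constructed example: a Rack-compatible middleware that caps the size of
# application/x-www-form-urlencoded bodies before the downstream app (or
# Rack::Request#POST) reads them. Not part of the Rack project.
class FormBodyLimit
  DEFAULT_LIMIT = 4 * 1024 * 1024 # 4 MiB, an assumed cap; tune per application

  def initialize(app, limit: DEFAULT_LIMIT)
    @app = app
    @limit = limit
  end

  def call(env)
    return @app.call(env) unless form_encoded?(env)

    # A declared Content-Length is only used to reject early, never to accept:
    # a client can lie about it or omit it entirely.
    declared = env['CONTENT_LENGTH'].to_i
    return too_large if declared > @limit

    # Read at most limit+1 bytes, so an oversized or lying client cannot force
    # the whole body into memory the way an unbounded read(nil) would.
    input = env['rack.input']
    body = input.read(@limit + 1) || ''
    return too_large if body.bytesize > @limit

    # Hand the app a bounded, rewound copy with a truthful Content-Length.
    env['rack.input'] = StringIO.new(body)
    env['CONTENT_LENGTH'] = body.bytesize.to_s
    @app.call(env)
  end

  private

  def form_encoded?(env)
    media_type = env['CONTENT_TYPE'].to_s.split(';').first.to_s.strip
    media_type.casecmp?('application/x-www-form-urlencoded')
  end

  def too_large
    [413, { 'content-type' => 'text/plain' }, ['Payload Too Large']]
  end
end

# Downstream app that mimics the vulnerable pattern: it reads the entire body
# with read(nil) and counts the form pairs it sees.
NAIVE_APP = lambda do |env|
  body = env['rack.input'].read(nil)
  pairs = body.split('&').reject(&:empty?).size
  [200, { 'content-type' => 'text/plain' }, ["#{pairs} pairs"]]
end

# Builds a minimal Rack env around a constructed request body.
def build_env(body, content_type: 'application/x-www-form-urlencoded', content_length: body.bytesize)
  {
    'REQUEST_METHOD' => 'POST',
    'CONTENT_TYPE' => content_type,
    'CONTENT_LENGTH' => content_length.to_s,
    'rack.input' => StringIO.new(body)
  }
end

# Returns the HTTP status the middleware + app stack produces for a body.
def status_for(body, limit:, **opts)
  app = FormBodyLimit.new(NAIVE_APP, limit: limit)
  app.call(build_env(body, **opts)).first
end

if __FILE__ == $PROGRAM_NAME
  puts status_for('a=1&b=2', limit: 64)                              # 200
  puts status_for('x=' + ('A' * 100), limit: 64)                     # 413
  puts status_for('x=' + ('A' * 100), limit: 64, content_length: 1)  # 413 despite a lying Content-Length
end
```

The middleware only covers form-encoded bodies, matching the advisory's scope; the upgrade to a patched Rack remains the primary fix, and a web-server-level limit such as client_max_body_size stops oversized bodies before they reach Ruby at all.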


Affected packages

Versions sourced from the GitHub Security Advisory.

Package          Affected versions     Patched versions
rack (RubyGems)  < 2.2.20              2.2.20
rack (RubyGems)  >= 3.0, < 3.1.18      3.1.18
rack (RubyGems)  >= 3.2, < 3.2.3       3.2.3

Affected products: 85
