apk package
chainguard/ruby3.2-rails-8.0-compat
pkg:apk/chainguard/ruby3.2-rails-8.0-compat
Vulnerabilities (13)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-61919 | — | < 8.0.3-r2 | 8.0.3-r2 | Oct 10, 2025 | Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, `Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large | ||
| CVE-2025-61780 | — | < 8.0.3-r2 | 8.0.3-r2 | Oct 10, 2025 | Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, a possible information disclosure vulnerability existed in `Rack::Sendfile` when running behind a proxy that supports `x-sendfile` headers (such as Nginx). Specially crafted headers could ca | ||
| CVE-2025-61772 | — | < 8.0.3-r1 | 8.0.3-r1 | Oct 7, 2025 | Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line (`CRLFCRLF`). The parser keeps appending incomin | ||
| CVE-2025-61771 | — | < 8.0.3-r1 | 8.0.3-r1 | Oct 7, 2025 | Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, ``Rack::Multipart::Parser` stores non-file form fields (parts without a `filename`) entirely in memory as Ruby `String` objects. A single large text field in a multipart/form-data request | ||
| CVE-2025-61770 | — | < 8.0.3-r1 | 8.0.3-r1 | Oct 7, 2025 | Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` buffers the entire multipart preamble (bytes before the first boundary) in memory without any size limit. A client can send a large preamble followed by a valid | ||
| CVE-2025-54314 | Low | 2.8 | < 8.0.2-r7 | 8.0.2-r7 | Jul 20, 2025 | Thor before 1.4.0 can construct an unsafe shell command from library input. NOTE: this is disputed by the Supplier because "the method that was fixed can only be used with arguments that are controlled by Thor, and there is no way an attacker can take control of those arguments." | |
| CVE-2025-49007 | — | < 8.0.2-r5 | 8.0.2-r5 | Jun 4, 2025 | Rack is a modular Ruby web server interface. Starting in version 3.1.0 and prior to version 3.1.16, there is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This is very similar to the previous security issue CVE-2022-44571. Carefully craft | ||
| CVE-2025-46336 | Med | 4.2 | < 8.0.2-r4 | 8.0.2-r4 | May 8, 2025 | Rack::Session is a session management implementation for Rack. In versions starting from 2.0.0 to before 2.1.1, when using the Rack::Session::Pool middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the attack | |
| CVE-2025-46727 | — | < 8.0.2-r4 | 8.0.2-r4 | May 7, 2025 | Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, and 3.1.14, `Rack::QueryParser` parses query strings and `application/x-www-form-urlencoded` bodies into Ruby data structures without imposing any limit on the number of parameters, allowing attackers | ||
| CVE-2025-27610 | — | < 8.0.2-r0 | 8.0.2-r0 | Mar 10, 2025 | Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.13, 3.0.14, and 3.1.12, `Rack::Static` can serve files under the specified `root:` even if `urls:` are provided, which may expose other files under the specified `root:` unexpectedly. The vu | ||
| CVE-2025-27221 | — | < 8.0.1-r3 | 8.0.1-r3 | Mar 3, 2025 | In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host. | ||
| CVE-2025-25184 | — | < 8.0.1-r2 | 8.0.1-r2 | Feb 12, 2025 | Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.11, 3.0.12, and 3.1.10, Rack::CommonLogger can be exploited by crafting input that includes newline characters to manipulate log entries. The supplied proof-of-concept demonstrates injecting | ||
| CVE-2025-25186 | Med | 6.5 | < 8.0.1-r2 | 8.0.1-r2 | Feb 10, 2025 | Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Starting in version 0.3.2 and prior to versions 0.3.8, 0.4.19, and 0.5.6, there is a possibility for denial of service by memory exhaustion in `net-imap`'s response parser. At any time whi |
- CVE-2025-61919Oct 10, 2025affected < 8.0.3-r2fixed 8.0.3-r2
Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, `Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large
- CVE-2025-61780Oct 10, 2025affected < 8.0.3-r2fixed 8.0.3-r2
Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, a possible information disclosure vulnerability existed in `Rack::Sendfile` when running behind a proxy that supports `x-sendfile` headers (such as Nginx). Specially crafted headers could ca
- CVE-2025-61772Oct 7, 2025affected < 8.0.3-r1fixed 8.0.3-r1
Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line (`CRLFCRLF`). The parser keeps appending incomin
- CVE-2025-61771Oct 7, 2025affected < 8.0.3-r1fixed 8.0.3-r1
Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, ``Rack::Multipart::Parser` stores non-file form fields (parts without a `filename`) entirely in memory as Ruby `String` objects. A single large text field in a multipart/form-data request
- CVE-2025-61770Oct 7, 2025affected < 8.0.3-r1fixed 8.0.3-r1
Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` buffers the entire multipart preamble (bytes before the first boundary) in memory without any size limit. A client can send a large preamble followed by a valid
- affected < 8.0.2-r7fixed 8.0.2-r7
Thor before 1.4.0 can construct an unsafe shell command from library input. NOTE: this is disputed by the Supplier because "the method that was fixed can only be used with arguments that are controlled by Thor, and there is no way an attacker can take control of those arguments."
- CVE-2025-49007Jun 4, 2025affected < 8.0.2-r5fixed 8.0.2-r5
Rack is a modular Ruby web server interface. Starting in version 3.1.0 and prior to version 3.1.16, there is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This is very similar to the previous security issue CVE-2022-44571. Carefully craft
- affected < 8.0.2-r4fixed 8.0.2-r4
Rack::Session is a session management implementation for Rack. In versions starting from 2.0.0 to before 2.1.1, when using the Rack::Session::Pool middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the attack
- CVE-2025-46727May 7, 2025affected < 8.0.2-r4fixed 8.0.2-r4
Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, and 3.1.14, `Rack::QueryParser` parses query strings and `application/x-www-form-urlencoded` bodies into Ruby data structures without imposing any limit on the number of parameters, allowing attackers
- CVE-2025-27610Mar 10, 2025affected < 8.0.2-r0fixed 8.0.2-r0
Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.13, 3.0.14, and 3.1.12, `Rack::Static` can serve files under the specified `root:` even if `urls:` are provided, which may expose other files under the specified `root:` unexpectedly. The vu
- CVE-2025-27221Mar 3, 2025affected < 8.0.1-r3fixed 8.0.1-r3
In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host.
- CVE-2025-25184Feb 12, 2025affected < 8.0.1-r2fixed 8.0.1-r2
Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.11, 3.0.12, and 3.1.10, Rack::CommonLogger can be exploited by crafting input that includes newline characters to manipulate log entries. The supplied proof-of-concept demonstrates injecting
- affected < 8.0.1-r2fixed 8.0.1-r2
Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Starting in version 0.3.2 and prior to versions 0.3.8, 0.4.19, and 0.5.6, there is a possibility for denial of service by memory exhaustion in `net-imap`'s response parser. At any time whi