VYPR

apk package

wolfi/ruby3.2-rails-8.0-compat

pkg:apk/wolfi/ruby3.2-rails-8.0-compat

Vulnerabilities (13)

  • CVE-2025-61919Oct 10, 2025
    affected < 8.0.3-r2fixed 8.0.3-r2

    Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, `Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large

  • CVE-2025-61780Oct 10, 2025
    affected < 8.0.3-r2fixed 8.0.3-r2

    Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, a possible information disclosure vulnerability existed in `Rack::Sendfile` when running behind a proxy that supports `x-sendfile` headers (such as Nginx). Specially crafted headers could ca

  • CVE-2025-61772Oct 7, 2025
    affected < 8.0.3-r1fixed 8.0.3-r1

    Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line (`CRLFCRLF`). The parser keeps appending incomin

  • CVE-2025-61771Oct 7, 2025
    affected < 8.0.3-r1fixed 8.0.3-r1

    Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, ``Rack::Multipart::Parser` stores non-file form fields (parts without a `filename`) entirely in memory as Ruby `String` objects. A single large text field in a multipart/form-data request

  • CVE-2025-61770Oct 7, 2025
    affected < 8.0.3-r1fixed 8.0.3-r1

    Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` buffers the entire multipart preamble (bytes before the first boundary) in memory without any size limit. A client can send a large preamble followed by a valid

  • CVE-2025-54314LowJul 20, 2025
    affected < 8.0.2-r7fixed 8.0.2-r7

    Thor before 1.4.0 can construct an unsafe shell command from library input. NOTE: this is disputed by the Supplier because "the method that was fixed can only be used with arguments that are controlled by Thor, and there is no way an attacker can take control of those arguments."

  • CVE-2025-49007Jun 4, 2025
    affected < 8.0.2-r5fixed 8.0.2-r5

    Rack is a modular Ruby web server interface. Starting in version 3.1.0 and prior to version 3.1.16, there is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This is very similar to the previous security issue CVE-2022-44571. Carefully craft

  • CVE-2025-46336MedMay 8, 2025
    affected < 8.0.2-r4fixed 8.0.2-r4

    Rack::Session is a session management implementation for Rack. In versions starting from 2.0.0 to before 2.1.1, when using the Rack::Session::Pool middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the attack

  • CVE-2025-46727May 7, 2025
    affected < 8.0.2-r4fixed 8.0.2-r4

    Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, and 3.1.14, `Rack::QueryParser` parses query strings and `application/x-www-form-urlencoded` bodies into Ruby data structures without imposing any limit on the number of parameters, allowing attackers

  • CVE-2025-27610Mar 10, 2025
    affected < 8.0.2-r0fixed 8.0.2-r0

    Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.13, 3.0.14, and 3.1.12, `Rack::Static` can serve files under the specified `root:` even if `urls:` are provided, which may expose other files under the specified `root:` unexpectedly. The vu

  • CVE-2025-27221Mar 3, 2025
    affected < 8.0.1-r3fixed 8.0.1-r3

    In the URI gem before 1.0.3 for Ruby, the URI handling methods (URI.join, URI#merge, URI#+) have an inadvertent leakage of authentication credentials because userinfo is retained even after changing the host.

  • CVE-2025-25184Feb 12, 2025
    affected < 8.0.1-r2fixed 8.0.1-r2

    Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.11, 3.0.12, and 3.1.10, Rack::CommonLogger can be exploited by crafting input that includes newline characters to manipulate log entries. The supplied proof-of-concept demonstrates injecting

  • CVE-2025-25186MedFeb 10, 2025
    affected < 8.0.1-r2fixed 8.0.1-r2

    Net::IMAP implements Internet Message Access Protocol (IMAP) client functionality in Ruby. Starting in version 0.3.2 and prior to versions 0.3.8, 0.4.19, and 0.5.6, there is a possibility for denial of service by memory exhaustion in `net-imap`'s response parser. At any time whi