CVE-2025-59830

High CVSS: 7.5

Rack is a modular Ruby web server interface. Prior to version 2.2.18, Rack::QueryParser enforces its params_limit only for parameters separated by &, while still splitting on both & and ;. As a result, attackers could use ; separators to bypass the parameter count limit and submit more parameters than intended. Applications or middleware that directly invoke Rack::QueryParser with its default configuration (no explicit delimiter) could be exposed to increased CPU and memory consumption. This can be abused as a limited denial-of-service vector. This issue has been patched in version 2.2.18.

Vendor

Rack

Product

Rack

CWE

CWE-400

Yayın Tarihi

2025-09-25 15:16:13

Güncelleme

2025-10-10 16:43:14

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-400 Rack HIGH Rack 2025

Referanslar

https://github.com/rack/rack/commit/54e4ffdd5affebcb0c015cc6ae74635c0831ed71 https://github.com/rack/rack/security/advisories/GHSA-625h-95r8-8xpm

Benzer Kayıtlar

Medium

CVE-2026-34835

Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack…

Medium

CVE-2026-25500

Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory` generates an…

High

CVE-2026-22860

Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`’s path check…

High

CVE-2025-61919

Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, `Rack::Request#POST` reads the…

Medium

CVE-2025-61780

Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, a possible information disclos…

High

CVE-2025-61771

Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, ``Rack::Multipart::Parser`…