exploitDog
GHSA-gh9q-2xrm-x6qv

Published: 03 Mar 2025
Source: github
GitHub: reviewed
CVSS4: 6.3
CVSS3: 5.8

Description

CGI has Denial of Service (DoS) potential in Cookie.parse

There is a possibility of DoS in the cgi gem. This vulnerability has been assigned the CVE identifier CVE-2025-27219. We recommend upgrading the cgi gem.

Details

CGI::Cookie.parse took super-linear time to parse a cookie string in some cases. Feeding a maliciously crafted cookie string into the method could lead to a Denial of Service.

Please update the CGI gem to version 0.3.5.1, 0.3.7, 0.4.2 or later.

Affected versions

cgi gem versions <= 0.3.5, 0.3.6, 0.4.0 and 0.4.1.

Credits

Thanks to lio346 for discovering this issue. Also thanks to mame for fixing this vulnerability.
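As an added example (not part of the advisory or of the cgi gem itself), a small Ruby helper that maps an installed cgi gem version onto the advisory's affected ranges, plus a guard that bounds the raw Cookie header before it reaches CGI::Cookie.parse. The byte and pair limits are assumed policy values, and the demo falls back to a plain split if the cgi gem is not installed.

```ruby
require 'rubygems' # Gem::Version and Gem::Requirement ship with Ruby

# Affected ranges and the fixed version for each, as listed in GHSA-gh9q-2xrm-x6qv.
CGI_AFFECTED_RANGES = {
  Gem::Requirement.new('< 0.3.5.1')           => '0.3.5.1',
  Gem::Requirement.new('= 0.3.6')             => '0.3.7',
  Gem::Requirement.new('>= 0.4.0', '< 0.4.2') => '0.4.2',
}.freeze

# Returns the version to upgrade to, or nil when the given cgi gem
# version lies outside every affected range in the advisory.
def cgi_fix_for(version_string)
  version = Gem::Version.new(version_string)
  CGI_AFFECTED_RANGES.each { |range, fixed| return fixed if range.satisfied_by?(version) }
  nil
end

# Assumed policy limits for the guard; pick values that fit the application.
MAX_RAW_COOKIE_BYTES = 4096
MAX_COOKIE_PAIRS     = 50

# Bounds the raw Cookie header before it reaches the parser. The advisory's
# root cause is that CGI::Cookie.parse put no limit on the raw value it
# processed, so rejecting oversized input first caps the work the parser
# can be made to do. The parser is passed as a block so this helper does
# not depend on the cgi gem being installed.
def parse_cookie_guarded(raw, max_bytes: MAX_RAW_COOKIE_BYTES, max_pairs: MAX_COOKIE_PAIRS)
  return [:rejected, :too_long]       if raw.bytesize > max_bytes
  return [:rejected, :too_many_pairs] if raw.count(';') + 1 > max_pairs
  [:ok, yield(raw)]
end

if __FILE__ == $PROGRAM_NAME
  begin
    require 'cgi' # a default gem on Ruby 3.4 and earlier
    parser = ->(s) { CGI::Cookie.parse(s) } # returns a name => [values] hash
    installed = defined?(CGI::VERSION) ? CGI::VERSION : nil
    puts "installed cgi #{installed}: upgrade to #{cgi_fix_for(installed).inspect}" if installed
  rescue LoadError
    parser = ->(s) { s.split(/;\s*/) } # fallback so the demo still runs without cgi
  end
  # Constructed sample header, well under both limits.
  puts parse_cookie_guarded('session=abc123; theme=dark', &parser).inspect
  # Constructed oversized header: rejected before any parsing happens.
  puts parse_cookie_guarded('x' * 10_000, &parser).inspect # [:rejected, :too_long]
end
```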

Packages

Name   Ecosystem   Affected versions    Fixed version
cgi    rubygems    < 0.3.5.1            0.3.5.1
cgi    rubygems    = 0.3.6              0.3.7
cgi    rubygems    >= 0.4.0, < 0.4.2    0.4.2

EPSS: 0.00163 (percentile 38%, low)

CVSS4: 6.3 Medium
CVSS3: 5.8 Medium

Weaknesses: CWE-400, CWE-770

Related vulnerabilities

ubuntu (CVSS3: 5.8, 4 months ago)

In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Service (DoS) vulnerability. The method does not impose any limit on the length of the raw cookie value it processes. This oversight can lead to excessive resource consumption when parsing extremely large cookies.

redhat (CVSS3: 5.3, 4 months ago)

Same description as the ubuntu entry.

nvd (CVSS3: 5.8, 4 months ago)

Same description as the ubuntu entry.

msrc (CVSS3: 7.5, 3 months ago)

No description available.

debian (CVSS3: 5.8, 4 months ago)

In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in ...
