Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

nvd логотип

CVE-2025-61771

Опубликовано: 07 окт. 2025
Источник: nvd
CVSS3: 7.5
EPSS Низкий

Описание

Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, ``Rack::Multipart::Parserstores non-file form fields (parts without afilename) entirely in memory as Ruby Stringobjects. A single large text field in a multipart/form-data request (hundreds of megabytes or more) can consume equivalent process memory, potentially leading to out-of-memory (OOM) conditions and denial of service (DoS). Attackers can send large non-file fields to trigger excessive memory usage. Impact scales with request size and concurrency, potentially leading to worker crashes or severe garbage-collection overhead. All Rack applications processing multipart form submissions are affected. Versions 2.2.19, 3.1.17, and 3.2.2 enforce a reasonable size cap for non-file fields (e.g., 2 MiB). Workarounds include restricting maximum request body size at the web-server or proxy layer (e.g., Nginxclient_max_body_size`) and validating and rejecting unusually large form fields at t

Ссылки

Уязвимые конфигурации

Конфигурация 1

Одно из

cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*
Версия до 2.2.19 (исключая)
cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*
Версия от 3.1.0 (включая) до 3.1.17 (исключая)
cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*
Версия от 3.2.0 (включая) до 3.2.2 (исключая)

EPSS

Процентиль: 17%
0.00056
Низкий

7.5 High

CVSS3

Дефекты

CWE-400

Связанные уязвимости

ubuntu логотип

CVE-2025-61771

CVSS3: 7.5
ubuntu
около 2 месяцев назад

Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, ``Rack::Multipart::Parser` stores non-file form fields (parts without a `filename`) entirely in memory as Ruby `String` objects. A single large text field in a multipart/form-data request (hundreds of megabytes or more) can consume equivalent process memory, potentially leading to out-of-memory (OOM) conditions and denial of service (DoS). Attackers can send large non-file fields to trigger excessive memory usage. Impact scales with request size and concurrency, potentially leading to worker crashes or severe garbage-collection overhead. All Rack applications processing multipart form submissions are affected. Versions 2.2.19, 3.1.17, and 3.2.2 enforce a reasonable size cap for non-file fields (e.g., 2 MiB). Workarounds include restricting maximum request body size at the web-server or proxy layer (e.g., Nginx `client_max_body_size`) and validating and rejecting unusually large form fields a...

debian логотип

CVE-2025-61771

CVSS3: 7.5
debian
около 2 месяцев назад

Rack is a modular Ruby web server interface. In versions prior to 2.2. ...

github логотип

GHSA-w9pc-fmgc-vxvw

CVSS3: 7.5
github
около 2 месяцев назад

Rack: Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)

fstec логотип

BDU:2025-13876

CVSS3: 7.5
fstec
около 2 месяцев назад

Уязвимость класса Rack::Multipart::Parser модульного интерфейса между веб-серверами и веб-приложениями Rack, позволяющая нарушителю вызвать отказ в обслуживании

redos логотип

ROS-20251106-03

CVSS3: 7.5
redos
25 дней назад

Множественные уязвимости rubygem-rack

EPSS

Процентиль: 17%
0.00056
Низкий

7.5 High

CVSS3

Дефекты

CWE-400