Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

redhat логотип

CVE-2025-61919

Опубликовано: 10 окт. 2025
Источник: redhat
CVSS3: 7.5
EPSS Низкий

Описание

Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, Rack::Request#POST reads the entire request body into memory for Content-Type: application/x-www-form-urlencoded, calling rack.input.read(nil) without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion. Users should upgrade to Rack version 2.2.20, 3.1.18, or 3.2.3, anu of which enforces form parameter limits using query_parser.bytesize_limit, preventing unbounded reads of application/x-www-form-urlencoded bodies. Additionally, enforce strict maximum body size at the proxy or web server layer (e.g., Nginx client_max_body_size, Apache LimitRequestBody).

A memory-exhaustion vulnerability exists in Rack when parsing application/x-www-form-urlencoded request bodies. Rack::Request#POST reads the entire request body into memory without enforcing a maximum length or cap. Attackers can exploit this by sending large form submissions, potentially causing denial of service (DoS) through memory exhaustion. Even with configured parsing limits, the issue occurs before those limits are enforced, allowing unbounded memory allocation proportional to request size.

Отчет

Affectedness: Rack 1.x, including 1.6.x, is not affected by this vulnerability. The issue exists only in Rack 2.x and 3.x, where request parsing was refactored into the QueryParser component. Since Rack 1.x does not include this component, it does not contain the vulnerable logic. Ruby 2.x and 3.x versions shipped with Red Hat Enterprise Linux, Red Hat Openshift Core OS (RHOCS) and Red Hat In-Vehicle OS (RHIVOS) are not affected, as they do not bundle the rack RubyGem by default. Rack is a third-party gem that must be installed separately.

Меры по смягчению последствий

No mitigation is currently available that meets Red Hat Product Security's standards for usability, deployment, applicability, or stability beyond these configuration-based workarounds.

Затронутые пакеты

ПлатформаПакетСостояниеРекомендацияРелиз
Logging Subsystem for Red Hat OpenShiftopenshift-logging/cluster-logging-operator-bundleNot affected
Logging Subsystem for Red Hat OpenShiftopenshift-logging/cluster-logging-rhel9-operatorNot affected
Logging Subsystem for Red Hat OpenShiftopenshift-logging/eventrouter-rhel9Not affected
Logging Subsystem for Red Hat OpenShiftopenshift-logging/fluentd-rhel8Not affected
Logging Subsystem for Red Hat OpenShiftopenshift-logging/fluentd-rhel9Not affected
Logging Subsystem for Red Hat OpenShiftopenshift-logging/log-file-metric-exporter-rhel9Not affected
Logging Subsystem for Red Hat OpenShiftopenshift-logging/logging-view-plugin-rhel9Not affected
Logging Subsystem for Red Hat OpenShiftopenshift-logging/vector-rhel9Not affected
OpenShift Service Mesh 2openshift-service-mesh/grafana-rhel8Not affected
OpenShift Service Mesh 2openshift-service-mesh/istio-cni-rhel8Not affected

Показывать по

Ссылки на источники

Дополнительная информация

Статус:

Important
Дефект:
CWE-400
https://bugzilla.redhat.com/show_bug.cgi?id=2403180rubygem-rack: Unbounded read in `Rack::Request` form parsing can lead to memory exhaustion

EPSS

Процентиль: 45%
0.00221
Низкий

7.5 High

CVSS3

Связанные уязвимости

ubuntu логотип

CVE-2025-61919

CVSS3: 7.5
ubuntu
6 месяцев назад

Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, `Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion. Users should upgrade to Rack version 2.2.20, 3.1.18, or 3.2.3, anu of which enforces form parameter limits using `query_parser.bytesize_limit`, preventing unbounded reads of `application/x-www-form-urlencoded` bodies. Additionally, enforce strict maximum body size at the proxy or web server layer (e.g., Nginx `client_max_body_size`, Apache `LimitRequestBody`).

nvd логотип

CVE-2025-61919

CVSS3: 7.5
nvd
6 месяцев назад

Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, `Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion. Users should upgrade to Rack version 2.2.20, 3.1.18, or 3.2.3, anu of which enforces form parameter limits using `query_parser.bytesize_limit`, preventing unbounded reads of `application/x-www-form-urlencoded` bodies. Additionally, enforce strict maximum body size at the proxy or web server layer (e.g., Nginx `client_max_body_size`, Apache `LimitRequestBody`).

debian логотип

CVE-2025-61919

CVSS3: 7.5
debian
6 месяцев назад

Rack is a modular Ruby web server interface. Prior to versions 2.2.20, ...

github логотип

GHSA-6xw4-3v39-52mm

CVSS3: 7.5
github
6 месяцев назад

Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing

fstec логотип

BDU:2025-13874

CVSS3: 7.5
fstec
6 месяцев назад

Уязвимость класса Rack::Request#POST модульного интерфейса между веб-серверами и веб-приложениями Rack, позволяющая нарушителю вызвать отказ в обслуживании

EPSS

Процентиль: 45%
0.00221
Низкий

7.5 High

CVSS3