Platform: ruby
Component: rack
Fixed in: 2.2.19, 2.2.18
CVE-2025-59830 describes a bypass vulnerability in the Rack::QueryParser component of the Rack library. The vulnerability allows attackers to circumvent the intended parameter count limit by using semicolon (;) separators instead of ampersands (&). This affects versions of Rack less than or equal to 2.2.9. The issue is resolved in version 2.2.18.
Exploitation of CVE-2025-59830 could allow an attacker to submit a significantly larger number of parameters than intended to a web application. This could lead to denial-of-service (DoS) conditions by overwhelming the application's resources, or potentially to information disclosure or other vulnerabilities if the application improperly handles a large number of parameters. The blast radius is limited to the application using the vulnerable Rack version, but the impact can be significant if the application is critical.
Exploitation context for CVE-2025-59830 is currently unknown. The vulnerability is not listed on KEV or EPSS. Public proof-of-concept (POC) code is not readily available. Published on 2025-09-25.
Applications built on Ruby that utilize the Rack library, particularly those that process user-supplied data through query strings without proper input validation, are at risk. Shared hosting environments where multiple applications share the same Rack installation are also vulnerable, as a compromised application could potentially impact others.
• ruby / server: `ps aux | grep rack`
• ruby / server: `journalctl -u rack -g "params_limit"`
• generic web: `curl -I 'http://your-rack-app.com/?param1=value1&param2=value2;param3=value3&param4=value4'`
• generic web: `grep -i 'params_limit' /var/log/apache2/access.log`
Exploit status: disclosure
EPSS: 0.07% (21st percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2025-59830 is to upgrade the Rack library to version 2.2.18 or later. If upgrading is not immediately possible, consider implementing input validation and sanitization on the application side to limit the number of parameters accepted. WAF rules can be configured to block requests with excessive parameters using semicolon separators. After upgrading, confirm the fix by sending a request with a large number of parameters separated by semicolons and verifying that the parameter count limit is enforced.
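As an added example of the application-side workaround described above (this is not Rack's own code and not part of the advisory), the following Rack-compatible middleware counts query-string parameters across both `&` and `;` separators and rejects any request that exceeds a limit. The helper name `count_query_params`, the middleware class `ParamCountLimiter`, the assumed default limit of 100 parameters and the 413 response are all choices made for this illustration; the only Rack interface it relies on is the standard `env["QUERY_STRING"]` key and the `[status, headers, body]` return triple.

```ruby
# Added example, not Rack's code: enforce a parameter count limit that
# treats ';' and '&' identically, so a request cannot evade the limit by
# switching separators as described for CVE-2025-59830.

# Assumed default: tune this to what your application actually needs.
MAX_PARAMS = 100

# Count non-empty key=value pairs in a raw query string, splitting on both
# '&' and ';' so that both separator styles are counted the same way.
def count_query_params(query_string)
  return 0 if query_string.nil? || query_string.empty?
  query_string.split(/[&;]/).count { |pair| !pair.empty? }
end

# Rack-compatible middleware: wraps the downstream app and short-circuits
# with 413 Payload Too Large when the parameter count exceeds the limit.
class ParamCountLimiter
  def initialize(app, limit: MAX_PARAMS)
    @app = app
    @limit = limit
  end

  def call(env)
    count = count_query_params(env["QUERY_STRING"])
    if count > @limit
      return [413, { "content-type" => "text/plain" },
              ["too many query parameters (#{count} > #{@limit})\n"]]
    end
    @app.call(env)
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a downstream app that always answers 200, and
  # requests using the two separator styles with a small limit.
  downstream = ->(_env) { [200, { "content-type" => "text/plain" }, ["ok\n"]] }
  limiter = ParamCountLimiter.new(downstream, limit: 2)

  ["a=1&b=2", "a=1;b=2;c=3", "a=1&b=2;c=3&d=4"].each do |qs|
    status, _headers, body = limiter.call({ "QUERY_STRING" => qs })
    puts "#{qs.ljust(20)} -> #{status} #{body.join.strip}"
  end
end
```

In a Rack application this is mounted with `use ParamCountLimiter, limit: 100` in `config.ru` before the application; the same counting helper can also serve the post-upgrade check suggested above by confirming that a semicolon-separated request over the limit is rejected.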
Update the Rack gem to version 2.2.18 or later. This fixes the vulnerability that allows the parameter limit to be bypassed by using semicolon separators. Run `gem update rack` to update to the latest version.
CVE-2025-59830 is a HIGH severity vulnerability in Ruby Rack versions 2.2.9 and earlier, allowing attackers to bypass the parameter limit in query strings using semicolons instead of ampersands.
You are affected if you are using Rack version 2.2.9 or earlier. Check your Rack version and upgrade if necessary.
Upgrade to Rack version 2.2.18 or later to resolve the vulnerability. Consider WAF rules as a temporary workaround if upgrading is not immediately possible.
As of the current date, there are no confirmed reports of active exploitation, but the vulnerability's severity warrants prompt remediation.
Refer to the official Ruby Rack project website and security advisories for the latest information and updates regarding CVE-2025-59830.