Platform: ruby
Component: rack
Fixed in: 2.2.19, 2.2.18
CVE-2025-59830 affects the Ruby Rack library, specifically the Rack::QueryParser component. This vulnerability allows attackers to bypass the intended parameter limit in query strings, potentially leading to resource exhaustion and denial of service. The vulnerability impacts Rack versions 2.2.9 and earlier, and a fix is available in version 2.2.18. This issue was publicly disclosed on 2025-09-25.
The core of the vulnerability lies in how Rack::QueryParser handles query string parameters. It enforces a params_limit to prevent excessive parameter submissions, but the limit check counts parameters only by their ampersand (&) separators, while the underlying parsing logic also splits the query string on semicolons (;). Because of this discrepancy, a query string that separates its pairs with semicolons passes the limit check with a count far below the number of parameters the parser actually produces, so an attacker can submit a significantly larger number of parameters than intended. This can lead to excessive resource consumption on the server, potentially causing a denial of service. The impact is amplified in applications that rely heavily on query string parameters for processing, as a single malicious request could overwhelm the server.
As of this writing, CVE-2025-59830 is not listed on the CISA KEV catalog. There are no publicly available exploits or active campaigns targeting this vulnerability. The CVSS score of 7.5 (HIGH) indicates a significant potential for exploitation, particularly in environments where Rack is widely used and parameter validation is not robust. Public disclosure occurred on 2025-09-25.
Exploit Status: EPSS 0.07% (21st percentile)
The primary mitigation for CVE-2025-59830 is to upgrade to Rack version 2.2.18 or later, which includes the fix for this parameter bypass vulnerability. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter out query strings containing excessive semicolons or parameters. Alternatively, you could implement a proxy-level filter to limit the number of parameters allowed in incoming requests. For detection, monitor application logs for unusually large query strings or requests with a high number of parameters. After upgrading, confirm the fix by sending a crafted query string with a large number of parameters separated by semicolons and verifying that the params_limit is enforced.
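The counting discrepancy described above, and the proxy-level parameter-count filter suggested as a workaround, as an added example (not Rack's own code): a small Rack-compatible middleware that counts query parameters the way the parser actually splits them (on both `&` and `;`) and rejects requests above a limit. The `count_by_ampersand` helper models the under-counting behaviour for comparison; the sample query string is constructed, and no Rack gem is needed to run it.

```ruby
# Added example, not code from the Rack project. Models the counting
# discrepancy behind CVE-2025-59830 and implements the proxy/middleware
# style filter the mitigation text describes.

# The parser splits on either separator (optional trailing spaces allowed).
SEPARATORS = /[&;] */

# Model of the flawed check: counts only '&'-delimited pairs, so a
# semicolon-separated query string looks like a single parameter.
def count_by_ampersand(query_string)
  return 0 if query_string.nil? || query_string.empty?
  query_string.count('&') + 1
end

# Counts every pair the parser would actually produce.
def count_by_parser_split(query_string)
  return 0 if query_string.nil? || query_string.empty?
  query_string.split(SEPARATORS).reject(&:empty?).size
end

# Rack-style middleware: `app` is the downstream app, `limit` the maximum
# number of query parameters accepted per request (hypothetical names).
class ParamCountLimiter
  def initialize(app, limit:)
    @app = app
    @limit = limit
  end

  def call(env)
    count = count_by_parser_split(env['QUERY_STRING'])
    if count > @limit
      body = "too many query parameters (#{count} > #{@limit})\n"
      return [400, { 'content-type' => 'text/plain' }, [body]]
    end
    @app.call(env)
  end
end

# Constructed sample: five pairs joined with ';' instead of '&'.
SAMPLE_QUERY = (1..5).map { |i| "k#{i}=v" }.join(';')

if $PROGRAM_NAME == __FILE__
  puts "ampersand-only count: #{count_by_ampersand(SAMPLE_QUERY)}"   # 1
  puts "actual parsed count:  #{count_by_parser_split(SAMPLE_QUERY)}" # 5
  app = ParamCountLimiter.new(->(_env) { [200, {}, ['ok']] }, limit: 3)
  puts "status with limit 3:  #{app.call('QUERY_STRING' => SAMPLE_QUERY)[0]}" # 400
end
```

The same two counters can be used after an upgrade to confirm that a semicolon-separated query string is now rejected by params_limit rather than accepted.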
Update the Rack gem to version 2.2.18 or higher. This will fix the vulnerability that allows bypassing the parameter limit using semicolon separators. Run `gem update rack` to update to the latest version.
CVE-2025-59830 is a HIGH severity vulnerability in Ruby Rack versions 2.2.9 and earlier, allowing attackers to bypass the parameter limit in query strings using semicolons instead of ampersands.
You are affected if you are using Rack version 2.2.9 or earlier. Check your Rack version and upgrade if necessary.
Upgrade to Rack version 2.2.18 or later to resolve the vulnerability. Consider WAF rules as a temporary workaround if upgrading is not immediately possible.
As of the current date, there are no confirmed reports of active exploitation, but the vulnerability's severity warrants prompt remediation.
Refer to the official Ruby Rack project website and security advisories for the latest information and updates regarding CVE-2025-59830.