Platform: ruby
Component: rack
Fixed in: 2.2.20, 3.1.1, 3.2.1, 2.2.19
CVE-2025-61770 describes a Denial of Service (DoS) vulnerability within the Rack::Multipart::Parser component of the Rack library. An attacker can exploit this flaw by sending a large multipart preamble, exceeding memory limits and potentially causing process termination. This vulnerability impacts Rack versions 2.2.9 and earlier, with a fix available in version 2.2.19.
The core issue lies in the Rack::Multipart::Parser's handling of the multipart preamble. The parser buffers the entire preamble in memory without enforcing a size limit. A malicious client can craft a request with an exceptionally large preamble, followed by a valid boundary. This excessive memory consumption can lead to an out-of-memory (OOM) condition, resulting in the Rack application process crashing or becoming unresponsive. The blast radius extends to any application relying on Rack for handling multipart requests, potentially impacting multiple services and users. This vulnerability is similar to other memory exhaustion attacks where an attacker overwhelms a system's resources to cause a denial of service.
CVE-2025-61770 was publicly disclosed on 2025-10-07. No public proof-of-concept (PoC) code has been released as of this writing. The vulnerability's severity is rated HIGH (CVSS 7.5). It is not currently listed in the CISA KEV catalog.
Exploit Status
EPSS: 0.16% (37th percentile)
The primary mitigation is to upgrade to Rack version 2.2.19 or later, which includes a fix for this vulnerability. If an immediate upgrade is not feasible, consider implementing temporary workarounds. One approach is to configure the web server or application to limit the maximum request size for multipart uploads. Another potential mitigation involves using a WAF (Web Application Firewall) to filter requests with excessively large multipart preambles. Monitor application logs for signs of memory exhaustion or process crashes, which could indicate exploitation attempts. After upgrade, confirm by sending a test multipart request with a large preamble and verifying that the application does not crash.
Upgrade the Rack gem to version 2.2.19, 3.1.17, 3.2.2 or higher. This fixes the vulnerability by limiting the multipart preamble size. Alternatively, limit the total request body size in the proxy or web server.
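One way to apply the request-size workaround at the Rack layer, as an added example that is not part of this advisory or of the Rack project's own code: a middleware that rejects multipart requests whose declared Content-Length exceeds a limit before the multipart parser reads any of the body. The 10 MiB default, the 411 response for multipart requests without a Content-Length, and the sample app and environments are assumptions constructed here.

```ruby
# Rack-compatible middleware (plain Ruby, no rack gem needed to run this file)
# that bounds multipart request bodies before Rack::Multipart::Parser sees them.
class MultipartBodyLimit
  DEFAULT_LIMIT = 10 * 1024 * 1024 # 10 MiB; assumed default, tune per application

  def initialize(app, limit: DEFAULT_LIMIT)
    @app = app
    @limit = limit
  end

  def call(env)
    return @app.call(env) unless multipart?(env)

    length = env['CONTENT_LENGTH']
    # Chunked uploads carry no Content-Length, so their size cannot be checked
    # up front; refuse them for multipart rather than buffering an unbounded body.
    return reject(411, 'Length Required') if length.nil? || length.empty?
    return reject(413, 'Payload Too Large') if Integer(length) > @limit

    @app.call(env)
  rescue ArgumentError
    # Non-numeric Content-Length header
    reject(400, 'Bad Request')
  end

  private

  def multipart?(env)
    env['CONTENT_TYPE'].to_s.downcase.start_with?('multipart/form-data')
  end

  def reject(status, reason)
    [status, { 'content-type' => 'text/plain',
               'content-length' => reason.bytesize.to_s }, [reason]]
  end
end

# Constructed sample app and request environments for demonstration only.
INNER_APP = ->(_env) { [200, { 'content-type' => 'text/plain' }, ['ok']] }

def limited_app(limit = 1024)
  MultipartBodyLimit.new(INNER_APP, limit: limit)
end

def sample_env(content_type:, content_length:)
  env = { 'REQUEST_METHOD' => 'POST', 'CONTENT_TYPE' => content_type }
  env['CONTENT_LENGTH'] = content_length.to_s unless content_length.nil?
  env
end
```

This bounds the whole body, and therefore the preamble, but only caps the damage; the upgraded parser's own preamble limit is the actual fix.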
CVE-2025-61770 is a Denial of Service vulnerability in the Rack::Multipart::Parser component of the Rack library, allowing an attacker to cause memory exhaustion by sending a large multipart preamble.
You are affected if you are using Rack versions 2.2.9 or earlier. Upgrade to 2.2.19 or later to resolve the vulnerability.
Upgrade to Rack version 2.2.19 or later. As a temporary workaround, limit the maximum request size for multipart uploads or use a WAF to filter large requests.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's severity warrants proactive mitigation.
Refer to the official Rack project website and security advisories for the latest information and updates regarding CVE-2025-61770.