Platform
ruby
Component
rack
Fixed in
2.2.20
3.1.1
3.2.1
2.2.19
CVE-2025-61771 describes a Denial of Service (DoS) vulnerability within the Rack::Multipart::Parser component of the Ruby Rack library. Attackers can exploit this by sending excessively large non-file form fields within a multipart/form-data request, leading to out-of-memory (OOM) conditions and potential service disruption. The vulnerability affects Rack versions 2.2.9 and earlier; a fix is available in version 2.2.19.
The core issue lies in how Rack::Multipart::Parser handles non-file form fields. Unlike file parts, which are streamed to temporary files, these non-file fields are stored entirely in memory as Ruby String objects. An attacker can craft a request containing a single, very large text field (hundreds of megabytes or more) within the multipart/form-data payload. This will cause the Rack application to allocate a significant amount of memory to store the field, potentially exceeding available resources and triggering an out-of-memory error. The impact is a denial of service, rendering the Rack application or the entire web server unresponsive. This could disrupt critical services and potentially lead to data loss if the application was in the process of handling sensitive information.
This vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but the potential for exploitation exists given the ease of crafting a malicious multipart/form-data request. The vulnerability's impact is primarily denial of service, but the disruption could be significant for applications heavily reliant on Rack for handling form data. The severity is rated HIGH due to the potential for widespread impact.
Exploit Status
EPSS
0.10% (27% percentile)
CISA SSVC
CVSS Vector
The primary mitigation is to upgrade to Rack version 2.2.19 or later, which addresses the vulnerability by limiting the size of non-file form fields. If upgrading is not immediately feasible, consider implementing temporary workarounds. One approach is to configure the web server or application to limit the maximum size of multipart/form-data requests. Another option is to implement a WAF (Web Application Firewall) rule to block requests exceeding a certain size threshold. Carefully test any configuration changes to avoid unintended consequences. After upgrading, confirm the fix by sending a large multipart/form-data request and verifying that the application does not experience an out-of-memory error.
Update the `rack` gem to version 2.2.19, 3.1.17, 3.2.2 or higher. This will limit the size of non-file fields in multipart/form-data requests. Alternatively, you can restrict the maximum request body size on the web server or proxy (e.g., Nginx `client_max_body_size`) or validate and reject unusually large form fields at the application level.
Vulnerability analysis and critical alerts directly to your inbox.
CVE-2025-61771 is a denial-of-service vulnerability in the Rack library where large multipart form data can cause out-of-memory errors.
You are affected if you are using Rack versions 2.2.9 or earlier and process multipart/form-data requests.
Upgrade to Rack version 2.2.19 or later to resolve the vulnerability. Consider temporary workarounds like WAF rules if immediate upgrade is not possible.
While no widespread exploitation is currently confirmed, the vulnerability's ease of exploitation suggests a potential risk.
Refer to the Ruby Rack project's security advisories and release notes for details: https://rack.rubyforge.org/
Upload your dependency file and we'll tell you instantly if this and other CVEs hit you.
Upload your Gemfile.lock file and we'll tell you instantly if you're affected.