Platform: ruby
Component: rack
Fixed in: 2.2.20, 3.1.1, 3.2.1, 2.2.19
CVE-2025-61772 describes a Denial of Service (DoS) vulnerability within the Rack::Multipart::Parser component of the Rack library. An attacker can trigger this vulnerability by sending a malformed multipart request with a header block that lacks the required blank line terminator (CRLFCRLF), leading to memory exhaustion. This affects Rack versions 2.2.9 and earlier; a fix is available in version 2.2.19.
The primary impact of CVE-2025-61772 is a denial of service. An attacker can craft a specially designed multipart request that causes the Rack::Multipart::Parser to continuously append data to memory without any size limits. This unbounded memory allocation can quickly exhaust available resources, leading to application crashes, service unavailability, and potentially impacting other services sharing the same infrastructure. The attack is relatively simple to execute, requiring only the ability to send HTTP requests. Successful exploitation could disrupt critical web applications relying on Rack, potentially causing significant operational downtime.
CVE-2025-61772 was publicly disclosed on 2025-10-07. There is no indication of active exploitation or inclusion in the CISA KEV catalog at the time of writing. Public proof-of-concept (PoC) code is likely to emerge given the vulnerability's simplicity, increasing the risk of exploitation. The NVD entry is available and provides further details.
Exploit Status
EPSS: 0.19% (41st percentile)
The recommended mitigation for CVE-2025-61772 is to upgrade to Rack version 2.2.19 or later, which includes a fix for the unbounded memory allocation. If upgrading is not immediately feasible, consider implementing input validation to reject multipart requests with excessively long header blocks. Web Application Firewalls (WAFs) can be configured to filter requests with unusually large header sizes. Monitoring memory usage on the affected systems is also crucial to detect potential DoS attacks. While a direct detection signature is difficult to write, monitoring for unusually high memory consumption by the Rack process is a practical detection approach.
Update the Rack gem to version 2.2.19, 3.1.17, 3.2.2 or higher. This will limit the size of multipart headers per part. Alternatively, restrict the maximum request size at the proxy or web server layer (e.g., Nginx `client_max_body_size`).
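As an added example (not Rack's own code), a pre-parse check that implements the "reject multipart requests with excessively long header blocks" mitigation described above: a scanner that requires every part's header block to reach its CRLFCRLF terminator within a bounded number of bytes, plus a hypothetical middleware that returns 413 before Rack::Multipart::Parser ever sees the body. The 4096-byte limit, the middleware name and the method name are assumptions.

```ruby
require 'stringio'

MAX_PART_HEADER_BYTES = 4096  # assumed per-part header limit; not a Rack constant

# Scan a multipart body before parsing: every part's header block must end
# with CRLFCRLF within max_bytes of its boundary line and before the next
# boundary. A part missing the terminator (the CVE-2025-61772 trigger) or
# carrying an oversized header block makes this return false.
def multipart_headers_bounded?(body, boundary, max_bytes = MAX_PART_HEADER_BYTES)
  body = body.b                       # byte-wise scan, independent of encoding
  delimiter = "--#{boundary}".b
  pos = 0
  while (start = body.index(delimiter, pos))
    line_end = body.index("\r\n", start)
    return true if line_end.nil?                                  # truncated tail
    return true if body[start + delimiter.bytesize, 2] == "--"    # closing delimiter
    terminator = body.index("\r\n\r\n", line_end)
    next_delim = body.index("\r\n".b + delimiter, line_end)
    # Reject if the terminator is absent, belongs to a later part, or is too far away
    return false if terminator.nil? || (next_delim && terminator > next_delim)
    return false if terminator - line_end > max_bytes
    pos = terminator + 4
  end
  true
end

# Hypothetical Rack middleware (not part of Rack) that applies the check and
# answers 413 before the multipart parser runs.
class BoundedMultipartHeaders
  def initialize(app, max_bytes: MAX_PART_HEADER_BYTES)
    @app = app
    @max_bytes = max_bytes
  end

  def call(env)
    ctype = env['CONTENT_TYPE'].to_s
    if (m = ctype.match(%r{\Amultipart/.*;\s*boundary="?([^";]+)"?}i))
      body = env['rack.input'].read
      env['rack.input'] = StringIO.new(body)  # hand downstream a fresh stream
      unless multipart_headers_bounded?(body, m[1], @max_bytes)
        return [413, { 'content-type' => 'text/plain' }, ["multipart header block too large\n"]]
      end
    end
    @app.call(env)
  end
end
```

The middleware reads the body once up front, so it belongs behind the proxy-level request-size limit mentioned above rather than in place of it.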
CVE-2025-61772 is a denial-of-service vulnerability in the Rack::Multipart::Parser component of the Rack library, allowing attackers to exhaust memory by sending malformed multipart requests.
You are affected if you are using Rack versions 2.2.9 or earlier. Upgrade to 2.2.19 or later to resolve the vulnerability.
Upgrade to Rack version 2.2.19 or later. As a temporary workaround, implement input validation to reject multipart requests with excessively long headers.
There is currently no confirmed evidence of active exploitation, but the vulnerability's simplicity suggests a risk of future attacks.
Refer to the official Rack project website and security advisories for the latest information and updates regarding CVE-2025-61772.