Platform: ruby
Component: rack
Fixed in: 2.2.21, 3.0.1, 3.2.1, 2.2.20
CVE-2025-61919 describes a Denial of Service (DoS) vulnerability within the Ruby Rack framework. This flaw arises from the Rack::Request#POST method's handling of large application/x-www-form-urlencoded requests, which can lead to memory exhaustion. The vulnerability impacts Rack versions 2.2.9 and earlier, and a fix is available in version 2.2.20.
An attacker can exploit this vulnerability by sending a large POST request with the application/x-www-form-urlencoded Content-Type. Because the affected Rack versions apply no length or memory limit when parsing such a body, the entire request body is read into memory. This can quickly exhaust available memory, leading to a denial of service. The impact is significant: the application can become unresponsive, disrupting service for its users. The severity stems from how easy the condition is to trigger, since crafting a large POST request is sufficient. This resembles other memory exhaustion vulnerabilities in which oversized inputs are used to crash services.
This CVE was published on 2025-10-10. There is currently no indication of active exploitation or inclusion in the CISA KEV catalog. Public proof-of-concept (PoC) code is not yet available, but the vulnerability's simplicity suggests it could be easily exploited. The EPSS score is likely to be assessed as medium due to the ease of exploitation and potential impact.
Exploit Status
EPSS: 0.22% (44th percentile)
CISA SSVC
The primary mitigation for CVE-2025-61919 is to upgrade to Rack version 2.2.20 or later, which includes a fix for this memory exhaustion issue. If upgrading is not immediately feasible, consider implementing a reverse proxy or WAF with request size limits. Configure the proxy or WAF to reject requests exceeding a reasonable size threshold (e.g., 1MB or 2MB) for application/x-www-form-urlencoded requests. Additionally, review application code to ensure it handles large POST requests gracefully and doesn't rely on unbounded memory allocation. After upgrading, confirm the fix by sending a large POST request and verifying that the application does not crash or exhibit signs of memory exhaustion.
Update the Rack gem to version 2.2.20, 3.1.18, or 3.2.3 or higher. This corrects the memory exhaustion denial-of-service vulnerability. As an additional measure, configure strict maximum request body size limits on your proxy or web server (e.g., Nginx `client_max_body_size`, Apache `LimitRequestBody`).
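The request-size limit described above can also be enforced inside the Ruby process, in front of the application, for deployments that cannot change the proxy configuration. The middleware below is an added example and is not code from the Rack project or from this advisory: it follows Rack's `call(env)` convention and returns 413 for any application/x-www-form-urlencoded request whose declared Content-Length exceeds a configurable limit, so Rack::Request#POST never sees the oversized body. The class name `FormBodyLimit`, the default 1 MiB threshold (taken from the advisory's suggested range) and the choice to reject form requests that declare no Content-Length are assumptions of this example. It uses plain Hashes for `env`, so it runs without the rack gem installed.

```ruby
# Added example (not from the Rack project or the advisory): reject oversized
# application/x-www-form-urlencoded bodies before the application reads them.
class FormBodyLimit
  DEFAULT_LIMIT = 1024 * 1024 # 1 MiB; assumed default, within the advisory's 1-2 MB range
  FORM_TYPE = "application/x-www-form-urlencoded"

  def initialize(app, limit: DEFAULT_LIMIT)
    @app = app
    @limit = limit
  end

  # Rack convention: env Hash in, [status, headers, body] out.
  def call(env)
    if form_request?(env) && oversized?(env)
      return [413, { "content-type" => "text/plain" }, ["Payload Too Large\n"]]
    end
    @app.call(env)
  end

  private

  # Compare only the media type; parameters such as "; charset=utf-8" are ignored.
  def form_request?(env)
    media_type = env["CONTENT_TYPE"].to_s.split(";").first.to_s.strip.downcase
    media_type == FORM_TYPE
  end

  # Decide on the declared Content-Length so nothing is buffered first.
  # A form request with no declared length cannot be bounded up front, so this
  # example treats it as oversized (a deliberate, conservative choice).
  def oversized?(env)
    length = env["CONTENT_LENGTH"].to_s
    return true if length.empty?
    length.to_i > @limit
  end
end

# Stand-alone demonstration with a constructed downstream app and constructed
# request environments; run with `ruby form_body_limit.rb`.
if __FILE__ == $0
  app = ->(_env) { [200, { "content-type" => "text/plain" }, ["ok\n"]] }
  limited = FormBodyLimit.new(app, limit: 1024)

  big_form = { "CONTENT_TYPE" => FormBodyLimit::FORM_TYPE, "CONTENT_LENGTH" => "2048" }
  small_form = { "CONTENT_TYPE" => "#{FormBodyLimit::FORM_TYPE}; charset=utf-8", "CONTENT_LENGTH" => "512" }
  big_json = { "CONTENT_TYPE" => "application/json", "CONTENT_LENGTH" => "2048" }

  [big_form, small_form, big_json].each do |env|
    status, = limited.call(env)
    puts "#{env['CONTENT_TYPE']} (#{env['CONTENT_LENGTH']} bytes) -> #{status}"
  end
end
```

To enable it for a Rack application, add `use FormBodyLimit, limit: 2 * 1024 * 1024` to `config.ru` before the `run` line, choosing a limit that matches the largest form your application legitimately accepts. Only form-encoded bodies are checked here because that is the parsing path the advisory names; a proxy limit such as Nginx `client_max_body_size` still belongs in front of it, since a size check inside the process only protects the parsing step and not the socket buffering done by the web server.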
CVE-2025-61919 is a denial-of-service vulnerability in the Ruby Rack framework where large POST requests can exhaust memory, leading to application crashes. It affects versions 2.2.9 and earlier.
You are affected if you are using Rack version 2.2.9 or earlier. Check your Rack version and upgrade if necessary.
Upgrade to Rack version 2.2.20 or later. As a temporary workaround, implement request size limits using a reverse proxy or WAF.
There is currently no confirmed active exploitation, but the vulnerability's simplicity suggests it could be easily exploited.
Refer to the official Ruby Rack project website and security advisories for updates and further information.
CVSS Vector