Platform
ruby
Component
rack
Fixed in
2.2.19
2.2.18
CVE-2025-59830 affects the Ruby Rack library, specifically the Rack::QueryParser component. This vulnerability allows attackers to bypass the intended parameter limit in query strings, potentially leading to resource exhaustion and denial of service. The vulnerability impacts Rack versions 2.2.9 and earlier, and a fix is available in version 2.2.18. This issue was publicly disclosed on 2025-09-25.
The core of the vulnerability lies in how Rack::QueryParser handles query string parameters. While it enforces a params_limit to prevent excessive parameter submissions, the code incorrectly counts parameters only when separated by ampersands (&). However, the underlying parsing logic also splits the query string on semicolons (;). This discrepancy allows an attacker to craft a malicious query string using semicolons to bypass the parameter limit and submit a significantly larger number of parameters than intended. This can lead to excessive resource consumption on the server, potentially causing a denial of service. The impact is amplified in applications that heavily rely on query string parameters for processing, as a single malicious request could overwhelm the server.
As of this writing, CVE-2025-59830 is not listed on the CISA KEV catalog. There are no publicly available exploits or active campaigns targeting this vulnerability. The CVSS score of 7.5 (HIGH) indicates a significant potential for exploitation, particularly in environments where Rack is widely used and parameter validation is not robust. Public disclosure occurred on 2025-09-25.
Applications built on Ruby that utilize the Rack library, particularly those that process user-supplied data through query strings without proper input validation, are at risk. Shared hosting environments where multiple applications share the same Rack installation are also vulnerable, as a compromised application could potentially impact others.
• ruby / server:
`ps aux | grep rack`
• ruby / server:
`journalctl -u rack -g "params_limit"`
• generic web:
`curl -I 'http://your-rack-app.com/?param1=value1&param2=value2;param3=value3&param4=value4'`
• generic web:
`grep -i 'params_limit' /var/log/apache2/access.log`
EPSS
0.07% (21st percentile)
The primary mitigation for CVE-2025-59830 is to upgrade to Rack version 2.2.18 or later, which includes the fix for this parameter bypass vulnerability. If upgrading is not immediately feasible, consider implementing a Web Application Firewall (WAF) rule to filter out query strings containing excessive semicolons or parameters. Alternatively, you could implement a proxy-level filter to limit the number of parameters allowed in incoming requests. For detection, monitor application logs for unusually large query strings or requests with a high number of parameters. After upgrading, confirm the fix by sending a crafted query string with a large number of parameters separated by semicolons and verifying that the params_limit is enforced.
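The count mismatch described above, together with the proxy-level parameter limit suggested as a stopgap, as an added Ruby example (not Rack's own code, and it does not need the rack gem to run); the sample query strings, the `ParamsLimitGuard` middleware and the limit of 64 are constructed for illustration:

```ruby
# Added example, not Rack's own code: the limit check the advisory describes
# counts only '&'-separated pairs, while the parser also splits on ';'.
# The helpers below count both ways and give a pre-parse guard that a proxy
# or middleware can apply. Sample query strings and the limit are constructed.

# Counts the way the flawed check does: ampersand-separated pairs only.
def count_pairs_ampersand_only(qs)
  qs.split('&').count { |pair| !pair.empty? }
end

# Counts the way the parser actually splits: on '&' or ';'.
def count_pairs_actual(qs)
  qs.split(/[&;]/).count { |pair| !pair.empty? }
end

# True when the request should be rejected under the given limit.
def exceeds_params_limit?(qs, limit)
  count_pairs_actual(qs) > limit
end

# Rack-style middleware (runs without the rack gem): rejects oversized
# query strings before Rack::QueryParser ever sees them.
class ParamsLimitGuard
  def initialize(app, limit: 64)   # 64 is a constructed limit
    @app = app
    @limit = limit
  end

  def call(env)
    qs = env['QUERY_STRING'].to_s
    if exceeds_params_limit?(qs, @limit)
      return [413, { 'content-type' => 'text/plain' }, ['too many query parameters']]
    end
    @app.call(env)
  end
end

# Constructed inputs: 100 pairs joined by ';' versus 100 pairs joined by '&'.
SEMICOLON_QS = (1..100).map { |i| "p#{i}=#{i}" }.join(';')
AMPERSAND_QS = (1..100).map { |i| "p#{i}=#{i}" }.join('&')

if __FILE__ == $0
  puts count_pairs_ampersand_only(SEMICOLON_QS)  # 1   (the undercount)
  puts count_pairs_actual(SEMICOLON_QS)          # 100
  puts exceeds_params_limit?(SEMICOLON_QS, 64)   # true
  app = ->(_env) { [200, {}, ['ok']] }
  puts ParamsLimitGuard.new(app).call('QUERY_STRING' => SEMICOLON_QS)[0]  # 413
end
```

The same guard doubles as a post-upgrade check: if a patched Rack still lets `SEMICOLON_QS` through with more than the configured limit, the fix is not in place.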
Update the Rack gem to version 2.2.18 or later. This resolves the vulnerability that allows the parameter limit to be bypassed through the use of semicolon separators. Run `gem update rack` to update to the latest version.
CVE-2025-59830 is a HIGH severity vulnerability in Ruby Rack versions 2.2.9 and earlier, allowing attackers to bypass the parameter limit in query strings using semicolons instead of ampersands.
You are affected if you are using Rack version 2.2.9 or earlier. Check your Rack version and upgrade if necessary.
Upgrade to Rack version 2.2.18 or later to resolve the vulnerability. Consider WAF rules as a temporary workaround if upgrading is not immediately possible.
As of the current date, there are no confirmed reports of active exploitation, but the vulnerability's severity warrants prompt remediation.
Refer to the official Ruby Rack project website and security advisories for the latest information and updates regarding CVE-2025-59830.