Platform
ruby
Component
rack
Fixed in
2.2.20
3.1.1
3.2.1
2.2.19
CVE-2025-61771 describes a Denial of Service (DoS) vulnerability within the Rack::Multipart::Parser component of the Ruby Rack library. Attackers can exploit this by sending excessively large non-file form fields within a multipart/form-data request, leading to out-of-memory (OOM) conditions and potential service disruption. The vulnerability affects Rack versions 2.2.9 and earlier; a fix is available in version 2.2.19.
The core issue lies in how Rack::Multipart::Parser handles non-file form fields. Unlike file parts, which are streamed to temporary files, these non-file fields are stored entirely in memory as Ruby String objects. An attacker can craft a request containing a single, very large text field (hundreds of megabytes or more) within the multipart/form-data payload. This will cause the Rack application to allocate a significant amount of memory to store the field, potentially exceeding available resources and triggering an out-of-memory error. The impact is a denial of service, rendering the Rack application or the entire web server unresponsive. This could disrupt critical services and potentially lead to data loss if the application was in the process of handling sensitive information.
This vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, but the potential for exploitation exists given the ease of crafting a malicious multipart/form-data request. The vulnerability's impact is primarily denial of service, but the disruption could be significant for applications heavily reliant on Rack for handling form data. The severity is rated HIGH due to the potential for widespread impact.
Applications and services built on Ruby Rack, particularly those handling user-uploaded data or processing large form submissions, are at risk. Shared hosting environments where multiple applications share the same server resources are especially vulnerable, as a single malicious request could impact all hosted applications. Legacy Rack deployments using older versions are also at increased risk.
• linux / server:
journalctl -u your_rack_app -g 'out of memory' --since "1 hour ago"
• generic web:
curl -v -X POST -F 'large_field=ThisIsAVeryLongString' http://your-rack-app/form_handler 2>&1 | grep -i 'out of memory'
Disclosure
Exploit Status
EPSS
0.10% (27th percentile)
CISA SSVC
CVSS vector
The primary mitigation is to upgrade to Rack version 2.2.19 or later, which addresses the vulnerability by limiting the size of non-file form fields. If upgrading is not immediately feasible, consider implementing temporary workarounds. One approach is to configure the web server or application to limit the maximum size of multipart/form-data requests. Another option is to implement a WAF (Web Application Firewall) rule to block requests exceeding a certain size threshold. Carefully test any configuration changes to avoid unintended consequences. After upgrading, confirm the fix by sending a large multipart/form-data request and verifying that the application does not experience an out-of-memory error.
Upgrade the `rack` gem to version 2.2.19, 3.1.17 or 3.2.2 or later. This limits the size of non-file fields in multipart/form-data requests. Alternatively, you can restrict the maximum request body size at the web server or proxy (e.g. Nginx `client_max_body_size`) or validate and reject unusually large form fields at the application level.
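The application-level workaround described above (reject oversized multipart/form-data requests before they reach the parser) can be done with a small Rack-style middleware. The following is an added example written for this page, not code from the Rack project; the class name `MultipartBodyLimit`, the `limit:` option, the 10 MiB default and the sample request environments are all assumptions. It relies only on the CGI-style keys a Rack server puts in `env`, so it runs without the `rack` gem installed.

```ruby
require 'stringio'

# Hypothetical middleware: reject multipart/form-data requests whose declared
# body size exceeds a limit, so Rack::Multipart::Parser never has to buffer a
# huge non-file field in memory. Not part of Rack itself.
class MultipartBodyLimit
  DEFAULT_LIMIT = 10 * 1024 * 1024 # 10 MiB; assumed threshold, tune per app

  def initialize(app, limit: DEFAULT_LIMIT)
    @app = app
    @limit = limit
  end

  def call(env)
    if multipart?(env) && too_large?(env)
      # 413 Payload Too Large, returned before any multipart parsing happens
      return [413, { 'content-type' => 'text/plain' }, ["Payload Too Large\n"]]
    end
    @app.call(env)
  end

  private

  def multipart?(env)
    env['CONTENT_TYPE'].to_s.downcase.start_with?('multipart/form-data')
  end

  # Content-Length is client-supplied, but the server reads at most that many
  # bytes, so it is a usable upper bound. A chunked (length-less) or malformed
  # multipart request is treated as oversized rather than passed through.
  def too_large?(env)
    length = env['CONTENT_LENGTH']
    return true if length.nil? || length.to_s.strip.empty?
    Integer(length) > @limit
  rescue ArgumentError
    true
  end
end

# Constructed sample environments (not captured traffic): the body itself is
# empty because the guard only looks at the headers the server already parsed.
def sample_env(content_type, content_length)
  {
    'REQUEST_METHOD' => 'POST',
    'CONTENT_TYPE' => content_type,
    'CONTENT_LENGTH' => content_length,
    'rack.input' => StringIO.new('')
  }
end

INNER_APP = ->(_env) { [200, { 'content-type' => 'text/plain' }, ["ok\n"]] }
GUARDED_APP = MultipartBodyLimit.new(INNER_APP, limit: 1024) # 1 KiB for the demo

# Returns the HTTP status the guarded stack produces for a given request.
def status_for(content_type, content_length)
  GUARDED_APP.call(sample_env(content_type, content_length)).first
end

if __FILE__ == $PROGRAM_NAME
  puts status_for('multipart/form-data; boundary=abc', '512')      # 200
  puts status_for('multipart/form-data; boundary=abc', '10485760') # 413
  puts status_for('application/json', '10485760')                  # 200
end
```

In a real deployment the middleware is added with `use MultipartBodyLimit, limit: ...` in `config.ru` ahead of the application. The check is intentionally coarse: it bounds the whole body, not individual fields, so it is a stop-gap until the fixed Rack release is deployed, and the limit must be set high enough for legitimate file uploads the application accepts.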
CVE-2025-61771 is a denial-of-service vulnerability in the Rack library where large multipart form data can cause out-of-memory errors.
You are affected if you are using Rack versions 2.2.9 or earlier and process multipart/form-data requests.
Upgrade to Rack version 2.2.19 or later to resolve the vulnerability. Consider temporary workarounds like WAF rules if immediate upgrade is not possible.
While no widespread exploitation is currently confirmed, the vulnerability's ease of exploitation suggests a potential risk.
Refer to the Ruby Rack project's security advisories and release notes for details: https://rack.rubyforge.org/