rack
Fixed versions
2.2.15
3.0.1
3.1.1
2.2.14
CVE-2025-46727 describes a Denial of Service (DoS) vulnerability in Rack, the Ruby web server interface that most Ruby web frameworks build on. The flaw is that Rack::QueryParser places no limit on the number of parameters it will parse from a query string or an application/x-www-form-urlencoded body, so a single request can force the server to decode and store an attacker-chosen number of key/value pairs. Exploitation leads to resource exhaustion and application instability. Versions of Rack before 2.2.14 are affected; the fix ships in 2.2.14.
An attacker exploits this by sending HTTP requests that contain an exceptionally large number of parameters, either in the query string or in a form-encoded body. Before the fix, Rack::QueryParser, the component responsible for parsing these requests, had no safeguard limiting the parameter count and processed every pair it was given. That unchecked work consumes CPU and memory on the application server, and because parsing happens inside the request-handling thread, a small number of such requests can occupy every worker and deny service to everyone else. The impact extends to any web application built on Rack, since the vulnerability is in the library itself rather than in application code. The severity is high because exploitation requires nothing more than an oversized request and the disruption can be widespread. No data is exposed, but a successful DoS renders the application unavailable to legitimate users and can mask other malicious activity.
CVE-2025-46727 was published on 2025-05-08 and is rated HIGH (CVSS 7.5). There is currently no indication of active exploitation in the wild and it is not listed in the CISA KEV catalog; its EPSS score is 0.81% (74th percentile). Public proof-of-concept (PoC) code is not yet widely available, but the nature of the flaw makes it straightforward to exploit.
Exploitation status
EPSS
0.81% (74th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-46727 is to upgrade to Rack version 2.2.14 or later, which includes the fix. If an immediate upgrade is not feasible, place a reverse proxy or Web Application Firewall (WAF) in front of the application and reject requests that carry an excessive number of parameters; a fixed threshold such as 1000 parameters is a reasonable starting point, tuned to the largest legitimate form the application serves. Because the number of parameters is bounded by the number of bytes, a cap on query-string length and request body size gives a cheaper, coarser backstop. Also review application code that handles parameters and add input validation that limits the size and number of parameters it accepts. After upgrading, confirm the fix in a non-production environment by sending a request with a very large number of parameters and verifying that the application rejects or handles it without resource exhaustion or a crash.
Update the `rack` gem to version 2.2.14 or later. Alternatively, implement a middleware that limits the size of the query string or the number of parameters. You can also use a reverse proxy such as Nginx to limit request size and reject oversized query strings or request bodies.
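The middleware mitigation suggested in the two paragraphs above, as an added example that is not Rack's own fix and not code from this page: a Rack middleware that counts separator characters in the query string and in a form-encoded body with one linear scan and answers 413 when either exceeds a limit, before Rack::QueryParser ever runs. The class name, the default limits, the 413 reply, the stand-in application and the request inputs are all this example's own assumptions; the inputs are constructed so the file runs offline without the rack gem installed. It also counts `;`, which Rack 2.x treats as a query-string separator alongside `&`, so an attacker cannot sidestep the count by switching separators.

```ruby
require "stringio"

# Rack middleware that bounds the number of parameters in the query string and
# in an application/x-www-form-urlencoded body before the request reaches
# Rack::QueryParser. Added example, not Rack's own fix: class name, default
# limits and the 413 reply are assumptions made here.
class ParamCountLimiter
  FORM_TYPE = "application/x-www-form-urlencoded".freeze

  # limit: maximum parameter pairs accepted in the query string, and separately
  # in a form body (1000 mirrors the illustrative WAF threshold above).
  # max_form_bytes: most form-body bytes read before rejecting the request;
  # parameter count is bounded by body size, so this is a second backstop.
  def initialize(app, limit: 1000, max_form_bytes: 1_048_576)
    @app = app
    @limit = limit
    @max_form_bytes = max_form_bytes
  end

  def call(env)
    if pair_count(env["QUERY_STRING"].to_s) > @limit
      return reject("too many query parameters")
    end

    if form_body?(env)
      # Trust Content-Length only to reject early; a missing or lying header is
      # still caught by the capped read below.
      return reject("form body too large") if env["CONTENT_LENGTH"].to_i > @max_form_bytes

      input = env["rack.input"]
      body = input ? input.read(@max_form_bytes + 1).to_s : ""
      return reject("form body too large") if body.bytesize > @max_form_bytes
      return reject("too many form parameters") if pair_count(body) > @limit

      # Downstream code expects to read the body itself, so replace the consumed
      # stream with a rewound copy of exactly what was inspected.
      env["rack.input"] = StringIO.new(body)
    end

    @app.call(env)
  end

  private

  # One linear scan, no decoding and no per-parameter allocation, so the check
  # cannot itself become the resource exhaustion it prevents. Both '&' and ';'
  # are counted because Rack 2.x splits query strings on either character.
  def pair_count(str)
    return 0 if str.empty?
    str.count("&;") + 1
  end

  def form_body?(env)
    env["CONTENT_TYPE"].to_s.split(";").first.to_s.strip.downcase == FORM_TYPE
  end

  def reject(message)
    body = "#{message}\n"
    [413, { "content-type" => "text/plain", "content-length" => body.bytesize.to_s }, [body]]
  end
end

# Constructed input: a query string with `count` parameters, shaped like the
# oversized requests the advisory describes.
def build_query(count)
  Array.new(count) { |i| "p#{i}=1" }.join("&")
end

# Stand-in application (an assumption of this example). It reads the body so
# the caller can confirm the middleware left a readable stream behind.
INNER_APP = lambda do |env|
  input = env["rack.input"]
  seen = input ? input.read.to_s : ""
  [200, { "content-type" => "text/plain" }, ["ok #{seen.count('&')}"]]
end

# Drives one request through the middleware with a hand-built Rack env.
def run_request(query: "", body: nil, limit: 1000)
  env = {
    "REQUEST_METHOD" => body ? "POST" : "GET",
    "QUERY_STRING" => query,
    "rack.input" => StringIO.new(body.to_s),
  }
  if body
    env["CONTENT_TYPE"] = "application/x-www-form-urlencoded; charset=UTF-8"
    env["CONTENT_LENGTH"] = body.bytesize.to_s
  end
  ParamCountLimiter.new(INNER_APP, limit: limit).call(env)
end

if __FILE__ == $PROGRAM_NAME
  puts run_request(query: build_query(10)).first       # 200
  puts run_request(query: build_query(50_000)).first   # 413
  puts run_request(body: build_query(50_000)).first    # 413
end
```

In a real deployment the middleware goes at the top of the stack (`use ParamCountLimiter, limit: 1000` in config.ru) so it runs before anything that calls `request.params`. It only covers the two inputs the advisory names, query strings and urlencoded bodies, and it is a stop-gap: the upgrade to 2.2.14 is still required.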
CVE-2025-46727 is a Denial of Service vulnerability in Rack, the Ruby web server interface. It allows attackers to exhaust server resources by sending requests with a very large number of parameters, and it affects versions before 2.2.14.
You are potentially affected if your application uses a Rack version earlier than 2.2.14. Check the installed release with bundle exec ruby -e 'require "rack"; puts Rack.release' (Rack.version reports the Rack specification version, not the gem release), or look up the rack entry in your Gemfile.lock.
Upgrade to Rack version 2.2.14 or later to resolve the vulnerability. If an immediate upgrade is not possible, use a WAF or a Rack middleware to limit the number of parameters accepted per request.
There is currently no public evidence of CVE-2025-46727 being actively exploited in the wild, but its ease of exploitation warrants proactive mitigation.
Refer to the Rack project's repository and security advisories for the latest information: https://github.com/rack/rack