Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:gem/rack@3.0.0.rc1
Typegem
Namespace
Namerack
Version3.0.0.rc1
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version3.1.20
Latest_non_vulnerable_version3.2.6
Affected_by_vulnerabilities
0
url VCID-7p12-ejdu-uqgy
vulnerability_id VCID-7p12-ejdu-uqgy
summary 
Escape Sequence Injection vulnerability in Rack lead to Possible Log Injection
## Summary

`Rack::Sendfile` can be exploited by crafting input that includes newline characters to manipulate log entries.

## Details

The `Rack::Sendfile` middleware logs unsanitized header values from the `X-Sendfile-Type` header. An attacker can exploit this by injecting escape sequences (such as newline characters) into the header, resulting in log injection.

## Impact

This vulnerability can distort log files, obscure attack traces, and complicate security auditing.

## Mitigation

- Update to the latest version of Rack, or
- Remove usage of `Rack::Sendfile`.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27111.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27111.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-27111
reference_id
reference_type
scores
0
value 0.00429
scoring_system epss
scoring_elements 0.62462
published_at 2026-04-04T12:55:00Z
1
value 0.00429
scoring_system epss
scoring_elements 0.62516
published_at 2026-04-11T12:55:00Z
2
value 0.00429
scoring_system epss
scoring_elements 0.62429
published_at 2026-04-07T12:55:00Z
3
value 0.00429
scoring_system epss
scoring_elements 0.6248
published_at 2026-04-08T12:55:00Z
4
value 0.00429
scoring_system epss
scoring_elements 0.62431
published_at 2026-04-02T12:55:00Z
5
value 0.00429
scoring_system epss
scoring_elements 0.62496
published_at 2026-04-09T12:55:00Z
6
value 0.00575
scoring_system epss
scoring_elements 0.68747
published_at 2026-04-13T12:55:00Z
7
value 0.00604
scoring_system epss
scoring_elements 0.6959
published_at 2026-04-12T12:55:00Z
8
value 0.00668
scoring_system epss
scoring_elements 0.71305
published_at 2026-04-21T12:55:00Z
9
value 0.00668
scoring_system epss
scoring_elements 0.71326
published_at 2026-04-18T12:55:00Z
10
value 0.00668
scoring_system epss
scoring_elements 0.7132
published_at 2026-04-16T12:55:00Z
11
value 0.008
scoring_system epss
scoring_elements 0.74143
published_at 2026-04-26T12:55:00Z
12
value 0.008
scoring_system epss
scoring_elements 0.74135
published_at 2026-04-24T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-27111
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27111
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27111
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://github.com/rack/rack/commit/803aa221e8302719715e224f4476e438f2531a53
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-04T15:44:28Z/
url https://github.com/rack/rack/commit/803aa221e8302719715e224f4476e438f2531a53
6
reference_url https://github.com/rack/rack/commit/aeac570bb8080ca7b53b7f2e2f67498be7ebd30b
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-04T15:44:28Z/
url https://github.com/rack/rack/commit/aeac570bb8080ca7b53b7f2e2f67498be7ebd30b
7
reference_url https://github.com/rack/rack/commit/b13bc6bfc7506aca3478dc5ac1c2ec6fc53f82a3
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-04T15:44:28Z/
url https://github.com/rack/rack/commit/b13bc6bfc7506aca3478dc5ac1c2ec6fc53f82a3
8
reference_url https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-04T15:44:28Z/
url https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v
9
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-27111.yml
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-27111.yml
10
reference_url https://lists.debian.org/debian-lts-announce/2025/03/msg00016.html
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/03/msg00016.html
11
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-27111
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-27111
12
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1099546
reference_id 1099546
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1099546
13
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2349810
reference_id 2349810
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2349810
14
reference_url https://github.com/advisories/GHSA-8cgq-6mh2-7j6v
reference_id GHSA-8cgq-6mh2-7j6v
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8cgq-6mh2-7j6v
15
reference_url https://usn.ubuntu.com/7366-1/
reference_id USN-7366-1
reference_type
scores
url https://usn.ubuntu.com/7366-1/
16
reference_url https://usn.ubuntu.com/7366-2/
reference_id USN-7366-2
reference_type
scores
url https://usn.ubuntu.com/7366-2/
fixed_packages
0
url pkg:gem/rack@3.0.13
purl pkg:gem/rack@3.0.13
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-47ja-djzb-2bbw
1
vulnerability VCID-7wvj-9h3p-23am
2
vulnerability VCID-9rpp-9xss-duf6
3
vulnerability VCID-azu5-jcmd-3ufx
4
vulnerability VCID-c5sc-7qnn-mkb9
5
vulnerability VCID-d58r-22kr-9bct
6
vulnerability VCID-npag-sz7d-v7b6
7
vulnerability VCID-s971-gkdg-jkhc
8
vulnerability VCID-skxv-7he3-xqgc
9
vulnerability VCID-wt7k-s1yd-nke6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.13
1
url pkg:gem/rack@3.1.11
purl pkg:gem/rack@3.1.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-47ja-djzb-2bbw
1
vulnerability VCID-7wvj-9h3p-23am
2
vulnerability VCID-9rpp-9xss-duf6
3
vulnerability VCID-azu5-jcmd-3ufx
4
vulnerability VCID-c5sc-7qnn-mkb9
5
vulnerability VCID-d58r-22kr-9bct
6
vulnerability VCID-npag-sz7d-v7b6
7
vulnerability VCID-s971-gkdg-jkhc
8
vulnerability VCID-skxv-7he3-xqgc
9
vulnerability VCID-wt7k-s1yd-nke6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.11
aliases CVE-2025-27111, GHSA-8cgq-6mh2-7j6v
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7p12-ejdu-uqgy
1
url VCID-7wvj-9h3p-23am
vulnerability_id VCID-7wvj-9h3p-23am
summary 
ReDoS Vulnerability in Rack::Multipart handle_mime_head
### Summary
There is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This is very similar to the previous security issue CVE-2022-44571.

### Details

Carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is used typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.

### Credits

Thanks to [scyoon](https://hackerone.com/scyoon) for reporting this to the Rails security team
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-49007.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-49007.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-49007
reference_id
reference_type
scores
0
value 0.00569
scoring_system epss
scoring_elements 0.68643
published_at 2026-04-26T12:55:00Z
1
value 0.00569
scoring_system epss
scoring_elements 0.68638
published_at 2026-04-24T12:55:00Z
2
value 0.00569
scoring_system epss
scoring_elements 0.68589
published_at 2026-04-21T12:55:00Z
3
value 0.00569
scoring_system epss
scoring_elements 0.68611
published_at 2026-04-18T12:55:00Z
4
value 0.00569
scoring_system epss
scoring_elements 0.686
published_at 2026-04-16T12:55:00Z
5
value 0.00569
scoring_system epss
scoring_elements 0.6856
published_at 2026-04-13T12:55:00Z
6
value 0.00569
scoring_system epss
scoring_elements 0.6859
published_at 2026-04-12T12:55:00Z
7
value 0.00569
scoring_system epss
scoring_elements 0.68602
published_at 2026-04-11T12:55:00Z
8
value 0.00569
scoring_system epss
scoring_elements 0.68576
published_at 2026-04-09T12:55:00Z
9
value 0.00569
scoring_system epss
scoring_elements 0.68558
published_at 2026-04-08T12:55:00Z
10
value 0.00569
scoring_system epss
scoring_elements 0.68528
published_at 2026-04-04T12:55:00Z
11
value 0.00569
scoring_system epss
scoring_elements 0.6851
published_at 2026-04-02T12:55:00Z
12
value 0.00569
scoring_system epss
scoring_elements 0.68507
published_at 2026-04-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-49007
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
4
reference_url https://github.com/rack/rack/commit/4795831a0a310c2d31102749e551b38faab6401f
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-05T13:20:37Z/
url https://github.com/rack/rack/commit/4795831a0a310c2d31102749e551b38faab6401f
5
reference_url https://github.com/rack/rack/commit/aed514df37e33907df3c971ed3ca9a0a20ac2901
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-05T13:20:37Z/
url https://github.com/rack/rack/commit/aed514df37e33907df3c971ed3ca9a0a20ac2901
6
reference_url https://github.com/rack/rack/security/advisories/GHSA-47m2-26rw-j2jw
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-05T13:20:37Z/
url https://github.com/rack/rack/security/advisories/GHSA-47m2-26rw-j2jw
7
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-49007.yml
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-49007.yml
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-49007
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-49007
9
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107363
reference_id 1107363
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107363
10
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2370346
reference_id 2370346
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2370346
11
reference_url https://github.com/advisories/GHSA-47m2-26rw-j2jw
reference_id GHSA-47m2-26rw-j2jw
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-47m2-26rw-j2jw
fixed_packages
0
url pkg:gem/rack@3.1.16
purl pkg:gem/rack@3.1.16
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7wvj-9h3p-23am
1
vulnerability VCID-9rpp-9xss-duf6
2
vulnerability VCID-azu5-jcmd-3ufx
3
vulnerability VCID-c5sc-7qnn-mkb9
4
vulnerability VCID-d58r-22kr-9bct
5
vulnerability VCID-npag-sz7d-v7b6
6
vulnerability VCID-s971-gkdg-jkhc
7
vulnerability VCID-skxv-7he3-xqgc
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.16
aliases CVE-2025-49007, GHSA-47m2-26rw-j2jw
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7wvj-9h3p-23am
2
url VCID-9rpp-9xss-duf6
vulnerability_id VCID-9rpp-9xss-duf6
summary 
Rack has a Directory Traversal via Rack:Directory
## Summary

`Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root.

## Details

In `directory.rb`, `File.expand_path(File.join(root, path_info)).start_with?(root)` does not enforce a path boundary. If the server root is `/var/www/root`, a path like `/var/www/root_backup` passes the check because it shares the same prefix, so `Rack::Directory` will list that directory also. 

## Impact

Information disclosure via directory listing outside the configured root when `Rack::Directory` is exposed to untrusted clients and a directory shares the root prefix (e.g., `public2`, `www_backup`).

## Mitigation

* Update to a patched version of Rack that correctly checks the root prefix.
* Don't name directories with the same prefix as one which is exposed via `Rack::Directory`.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22860.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22860.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-22860
reference_id
reference_type
scores
0
value 0.001
scoring_system epss
scoring_elements 0.27495
published_at 2026-04-26T12:55:00Z
1
value 0.001
scoring_system epss
scoring_elements 0.27862
published_at 2026-04-02T12:55:00Z
2
value 0.001
scoring_system epss
scoring_elements 0.27903
published_at 2026-04-04T12:55:00Z
3
value 0.001
scoring_system epss
scoring_elements 0.27695
published_at 2026-04-07T12:55:00Z
4
value 0.001
scoring_system epss
scoring_elements 0.27762
published_at 2026-04-08T12:55:00Z
5
value 0.001
scoring_system epss
scoring_elements 0.27805
published_at 2026-04-09T12:55:00Z
6
value 0.001
scoring_system epss
scoring_elements 0.27811
published_at 2026-04-11T12:55:00Z
7
value 0.001
scoring_system epss
scoring_elements 0.27769
published_at 2026-04-12T12:55:00Z
8
value 0.001
scoring_system epss
scoring_elements 0.27712
published_at 2026-04-13T12:55:00Z
9
value 0.001
scoring_system epss
scoring_elements 0.2772
published_at 2026-04-16T12:55:00Z
10
value 0.001
scoring_system epss
scoring_elements 0.27694
published_at 2026-04-18T12:55:00Z
11
value 0.001
scoring_system epss
scoring_elements 0.27655
published_at 2026-04-21T12:55:00Z
12
value 0.001
scoring_system epss
scoring_elements 0.27602
published_at 2026-04-24T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-22860
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22860
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22860
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-18T19:27:31Z/
url https://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7
6
reference_url https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-18T19:27:31Z/
url https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh
7
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-22860.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-22860.yml
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-22860
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-22860
9
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128479
reference_id 1128479
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128479
10
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2440737
reference_id 2440737
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2440737
11
reference_url https://github.com/advisories/GHSA-mxw3-3hh2-x2mh
reference_id GHSA-mxw3-3hh2-x2mh
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mxw3-3hh2-x2mh
12
reference_url https://usn.ubuntu.com/8066-1/
reference_id USN-8066-1
reference_type
scores
url https://usn.ubuntu.com/8066-1/
fixed_packages
0
url pkg:gem/rack@3.1.20
purl pkg:gem/rack@3.1.20
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.20
1
url pkg:gem/rack@3.2.5
purl pkg:gem/rack@3.2.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.5
aliases CVE-2026-22860, GHSA-mxw3-3hh2-x2mh
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9rpp-9xss-duf6
3
url VCID-arac-j5h5-zkcu
vulnerability_id VCID-arac-j5h5-zkcu
summary 
Rack has possible DoS Vulnerability with Range Header
# Possible DoS Vulnerability with Range Header in Rack

There is a possible DoS vulnerability relating to the Range request header in
Rack.  This vulnerability has been assigned the CVE identifier CVE-2024-26141.

Versions Affected:  >= 1.3.0.
Not affected:       < 1.3.0
Fixed Versions:     3.0.9.1, 2.2.8.1

Impact
------
Carefully crafted Range headers can cause a server to respond with an
unexpectedly large response. Responding with such large responses could lead
to a denial of service issue.

Vulnerable applications will use the `Rack::File` middleware or the
`Rack::Utils.byte_ranges` methods (this includes Rails applications).

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
There are no feasible workarounds for this issue.

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

* 3-0-range.patch - Patch for 3.0 series
* 2-2-range.patch - Patch for 2.2 series

Credits
-------

Thank you [ooooooo_q](https://hackerone.com/ooooooo_q) for the report and
patch
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26141.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26141.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-26141
reference_id
reference_type
scores
0
value 0.00378
scoring_system epss
scoring_elements 0.59333
published_at 2026-04-26T12:55:00Z
1
value 0.00378
scoring_system epss
scoring_elements 0.59314
published_at 2026-04-24T12:55:00Z
2
value 0.00378
scoring_system epss
scoring_elements 0.59336
published_at 2026-04-21T12:55:00Z
3
value 0.00378
scoring_system epss
scoring_elements 0.59356
published_at 2026-04-18T12:55:00Z
4
value 0.00378
scoring_system epss
scoring_elements 0.5935
published_at 2026-04-11T12:55:00Z
5
value 0.00378
scoring_system epss
scoring_elements 0.59349
published_at 2026-04-16T12:55:00Z
6
value 0.00378
scoring_system epss
scoring_elements 0.59334
published_at 2026-04-12T12:55:00Z
7
value 0.00378
scoring_system epss
scoring_elements 0.59316
published_at 2026-04-13T12:55:00Z
8
value 0.00399
scoring_system epss
scoring_elements 0.60642
published_at 2026-04-08T12:55:00Z
9
value 0.00399
scoring_system epss
scoring_elements 0.60657
published_at 2026-04-09T12:55:00Z
10
value 0.00399
scoring_system epss
scoring_elements 0.60593
published_at 2026-04-07T12:55:00Z
11
value 0.0041
scoring_system epss
scoring_elements 0.61296
published_at 2026-04-02T12:55:00Z
12
value 0.0041
scoring_system epss
scoring_elements 0.61325
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-26141
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25126
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25126
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26141
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26141
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26146
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26146
5
reference_url https://discuss.rubyonrails.org/t/possible-dos-vulnerability-with-range-header-in-rack/84944
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-05T18:23:59Z/
url https://discuss.rubyonrails.org/t/possible-dos-vulnerability-with-range-header-in-rack/84944
6
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
7
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
8
reference_url https://github.com/rack/rack/commit/4849132bef471adb21131980df745f4bb84de2d9
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-05T18:23:59Z/
url https://github.com/rack/rack/commit/4849132bef471adb21131980df745f4bb84de2d9
9
reference_url https://github.com/rack/rack/commit/62457686b26d33a15a254c7768c2076e8e02b48b
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-05T18:23:59Z/
url https://github.com/rack/rack/commit/62457686b26d33a15a254c7768c2076e8e02b48b
10
reference_url https://github.com/rack/rack/security/advisories/GHSA-xj5v-6v4g-jfw6
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-05T18:23:59Z/
url https://github.com/rack/rack/security/advisories/GHSA-xj5v-6v4g-jfw6
11
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26141.yml
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-05T18:23:59Z/
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26141.yml
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-26141
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-26141
13
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064516
reference_id 1064516
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064516
14
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2265594
reference_id 2265594
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2265594
15
reference_url https://github.com/advisories/GHSA-xj5v-6v4g-jfw6
reference_id GHSA-xj5v-6v4g-jfw6
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-xj5v-6v4g-jfw6
16
reference_url https://security.netapp.com/advisory/ntap-20240510-0007/
reference_id ntap-20240510-0007
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-05T18:23:59Z/
url https://security.netapp.com/advisory/ntap-20240510-0007/
17
reference_url https://access.redhat.com/errata/RHSA-2024:10806
reference_id RHSA-2024:10806
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:10806
18
reference_url https://access.redhat.com/errata/RHSA-2024:1841
reference_id RHSA-2024:1841
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1841
19
reference_url https://access.redhat.com/errata/RHSA-2024:1846
reference_id RHSA-2024:1846
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1846
20
reference_url https://access.redhat.com/errata/RHSA-2024:2007
reference_id RHSA-2024:2007
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2007
21
reference_url https://access.redhat.com/errata/RHSA-2024:2113
reference_id RHSA-2024:2113
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2113
22
reference_url https://access.redhat.com/errata/RHSA-2024:2581
reference_id RHSA-2024:2581
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2581
23
reference_url https://access.redhat.com/errata/RHSA-2024:2584
reference_id RHSA-2024:2584
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2584
24
reference_url https://access.redhat.com/errata/RHSA-2024:2953
reference_id RHSA-2024:2953
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2953
25
reference_url https://access.redhat.com/errata/RHSA-2024:3431
reference_id RHSA-2024:3431
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3431
26
reference_url https://usn.ubuntu.com/6689-1/
reference_id USN-6689-1
reference_type
scores
url https://usn.ubuntu.com/6689-1/
27
reference_url https://usn.ubuntu.com/6837-1/
reference_id USN-6837-1
reference_type
scores
url https://usn.ubuntu.com/6837-1/
28
reference_url https://usn.ubuntu.com/6837-2/
reference_id USN-6837-2
reference_type
scores
url https://usn.ubuntu.com/6837-2/
29
reference_url https://usn.ubuntu.com/7036-1/
reference_id USN-7036-1
reference_type
scores
url https://usn.ubuntu.com/7036-1/
fixed_packages
0
url pkg:gem/rack@3.0.9.1
purl pkg:gem/rack@3.0.9.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-47ja-djzb-2bbw
1
vulnerability VCID-7p12-ejdu-uqgy
2
vulnerability VCID-7wvj-9h3p-23am
3
vulnerability VCID-9rpp-9xss-duf6
4
vulnerability VCID-azu5-jcmd-3ufx
5
vulnerability VCID-c5sc-7qnn-mkb9
6
vulnerability VCID-d58r-22kr-9bct
7
vulnerability VCID-npag-sz7d-v7b6
8
vulnerability VCID-s971-gkdg-jkhc
9
vulnerability VCID-skxv-7he3-xqgc
10
vulnerability VCID-w732-52bx-2qf8
11
vulnerability VCID-wt7k-s1yd-nke6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.9.1
aliases CVE-2024-26141, GHSA-xj5v-6v4g-jfw6
risk_score 2.6
exploitability 0.5
weighted_severity 5.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-arac-j5h5-zkcu
4
url VCID-azu5-jcmd-3ufx
vulnerability_id VCID-azu5-jcmd-3ufx
summary 
Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
`Rack::Multipart::Parser` can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line (`CRLFCRLF`). The parser keeps appending incoming bytes to memory without a size cap, allowing a remote attacker to exhaust memory and cause a denial of service (DoS).
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61772.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61772.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-61772
reference_id
reference_type
scores
0
value 0.00193
scoring_system epss
scoring_elements 0.41064
published_at 2026-04-26T12:55:00Z
1
value 0.00193
scoring_system epss
scoring_elements 0.41069
published_at 2026-04-24T12:55:00Z
2
value 0.00193
scoring_system epss
scoring_elements 0.4118
published_at 2026-04-21T12:55:00Z
3
value 0.00193
scoring_system epss
scoring_elements 0.41252
published_at 2026-04-18T12:55:00Z
4
value 0.00193
scoring_system epss
scoring_elements 0.41281
published_at 2026-04-16T12:55:00Z
5
value 0.00193
scoring_system epss
scoring_elements 0.41238
published_at 2026-04-13T12:55:00Z
6
value 0.00193
scoring_system epss
scoring_elements 0.41251
published_at 2026-04-12T12:55:00Z
7
value 0.00193
scoring_system epss
scoring_elements 0.41283
published_at 2026-04-11T12:55:00Z
8
value 0.00193
scoring_system epss
scoring_elements 0.41261
published_at 2026-04-09T12:55:00Z
9
value 0.00193
scoring_system epss
scoring_elements 0.41253
published_at 2026-04-08T12:55:00Z
10
value 0.00193
scoring_system epss
scoring_elements 0.41203
published_at 2026-04-07T12:55:00Z
11
value 0.00193
scoring_system epss
scoring_elements 0.41278
published_at 2026-04-04T12:55:00Z
12
value 0.00193
scoring_system epss
scoring_elements 0.41249
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-61772
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61772
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61772
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:19Z/
url https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e
6
reference_url https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:19Z/
url https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e
7
reference_url https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:19Z/
url https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd
8
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117627
reference_id 1117627
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117627
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2402200
reference_id 2402200
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2402200
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-61772
reference_id CVE-2025-61772
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-61772
11
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61772.yml
reference_id CVE-2025-61772.YML
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61772.yml
12
reference_url https://github.com/advisories/GHSA-wpv5-97wm-hp9c
reference_id GHSA-wpv5-97wm-hp9c
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-wpv5-97wm-hp9c
13
reference_url https://github.com/rack/rack/security/advisories/GHSA-wpv5-97wm-hp9c
reference_id GHSA-wpv5-97wm-hp9c
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:19Z/
url https://github.com/rack/rack/security/advisories/GHSA-wpv5-97wm-hp9c
14
reference_url https://access.redhat.com/errata/RHSA-2025:19512
reference_id RHSA-2025:19512
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19512
15
reference_url https://access.redhat.com/errata/RHSA-2025:19513
reference_id RHSA-2025:19513
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19513
16
reference_url https://access.redhat.com/errata/RHSA-2025:19647
reference_id RHSA-2025:19647
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19647
17
reference_url https://access.redhat.com/errata/RHSA-2025:19719
reference_id RHSA-2025:19719
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19719
18
reference_url https://access.redhat.com/errata/RHSA-2025:19733
reference_id RHSA-2025:19733
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19733
19
reference_url https://access.redhat.com/errata/RHSA-2025:19734
reference_id RHSA-2025:19734
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19734
20
reference_url https://access.redhat.com/errata/RHSA-2025:19736
reference_id RHSA-2025:19736
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19736
21
reference_url https://access.redhat.com/errata/RHSA-2025:19800
reference_id RHSA-2025:19800
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19800
22
reference_url https://access.redhat.com/errata/RHSA-2025:19948
reference_id RHSA-2025:19948
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19948
23
reference_url https://access.redhat.com/errata/RHSA-2025:20962
reference_id RHSA-2025:20962
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:20962
24
reference_url https://access.redhat.com/errata/RHSA-2025:21036
reference_id RHSA-2025:21036
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:21036
25
reference_url https://usn.ubuntu.com/7960-1/
reference_id USN-7960-1
reference_type
scores
url https://usn.ubuntu.com/7960-1/
fixed_packages
0
url pkg:gem/rack@3.1.17
purl pkg:gem/rack@3.1.17
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9rpp-9xss-duf6
1
vulnerability VCID-d58r-22kr-9bct
2
vulnerability VCID-s971-gkdg-jkhc
3
vulnerability VCID-skxv-7he3-xqgc
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.17
1
url pkg:gem/rack@3.2.2
purl pkg:gem/rack@3.2.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9rpp-9xss-duf6
1
vulnerability VCID-d58r-22kr-9bct
2
vulnerability VCID-s971-gkdg-jkhc
3
vulnerability VCID-skxv-7he3-xqgc
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.2
aliases CVE-2025-61772, GHSA-wpv5-97wm-hp9c
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-azu5-jcmd-3ufx
5
url VCID-c21j-snf1-d3cb
vulnerability_id VCID-c21j-snf1-d3cb
summary 
Duplicate
This advisory duplicates another.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-44572.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-44572.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-44572
reference_id
reference_type
scores
0
value 0.00234
scoring_system epss
scoring_elements 0.46307
published_at 2026-04-21T12:55:00Z
1
value 0.00234
scoring_system epss
scoring_elements 0.46299
published_at 2026-04-26T12:55:00Z
2
value 0.00234
scoring_system epss
scoring_elements 0.46288
published_at 2026-04-24T12:55:00Z
3
value 0.00262
scoring_system epss
scoring_elements 0.49513
published_at 2026-04-02T12:55:00Z
4
value 0.00262
scoring_system epss
scoring_elements 0.4954
published_at 2026-04-04T12:55:00Z
5
value 0.00275
scoring_system epss
scoring_elements 0.50985
published_at 2026-04-16T12:55:00Z
6
value 0.00275
scoring_system epss
scoring_elements 0.50991
published_at 2026-04-18T12:55:00Z
7
value 0.00275
scoring_system epss
scoring_elements 0.50986
published_at 2026-04-11T12:55:00Z
8
value 0.00275
scoring_system epss
scoring_elements 0.50948
published_at 2026-04-13T12:55:00Z
9
value 0.00275
scoring_system epss
scoring_elements 0.50964
published_at 2026-04-12T12:55:00Z
10
value 0.00298
scoring_system epss
scoring_elements 0.53138
published_at 2026-04-07T12:55:00Z
11
value 0.00298
scoring_system epss
scoring_elements 0.53192
published_at 2026-04-08T12:55:00Z
12
value 0.00298
scoring_system epss
scoring_elements 0.53184
published_at 2026-04-09T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-44572
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539
9
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
10
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
11
reference_url https://github.com/rack/rack/releases/tag/v3.0.4.1
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/releases/tag/v3.0.4.1
12
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-44572.yml
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-44572.yml
13
reference_url https://hackerone.com/reports/1639882
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://hackerone.com/reports/1639882
14
reference_url https://www.debian.org/security/2023/dsa-5530
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2023/dsa-5530
15
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029832
reference_id 1029832
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029832
16
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2164722
reference_id 2164722
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2164722
17
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-44572
reference_id CVE-2022-44572
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-44572
18
reference_url https://github.com/advisories/GHSA-rqv2-275x-2jq5
reference_id GHSA-rqv2-275x-2jq5
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-rqv2-275x-2jq5
19
reference_url https://access.redhat.com/errata/RHSA-2023:6818
reference_id RHSA-2023:6818
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:6818
20
reference_url https://usn.ubuntu.com/5910-1/
reference_id USN-5910-1
reference_type
scores
url https://usn.ubuntu.com/5910-1/
21
reference_url https://usn.ubuntu.com/7036-1/
reference_id USN-7036-1
reference_type
scores
url https://usn.ubuntu.com/7036-1/
fixed_packages
0
url pkg:gem/rack@3.0.4.1
purl pkg:gem/rack@3.0.4.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-47ja-djzb-2bbw
1
vulnerability VCID-7p12-ejdu-uqgy
2
vulnerability VCID-7wvj-9h3p-23am
3
vulnerability VCID-7zgg-tvu3-r7gt
4
vulnerability VCID-9rpp-9xss-duf6
5
vulnerability VCID-arac-j5h5-zkcu
6
vulnerability VCID-azu5-jcmd-3ufx
7
vulnerability VCID-c5sc-7qnn-mkb9
8
vulnerability VCID-d58r-22kr-9bct
9
vulnerability VCID-fpg2-nhey-rkcc
10
vulnerability VCID-gtzk-m9rm-57hw
11
vulnerability VCID-npag-sz7d-v7b6
12
vulnerability VCID-s971-gkdg-jkhc
13
vulnerability VCID-skxv-7he3-xqgc
14
vulnerability VCID-w732-52bx-2qf8
15
vulnerability VCID-wt7k-s1yd-nke6
16
vulnerability VCID-xkah-9nv9-wufd
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.4.1
aliases CVE-2022-44572, GHSA-rqv2-275x-2jq5, GMS-2023-66
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-c21j-snf1-d3cb
6
url VCID-c5sc-7qnn-mkb9
vulnerability_id VCID-c5sc-7qnn-mkb9
summary 
Rack: Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
`Rack::Multipart::Parser` stores non-file form fields (parts without a `filename`) entirely in memory as Ruby `String` objects. A single large text field in a multipart/form-data request (hundreds of megabytes or more) can consume equivalent process memory, potentially leading to out-of-memory (OOM) conditions and denial of service (DoS).
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61771.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61771.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-61771
reference_id
reference_type
scores
0
value 0.00098
scoring_system epss
scoring_elements 0.2688
published_at 2026-04-26T12:55:00Z
1
value 0.00098
scoring_system epss
scoring_elements 0.26888
published_at 2026-04-24T12:55:00Z
2
value 0.00098
scoring_system epss
scoring_elements 0.26937
published_at 2026-04-21T12:55:00Z
3
value 0.00098
scoring_system epss
scoring_elements 0.26999
published_at 2026-04-16T12:55:00Z
4
value 0.00098
scoring_system epss
scoring_elements 0.2699
published_at 2026-04-13T12:55:00Z
5
value 0.00098
scoring_system epss
scoring_elements 0.27047
published_at 2026-04-12T12:55:00Z
6
value 0.00098
scoring_system epss
scoring_elements 0.27091
published_at 2026-04-11T12:55:00Z
7
value 0.00098
scoring_system epss
scoring_elements 0.27087
published_at 2026-04-09T12:55:00Z
8
value 0.00098
scoring_system epss
scoring_elements 0.27042
published_at 2026-04-08T12:55:00Z
9
value 0.00098
scoring_system epss
scoring_elements 0.26973
published_at 2026-04-18T12:55:00Z
10
value 0.00098
scoring_system epss
scoring_elements 0.27182
published_at 2026-04-04T12:55:00Z
11
value 0.00098
scoring_system epss
scoring_elements 0.27146
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-61771
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61771
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61771
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:58Z/
url https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e
6
reference_url https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:58Z/
url https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e
7
reference_url https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:58Z/
url https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd
8
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117628
reference_id 1117628
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117628
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2402175
reference_id 2402175
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2402175
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-61771
reference_id CVE-2025-61771
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-61771
11
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61771.yml
reference_id CVE-2025-61771.YML
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61771.yml
12
reference_url https://github.com/advisories/GHSA-w9pc-fmgc-vxvw
reference_id GHSA-w9pc-fmgc-vxvw
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-w9pc-fmgc-vxvw
13
reference_url https://github.com/rack/rack/security/advisories/GHSA-w9pc-fmgc-vxvw
reference_id GHSA-w9pc-fmgc-vxvw
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:58Z/
url https://github.com/rack/rack/security/advisories/GHSA-w9pc-fmgc-vxvw
14
reference_url https://access.redhat.com/errata/RHSA-2025:19512
reference_id RHSA-2025:19512
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19512
15
reference_url https://access.redhat.com/errata/RHSA-2025:19513
reference_id RHSA-2025:19513
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19513
16
reference_url https://access.redhat.com/errata/RHSA-2025:19647
reference_id RHSA-2025:19647
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19647
17
reference_url https://access.redhat.com/errata/RHSA-2025:19719
reference_id RHSA-2025:19719
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19719
18
reference_url https://access.redhat.com/errata/RHSA-2025:19734
reference_id RHSA-2025:19734
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19734
19
reference_url https://access.redhat.com/errata/RHSA-2025:19800
reference_id RHSA-2025:19800
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19800
20
reference_url https://access.redhat.com/errata/RHSA-2025:19948
reference_id RHSA-2025:19948
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19948
21
reference_url https://access.redhat.com/errata/RHSA-2025:20962
reference_id RHSA-2025:20962
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:20962
22
reference_url https://access.redhat.com/errata/RHSA-2025:21036
reference_id RHSA-2025:21036
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:21036
23
reference_url https://access.redhat.com/errata/RHSA-2025:21696
reference_id RHSA-2025:21696
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:21696
24
reference_url https://usn.ubuntu.com/7960-1/
reference_id USN-7960-1
reference_type
scores
url https://usn.ubuntu.com/7960-1/
fixed_packages
0
url pkg:gem/rack@3.1.17
purl pkg:gem/rack@3.1.17
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9rpp-9xss-duf6
1
vulnerability VCID-d58r-22kr-9bct
2
vulnerability VCID-s971-gkdg-jkhc
3
vulnerability VCID-skxv-7he3-xqgc
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.17
1
url pkg:gem/rack@3.2.2
purl pkg:gem/rack@3.2.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9rpp-9xss-duf6
1
vulnerability VCID-d58r-22kr-9bct
2
vulnerability VCID-s971-gkdg-jkhc
3
vulnerability VCID-skxv-7he3-xqgc
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.2
aliases CVE-2025-61771, GHSA-w9pc-fmgc-vxvw
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-c5sc-7qnn-mkb9
7
url VCID-d58r-22kr-9bct
vulnerability_id VCID-d58r-22kr-9bct
summary 
Rack has a Possible Information Disclosure Vulnerability
A possible information disclosure vulnerability existed in `Rack::Sendfile` when running behind a proxy that supports `x-sendfile` headers (such as Nginx). Specially crafted headers could cause `Rack::Sendfile` to miscommunicate with the proxy and trigger unintended internal requests, potentially bypassing proxy-level access restrictions.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61780.json
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61780.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-61780
reference_id
reference_type
scores
0
value 0.00035
scoring_system epss
scoring_elements 0.10343
published_at 2026-04-26T12:55:00Z
1
value 0.00035
scoring_system epss
scoring_elements 0.10351
published_at 2026-04-24T12:55:00Z
2
value 0.00035
scoring_system epss
scoring_elements 0.10369
published_at 2026-04-21T12:55:00Z
3
value 0.00035
scoring_system epss
scoring_elements 0.10238
published_at 2026-04-18T12:55:00Z
4
value 0.00035
scoring_system epss
scoring_elements 0.10267
published_at 2026-04-16T12:55:00Z
5
value 0.00035
scoring_system epss
scoring_elements 0.10396
published_at 2026-04-13T12:55:00Z
6
value 0.00035
scoring_system epss
scoring_elements 0.10418
published_at 2026-04-12T12:55:00Z
7
value 0.00035
scoring_system epss
scoring_elements 0.10462
published_at 2026-04-11T12:55:00Z
8
value 0.00035
scoring_system epss
scoring_elements 0.10434
published_at 2026-04-09T12:55:00Z
9
value 0.00035
scoring_system epss
scoring_elements 0.10368
published_at 2026-04-08T12:55:00Z
10
value 0.00035
scoring_system epss
scoring_elements 0.10294
published_at 2026-04-07T12:55:00Z
11
value 0.00035
scoring_system epss
scoring_elements 0.10394
published_at 2026-04-04T12:55:00Z
12
value 0.00035
scoring_system epss
scoring_elements 0.10328
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-61780
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61780
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61780
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://github.com/rack/rack/commit/57277b7741581fa827472c5c666f6e6a33abd784
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:34:55Z/
url https://github.com/rack/rack/commit/57277b7741581fa827472c5c666f6e6a33abd784
6
reference_url https://github.com/rack/rack/commit/7e69f65eefe9cd2868df9f9f3b0977b86f93523a
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:34:55Z/
url https://github.com/rack/rack/commit/7e69f65eefe9cd2868df9f9f3b0977b86f93523a
7
reference_url https://github.com/rack/rack/commit/fba2c8bc63eb787ff4b19bc612d315fda6126d85
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:34:55Z/
url https://github.com/rack/rack/commit/fba2c8bc63eb787ff4b19bc612d315fda6126d85
8
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117855
reference_id 1117855
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117855
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2403126
reference_id 2403126
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2403126
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-61780
reference_id CVE-2025-61780
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-61780
11
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61780.yml
reference_id CVE-2025-61780.YML
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61780.yml
12
reference_url https://github.com/advisories/GHSA-r657-rxjc-j557
reference_id GHSA-r657-rxjc-j557
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-r657-rxjc-j557
13
reference_url https://github.com/rack/rack/security/advisories/GHSA-r657-rxjc-j557
reference_id GHSA-r657-rxjc-j557
reference_type
scores
0
value 5.8
scoring_system cvssv3
scoring_elements
1
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:34:55Z/
url https://github.com/rack/rack/security/advisories/GHSA-r657-rxjc-j557
14
reference_url https://usn.ubuntu.com/7960-1/
reference_id USN-7960-1
reference_type
scores
url https://usn.ubuntu.com/7960-1/
fixed_packages
0
url pkg:gem/rack@3.1.18
purl pkg:gem/rack@3.1.18
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9rpp-9xss-duf6
1
vulnerability VCID-skxv-7he3-xqgc
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.18
1
url pkg:gem/rack@3.2.3
purl pkg:gem/rack@3.2.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9rpp-9xss-duf6
1
vulnerability VCID-skxv-7he3-xqgc
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.3
aliases CVE-2025-61780, GHSA-r657-rxjc-j557
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-d58r-22kr-9bct
8
url VCID-gtzk-m9rm-57hw
vulnerability_id VCID-gtzk-m9rm-57hw
summary 
Rack Header Parsing leads to Possible Denial of Service Vulnerability
# Possible Denial of Service Vulnerability in Rack Header Parsing

There is a possible denial of service vulnerability in the header parsing
routines in Rack.  This vulnerability has been assigned the CVE identifier
CVE-2024-26146.

Versions Affected:  All.
Not affected:       None
Fixed Versions:     2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1

Impact
------
Carefully crafted headers can cause header parsing in Rack to take longer than
expected resulting in a possible denial of service issue. Accept and Forwarded
headers are impacted.

Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2
or newer are unaffected.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
There are no feasible workarounds for this issue.

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

* 2-0-header-redos.patch - Patch for 2.0 series
* 2-1-header-redos.patch - Patch for 2.1 series
* 2-2-header-redos.patch - Patch for 2.2 series
* 3-0-header-redos.patch - Patch for 3.0 series

Credits
-------

Thanks to [svalkanov](https://hackerone.com/svalkanov) for reporting this and
providing patches!
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26146.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26146.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-26146
reference_id
reference_type
scores
0
value 0.00644
scoring_system epss
scoring_elements 0.70676
published_at 2026-04-21T12:55:00Z
1
value 0.00699
scoring_system epss
scoring_elements 0.71937
published_at 2026-04-02T12:55:00Z
2
value 0.00699
scoring_system epss
scoring_elements 0.71956
published_at 2026-04-04T12:55:00Z
3
value 0.00714
scoring_system epss
scoring_elements 0.72348
published_at 2026-04-11T12:55:00Z
4
value 0.00714
scoring_system epss
scoring_elements 0.7241
published_at 2026-04-26T12:55:00Z
5
value 0.00714
scoring_system epss
scoring_elements 0.72401
published_at 2026-04-24T12:55:00Z
6
value 0.00714
scoring_system epss
scoring_elements 0.72371
published_at 2026-04-18T12:55:00Z
7
value 0.00714
scoring_system epss
scoring_elements 0.72361
published_at 2026-04-16T12:55:00Z
8
value 0.00714
scoring_system epss
scoring_elements 0.7232
published_at 2026-04-13T12:55:00Z
9
value 0.00714
scoring_system epss
scoring_elements 0.72332
published_at 2026-04-12T12:55:00Z
10
value 0.00775
scoring_system epss
scoring_elements 0.73601
published_at 2026-04-09T12:55:00Z
11
value 0.00775
scoring_system epss
scoring_elements 0.73588
published_at 2026-04-08T12:55:00Z
12
value 0.00775
scoring_system epss
scoring_elements 0.73552
published_at 2026-04-07T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-26146
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25126
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25126
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26141
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26141
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26146
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26146
5
reference_url https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/
url https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942
6
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
7
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
8
reference_url https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/
url https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716
9
reference_url https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/
url https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582
10
reference_url https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/
url https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f
11
reference_url https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/
url https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd
12
reference_url https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/
url https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f
13
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml
14
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-26146
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-26146
15
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064516
reference_id 1064516
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064516
16
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2265595
reference_id 2265595
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2265595
17
reference_url https://github.com/advisories/GHSA-54rr-7fvw-6x8f
reference_id GHSA-54rr-7fvw-6x8f
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-54rr-7fvw-6x8f
18
reference_url https://security.netapp.com/advisory/ntap-20240510-0006/
reference_id ntap-20240510-0006
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/
url https://security.netapp.com/advisory/ntap-20240510-0006/
19
reference_url https://access.redhat.com/errata/RHSA-2024:10806
reference_id RHSA-2024:10806
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:10806
20
reference_url https://access.redhat.com/errata/RHSA-2024:1841
reference_id RHSA-2024:1841
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1841
21
reference_url https://access.redhat.com/errata/RHSA-2024:1846
reference_id RHSA-2024:1846
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1846
22
reference_url https://access.redhat.com/errata/RHSA-2024:2007
reference_id RHSA-2024:2007
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2007
23
reference_url https://access.redhat.com/errata/RHSA-2024:2113
reference_id RHSA-2024:2113
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2113
24
reference_url https://access.redhat.com/errata/RHSA-2024:2581
reference_id RHSA-2024:2581
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2581
25
reference_url https://access.redhat.com/errata/RHSA-2024:2584
reference_id RHSA-2024:2584
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2584
26
reference_url https://access.redhat.com/errata/RHSA-2024:2953
reference_id RHSA-2024:2953
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2953
27
reference_url https://access.redhat.com/errata/RHSA-2024:3431
reference_id RHSA-2024:3431
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3431
28
reference_url https://usn.ubuntu.com/6689-1/
reference_id USN-6689-1
reference_type
scores
url https://usn.ubuntu.com/6689-1/
29
reference_url https://usn.ubuntu.com/6837-1/
reference_id USN-6837-1
reference_type
scores
url https://usn.ubuntu.com/6837-1/
30
reference_url https://usn.ubuntu.com/6837-2/
reference_id USN-6837-2
reference_type
scores
url https://usn.ubuntu.com/6837-2/
31
reference_url https://usn.ubuntu.com/7036-1/
reference_id USN-7036-1
reference_type
scores
url https://usn.ubuntu.com/7036-1/
fixed_packages
0
url pkg:gem/rack@3.0.9.1
purl pkg:gem/rack@3.0.9.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-47ja-djzb-2bbw
1
vulnerability VCID-7p12-ejdu-uqgy
2
vulnerability VCID-7wvj-9h3p-23am
3
vulnerability VCID-9rpp-9xss-duf6
4
vulnerability VCID-azu5-jcmd-3ufx
5
vulnerability VCID-c5sc-7qnn-mkb9
6
vulnerability VCID-d58r-22kr-9bct
7
vulnerability VCID-npag-sz7d-v7b6
8
vulnerability VCID-s971-gkdg-jkhc
9
vulnerability VCID-skxv-7he3-xqgc
10
vulnerability VCID-w732-52bx-2qf8
11
vulnerability VCID-wt7k-s1yd-nke6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.9.1
aliases CVE-2024-26146, GHSA-54rr-7fvw-6x8f
risk_score 2.4
exploitability 0.5
weighted_severity 4.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-gtzk-m9rm-57hw
9
url VCID-npag-sz7d-v7b6
vulnerability_id VCID-npag-sz7d-v7b6
summary 
Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion)
`Rack::Multipart::Parser` buffers the entire multipart **preamble** (bytes before the first boundary) in memory without any size limit. A client can send a large preamble followed by a valid boundary, causing significant memory use and potential process termination due to out-of-memory (OOM) conditions.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61770.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61770.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-61770
reference_id
reference_type
scores
0
value 0.00158
scoring_system epss
scoring_elements 0.36408
published_at 2026-04-26T12:55:00Z
1
value 0.00158
scoring_system epss
scoring_elements 0.36438
published_at 2026-04-24T12:55:00Z
2
value 0.00158
scoring_system epss
scoring_elements 0.36663
published_at 2026-04-21T12:55:00Z
3
value 0.00158
scoring_system epss
scoring_elements 0.36723
published_at 2026-04-18T12:55:00Z
4
value 0.00158
scoring_system epss
scoring_elements 0.3674
published_at 2026-04-16T12:55:00Z
5
value 0.00158
scoring_system epss
scoring_elements 0.36695
published_at 2026-04-13T12:55:00Z
6
value 0.00158
scoring_system epss
scoring_elements 0.36721
published_at 2026-04-12T12:55:00Z
7
value 0.00158
scoring_system epss
scoring_elements 0.36756
published_at 2026-04-11T12:55:00Z
8
value 0.00158
scoring_system epss
scoring_elements 0.36747
published_at 2026-04-09T12:55:00Z
9
value 0.00158
scoring_system epss
scoring_elements 0.3673
published_at 2026-04-08T12:55:00Z
10
value 0.00158
scoring_system epss
scoring_elements 0.3668
published_at 2026-04-07T12:55:00Z
11
value 0.00158
scoring_system epss
scoring_elements 0.36844
published_at 2026-04-04T12:55:00Z
12
value 0.00158
scoring_system epss
scoring_elements 0.36812
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-61770
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61770
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61770
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T15:23:07Z/
url https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e
6
reference_url https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T15:23:07Z/
url https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e
7
reference_url https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T15:23:07Z/
url https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd
8
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117627
reference_id 1117627
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117627
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2402174
reference_id 2402174
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2402174
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-61770
reference_id CVE-2025-61770
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-61770
11
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61770.yml
reference_id CVE-2025-61770.YML
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61770.yml
12
reference_url https://github.com/advisories/GHSA-p543-xpfm-54cp
reference_id GHSA-p543-xpfm-54cp
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-p543-xpfm-54cp
13
reference_url https://github.com/rack/rack/security/advisories/GHSA-p543-xpfm-54cp
reference_id GHSA-p543-xpfm-54cp
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T15:23:07Z/
url https://github.com/rack/rack/security/advisories/GHSA-p543-xpfm-54cp
14
reference_url https://access.redhat.com/errata/RHSA-2025:19512
reference_id RHSA-2025:19512
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19512
15
reference_url https://access.redhat.com/errata/RHSA-2025:19513
reference_id RHSA-2025:19513
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19513
16
reference_url https://access.redhat.com/errata/RHSA-2025:19647
reference_id RHSA-2025:19647
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19647
17
reference_url https://access.redhat.com/errata/RHSA-2025:19719
reference_id RHSA-2025:19719
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19719
18
reference_url https://access.redhat.com/errata/RHSA-2025:19733
reference_id RHSA-2025:19733
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19733
19
reference_url https://access.redhat.com/errata/RHSA-2025:19734
reference_id RHSA-2025:19734
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19734
20
reference_url https://access.redhat.com/errata/RHSA-2025:19736
reference_id RHSA-2025:19736
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19736
21
reference_url https://access.redhat.com/errata/RHSA-2025:19800
reference_id RHSA-2025:19800
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19800
22
reference_url https://access.redhat.com/errata/RHSA-2025:19948
reference_id RHSA-2025:19948
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19948
23
reference_url https://access.redhat.com/errata/RHSA-2025:20962
reference_id RHSA-2025:20962
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:20962
24
reference_url https://access.redhat.com/errata/RHSA-2025:21036
reference_id RHSA-2025:21036
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:21036
25
reference_url https://access.redhat.com/errata/RHSA-2025:21696
reference_id RHSA-2025:21696
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:21696
26
reference_url https://usn.ubuntu.com/7960-1/
reference_id USN-7960-1
reference_type
scores
url https://usn.ubuntu.com/7960-1/
fixed_packages
0
url pkg:gem/rack@3.1.17
purl pkg:gem/rack@3.1.17
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9rpp-9xss-duf6
1
vulnerability VCID-d58r-22kr-9bct
2
vulnerability VCID-s971-gkdg-jkhc
3
vulnerability VCID-skxv-7he3-xqgc
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.17
1
url pkg:gem/rack@3.2.2
purl pkg:gem/rack@3.2.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9rpp-9xss-duf6
1
vulnerability VCID-d58r-22kr-9bct
2
vulnerability VCID-s971-gkdg-jkhc
3
vulnerability VCID-skxv-7he3-xqgc
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.2
aliases CVE-2025-61770, GHSA-p543-xpfm-54cp
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-npag-sz7d-v7b6
10
url VCID-s971-gkdg-jkhc
vulnerability_id VCID-s971-gkdg-jkhc
summary 
Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing
`Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61919.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61919.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-61919
reference_id
reference_type
scores
0
value 0.00221
scoring_system epss
scoring_elements 0.44639
published_at 2026-04-26T12:55:00Z
1
value 0.00221
scoring_system epss
scoring_elements 0.44632
published_at 2026-04-24T12:55:00Z
2
value 0.00221
scoring_system epss
scoring_elements 0.44713
published_at 2026-04-21T12:55:00Z
3
value 0.00221
scoring_system epss
scoring_elements 0.44784
published_at 2026-04-18T12:55:00Z
4
value 0.00221
scoring_system epss
scoring_elements 0.44791
published_at 2026-04-16T12:55:00Z
5
value 0.00221
scoring_system epss
scoring_elements 0.44737
published_at 2026-04-13T12:55:00Z
6
value 0.00221
scoring_system epss
scoring_elements 0.44735
published_at 2026-04-12T12:55:00Z
7
value 0.00221
scoring_system epss
scoring_elements 0.44767
published_at 2026-04-11T12:55:00Z
8
value 0.00221
scoring_system epss
scoring_elements 0.4475
published_at 2026-04-09T12:55:00Z
9
value 0.00221
scoring_system epss
scoring_elements 0.44748
published_at 2026-04-08T12:55:00Z
10
value 0.00221
scoring_system epss
scoring_elements 0.44695
published_at 2026-04-07T12:55:00Z
11
value 0.00221
scoring_system epss
scoring_elements 0.44756
published_at 2026-04-04T12:55:00Z
12
value 0.00221
scoring_system epss
scoring_elements 0.44736
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-61919
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61919
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61919
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://github.com/rack/rack/commit/4e2c903991a790ee211a3021808ff4fd6fe82881
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:48:10Z/
url https://github.com/rack/rack/commit/4e2c903991a790ee211a3021808ff4fd6fe82881
6
reference_url https://github.com/rack/rack/commit/cbd541e8a3d0c5830a3c9a30d3718ce2e124f9db
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:48:10Z/
url https://github.com/rack/rack/commit/cbd541e8a3d0c5830a3c9a30d3718ce2e124f9db
7
reference_url https://github.com/rack/rack/commit/e179614c4a653283286f5f046428cbb85f21146f
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:48:10Z/
url https://github.com/rack/rack/commit/e179614c4a653283286f5f046428cbb85f21146f
8
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117856
reference_id 1117856
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117856
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2403180
reference_id 2403180
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2403180
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-61919
reference_id CVE-2025-61919
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-61919
11
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61919.yml
reference_id CVE-2025-61919.YML
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61919.yml
12
reference_url https://github.com/advisories/GHSA-6xw4-3v39-52mm
reference_id GHSA-6xw4-3v39-52mm
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6xw4-3v39-52mm
13
reference_url https://github.com/rack/rack/security/advisories/GHSA-6xw4-3v39-52mm
reference_id GHSA-6xw4-3v39-52mm
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:48:10Z/
url https://github.com/rack/rack/security/advisories/GHSA-6xw4-3v39-52mm
14
reference_url https://access.redhat.com/errata/RHSA-2025:19512
reference_id RHSA-2025:19512
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19512
15
reference_url https://access.redhat.com/errata/RHSA-2025:19513
reference_id RHSA-2025:19513
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19513
16
reference_url https://access.redhat.com/errata/RHSA-2025:19647
reference_id RHSA-2025:19647
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19647
17
reference_url https://access.redhat.com/errata/RHSA-2025:19719
reference_id RHSA-2025:19719
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19719
18
reference_url https://access.redhat.com/errata/RHSA-2025:19733
reference_id RHSA-2025:19733
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19733
19
reference_url https://access.redhat.com/errata/RHSA-2025:19734
reference_id RHSA-2025:19734
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19734
20
reference_url https://access.redhat.com/errata/RHSA-2025:19736
reference_id RHSA-2025:19736
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19736
21
reference_url https://access.redhat.com/errata/RHSA-2025:19800
reference_id RHSA-2025:19800
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19800
22
reference_url https://access.redhat.com/errata/RHSA-2025:19832
reference_id RHSA-2025:19832
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19832
23
reference_url https://access.redhat.com/errata/RHSA-2025:19855
reference_id RHSA-2025:19855
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19855
24
reference_url https://access.redhat.com/errata/RHSA-2025:19856
reference_id RHSA-2025:19856
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19856
25
reference_url https://access.redhat.com/errata/RHSA-2025:19948
reference_id RHSA-2025:19948
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19948
26
reference_url https://access.redhat.com/errata/RHSA-2025:20962
reference_id RHSA-2025:20962
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:20962
27
reference_url https://access.redhat.com/errata/RHSA-2025:21036
reference_id RHSA-2025:21036
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:21036
28
reference_url https://access.redhat.com/errata/RHSA-2025:21696
reference_id RHSA-2025:21696
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:21696
29
reference_url https://usn.ubuntu.com/7960-1/
reference_id USN-7960-1
reference_type
scores
url https://usn.ubuntu.com/7960-1/
fixed_packages
0
url pkg:gem/rack@3.1.18
purl pkg:gem/rack@3.1.18
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9rpp-9xss-duf6
1
vulnerability VCID-skxv-7he3-xqgc
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.18
1
url pkg:gem/rack@3.2.3
purl pkg:gem/rack@3.2.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9rpp-9xss-duf6
1
vulnerability VCID-skxv-7he3-xqgc
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.3
aliases CVE-2025-61919, GHSA-6xw4-3v39-52mm
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-s971-gkdg-jkhc
11
url VCID-skxv-7he3-xqgc
vulnerability_id VCID-skxv-7he3-xqgc
summary 
Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href
## Summary

`Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename begins with the `javascript:` scheme (e.g. `javascript:alert(1)`), the generated index includes an anchor whose `href` attribute is exactly `javascript:alert(1)`. Clicking this entry executes arbitrary JavaScript in the context of the hosting application.

This results in a client-side XSS condition in directory listings generated by `Rack::Directory`.

## Details

`Rack::Directory` renders directory entries using an HTML row template similar to:

```html
<a href='%s'>%s</a>
```

The `%s` placeholder is populated directly with the file’s basename. If the basename begins with `javascript:`, the resulting HTML contains an executable JavaScript URL:

```html
<a href='javascript:alert(1)'>javascript:alert(1)</a>
```

Because the value is inserted directly into the `href` attribute without scheme validation or normalization, browsers interpret it as a JavaScript URI. When a user clicks the link, the JavaScript executes in the origin of the Rack application.

## Impact

If `Rack::Directory` is used to expose filesystem contents over HTTP, an attacker who can create or upload files within that directory may introduce a malicious filename beginning with `javascript:`.

When a user visits the directory listing and clicks the entry, arbitrary JavaScript executes in the application's origin. Exploitation requires user interaction (clicking the malicious entry).

## Mitigation

* Update to a patched version of Rack in which `Rack::Directory` prefixes generated anchors with a relative path indicator (e.g. `./filename`).
* Avoid exposing user-controlled directories via `Rack::Directory`.
* Apply a strict Content Security Policy (CSP) to reduce impact of potential client-side execution issues.
* Where feasible, restrict or sanitize uploaded filenames to disallow dangerous URI scheme prefixes.

HackerOne profile:
https://hackerone.com/thesmartshadow

GitHub account owner:
Ali Firas (@thesmartshadow)
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25500.json
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25500.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-25500
reference_id
reference_type
scores
0
value 0.00021
scoring_system epss
scoring_elements 0.0597
published_at 2026-04-26T12:55:00Z
1
value 0.00021
scoring_system epss
scoring_elements 0.05724
published_at 2026-04-02T12:55:00Z
2
value 0.00021
scoring_system epss
scoring_elements 0.05764
published_at 2026-04-04T12:55:00Z
3
value 0.00021
scoring_system epss
scoring_elements 0.05758
published_at 2026-04-07T12:55:00Z
4
value 0.00021
scoring_system epss
scoring_elements 0.05797
published_at 2026-04-08T12:55:00Z
5
value 0.00021
scoring_system epss
scoring_elements 0.05822
published_at 2026-04-09T12:55:00Z
6
value 0.00021
scoring_system epss
scoring_elements 0.05801
published_at 2026-04-11T12:55:00Z
7
value 0.00021
scoring_system epss
scoring_elements 0.05793
published_at 2026-04-12T12:55:00Z
8
value 0.00021
scoring_system epss
scoring_elements 0.05787
published_at 2026-04-13T12:55:00Z
9
value 0.00021
scoring_system epss
scoring_elements 0.05751
published_at 2026-04-16T12:55:00Z
10
value 0.00021
scoring_system epss
scoring_elements 0.05759
published_at 2026-04-18T12:55:00Z
11
value 0.00021
scoring_system epss
scoring_elements 0.05903
published_at 2026-04-21T12:55:00Z
12
value 0.00021
scoring_system epss
scoring_elements 0.05935
published_at 2026-04-24T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-25500
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25500
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25500
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://github.com/rack/rack/commit/f2f225f297b99fbee3d9f51255d41f601fc40aff
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-18T19:42:04Z/
url https://github.com/rack/rack/commit/f2f225f297b99fbee3d9f51255d41f601fc40aff
6
reference_url https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3
scoring_elements
1
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-18T19:42:04Z/
url https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp
7
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-25500.yml
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-25500.yml
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25500
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25500
9
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128480
reference_id 1128480
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128480
10
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2440738
reference_id 2440738
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2440738
11
reference_url https://github.com/advisories/GHSA-whrj-4476-wvmp
reference_id GHSA-whrj-4476-wvmp
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-whrj-4476-wvmp
12
reference_url https://usn.ubuntu.com/8066-1/
reference_id USN-8066-1
reference_type
scores
url https://usn.ubuntu.com/8066-1/
fixed_packages
0
url pkg:gem/rack@3.1.20
purl pkg:gem/rack@3.1.20
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.20
1
url pkg:gem/rack@3.2.5
purl pkg:gem/rack@3.2.5
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.5
aliases CVE-2026-25500, GHSA-whrj-4476-wvmp
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-skxv-7he3-xqgc
12
url VCID-vkrw-y1j6-6fe7
vulnerability_id VCID-vkrw-y1j6-6fe7
summary 
Duplicate
This advisory duplicates another.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-44571.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-44571.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2022-44571
reference_id
reference_type
scores
0
value 0.02882
scoring_system epss
scoring_elements 0.86342
published_at 2026-04-26T12:55:00Z
1
value 0.02882
scoring_system epss
scoring_elements 0.86333
published_at 2026-04-24T12:55:00Z
2
value 0.02882
scoring_system epss
scoring_elements 0.86313
published_at 2026-04-21T12:55:00Z
3
value 0.03289
scoring_system epss
scoring_elements 0.87172
published_at 2026-04-04T12:55:00Z
4
value 0.03289
scoring_system epss
scoring_elements 0.87155
published_at 2026-04-02T12:55:00Z
5
value 0.03631
scoring_system epss
scoring_elements 0.87801
published_at 2026-04-07T12:55:00Z
6
value 0.03631
scoring_system epss
scoring_elements 0.87822
published_at 2026-04-08T12:55:00Z
7
value 0.03631
scoring_system epss
scoring_elements 0.87829
published_at 2026-04-09T12:55:00Z
8
value 0.03631
scoring_system epss
scoring_elements 0.87841
published_at 2026-04-11T12:55:00Z
9
value 0.03631
scoring_system epss
scoring_elements 0.87835
published_at 2026-04-12T12:55:00Z
10
value 0.03631
scoring_system epss
scoring_elements 0.87833
published_at 2026-04-13T12:55:00Z
11
value 0.03631
scoring_system epss
scoring_elements 0.87847
published_at 2026-04-16T12:55:00Z
12
value 0.03631
scoring_system epss
scoring_elements 0.87846
published_at 2026-04-18T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2022-44571
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539
9
reference_url https://discuss.rubyonrails.org/t/cve-2022-44571-possible-denial-of-service-vulnerability-in-rack-content-disposition-parsing/82126
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://discuss.rubyonrails.org/t/cve-2022-44571-possible-denial-of-service-vulnerability-in-rack-content-disposition-parsing/82126
10
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.9
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
11
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
12
reference_url https://github.com/rack/rack/releases/tag/v3.0.4.1
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/releases/tag/v3.0.4.1
13
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-44571.yml
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-44571.yml
14
reference_url https://www.debian.org/security/2023/dsa-5530
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2023/dsa-5530
15
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029832
reference_id 1029832
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029832
16
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2164714
reference_id 2164714
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2164714
17
reference_url https://nvd.nist.gov/vuln/detail/CVE-2022-44571
reference_id CVE-2022-44571
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2022-44571
18
reference_url https://github.com/advisories/GHSA-93pm-5p5f-3ghx
reference_id GHSA-93pm-5p5f-3ghx
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-93pm-5p5f-3ghx
19
reference_url https://access.redhat.com/errata/RHSA-2023:6818
reference_id RHSA-2023:6818
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:6818
20
reference_url https://usn.ubuntu.com/5910-1/
reference_id USN-5910-1
reference_type
scores
url https://usn.ubuntu.com/5910-1/
21
reference_url https://usn.ubuntu.com/7036-1/
reference_id USN-7036-1
reference_type
scores
url https://usn.ubuntu.com/7036-1/
fixed_packages
0
url pkg:gem/rack@3.0.4.1
purl pkg:gem/rack@3.0.4.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-47ja-djzb-2bbw
1
vulnerability VCID-7p12-ejdu-uqgy
2
vulnerability VCID-7wvj-9h3p-23am
3
vulnerability VCID-7zgg-tvu3-r7gt
4
vulnerability VCID-9rpp-9xss-duf6
5
vulnerability VCID-arac-j5h5-zkcu
6
vulnerability VCID-azu5-jcmd-3ufx
7
vulnerability VCID-c5sc-7qnn-mkb9
8
vulnerability VCID-d58r-22kr-9bct
9
vulnerability VCID-fpg2-nhey-rkcc
10
vulnerability VCID-gtzk-m9rm-57hw
11
vulnerability VCID-npag-sz7d-v7b6
12
vulnerability VCID-s971-gkdg-jkhc
13
vulnerability VCID-skxv-7he3-xqgc
14
vulnerability VCID-w732-52bx-2qf8
15
vulnerability VCID-wt7k-s1yd-nke6
16
vulnerability VCID-xkah-9nv9-wufd
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.4.1
aliases CVE-2022-44571, GHSA-93pm-5p5f-3ghx, GMS-2023-65
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vkrw-y1j6-6fe7
13
url VCID-xkah-9nv9-wufd
vulnerability_id VCID-xkah-9nv9-wufd
summary 
Possible Denial of Service Vulnerability in Rack’s header parsing
There is a denial of service vulnerability in the header parsing component of Rack. Carefully crafted input can cause header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse headers using Rack (virtually all Rails applications) are impacted. Workarounds Setting `Regexp.timeout` in Ruby 3.2 is a possible workaround.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-27539.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-27539.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-27539
reference_id
reference_type
scores
0
value 0.00328
scoring_system epss
scoring_elements 0.55793
published_at 2026-04-02T12:55:00Z
1
value 0.00328
scoring_system epss
scoring_elements 0.55815
published_at 2026-04-04T12:55:00Z
2
value 0.00335
scoring_system epss
scoring_elements 0.56377
published_at 2026-04-21T12:55:00Z
3
value 0.00335
scoring_system epss
scoring_elements 0.56407
published_at 2026-04-18T12:55:00Z
4
value 0.00335
scoring_system epss
scoring_elements 0.56416
published_at 2026-04-11T12:55:00Z
5
value 0.00335
scoring_system epss
scoring_elements 0.56406
published_at 2026-04-16T12:55:00Z
6
value 0.00335
scoring_system epss
scoring_elements 0.56374
published_at 2026-04-13T12:55:00Z
7
value 0.00335
scoring_system epss
scoring_elements 0.56392
published_at 2026-04-12T12:55:00Z
8
value 0.00335
scoring_system epss
scoring_elements 0.56326
published_at 2026-04-26T12:55:00Z
9
value 0.00335
scoring_system epss
scoring_elements 0.56306
published_at 2026-04-24T12:55:00Z
10
value 0.00364
scoring_system epss
scoring_elements 0.58428
published_at 2026-04-07T12:55:00Z
11
value 0.00364
scoring_system epss
scoring_elements 0.58487
published_at 2026-04-09T12:55:00Z
12
value 0.00364
scoring_system epss
scoring_elements 0.58481
published_at 2026-04-08T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-27539
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122
3
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123
4
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570
5
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571
6
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572
7
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530
8
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539
9
reference_url https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/
url https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466
10
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
11
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
12
reference_url https://github.com/rack/rack/commit/231ef369ad0b542575fb36c74fcfcfabcf6c530c
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/
url https://github.com/rack/rack/commit/231ef369ad0b542575fb36c74fcfcfabcf6c530c
13
reference_url https://github.com/rack/rack/commit/ee7919ea04303717858be1c3f16b406adc6d8cff
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/
url https://github.com/rack/rack/commit/ee7919ea04303717858be1c3f16b406adc6d8cff
14
reference_url https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/
url https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html
15
reference_url https://security.netapp.com/advisory/ntap-20231208-0016
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20231208-0016
16
reference_url https://www.debian.org/security/2023/dsa-5530
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/
url https://www.debian.org/security/2023/dsa-5530
17
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033264
reference_id 1033264
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033264
18
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2179649
reference_id 2179649
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2179649
19
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-27539
reference_id CVE-2023-27539
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-27539
20
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2023-27539.yml
reference_id CVE-2023-27539.YML
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2023-27539.yml
21
reference_url https://github.com/advisories/GHSA-c6qg-cjj8-47qp
reference_id GHSA-c6qg-cjj8-47qp
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/
url https://github.com/advisories/GHSA-c6qg-cjj8-47qp
22
reference_url https://security.netapp.com/advisory/ntap-20231208-0016/
reference_id ntap-20231208-0016
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/
url https://security.netapp.com/advisory/ntap-20231208-0016/
23
reference_url https://access.redhat.com/errata/RHSA-2023:1953
reference_id RHSA-2023:1953
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:1953
24
reference_url https://access.redhat.com/errata/RHSA-2023:1961
reference_id RHSA-2023:1961
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:1961
25
reference_url https://access.redhat.com/errata/RHSA-2023:1981
reference_id RHSA-2023:1981
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:1981
26
reference_url https://access.redhat.com/errata/RHSA-2023:2652
reference_id RHSA-2023:2652
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:2652
27
reference_url https://access.redhat.com/errata/RHSA-2023:3082
reference_id RHSA-2023:3082
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:3082
28
reference_url https://access.redhat.com/errata/RHSA-2023:3403
reference_id RHSA-2023:3403
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:3403
29
reference_url https://access.redhat.com/errata/RHSA-2023:3495
reference_id RHSA-2023:3495
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:3495
30
reference_url https://access.redhat.com/errata/RHSA-2023:6818
reference_id RHSA-2023:6818
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:6818
31
reference_url https://usn.ubuntu.com/6689-1/
reference_id USN-6689-1
reference_type
scores
url https://usn.ubuntu.com/6689-1/
32
reference_url https://usn.ubuntu.com/6905-1/
reference_id USN-6905-1
reference_type
scores
url https://usn.ubuntu.com/6905-1/
33
reference_url https://usn.ubuntu.com/7036-1/
reference_id USN-7036-1
reference_type
scores
url https://usn.ubuntu.com/7036-1/
fixed_packages
0
url pkg:gem/rack@3.0.6.1
purl pkg:gem/rack@3.0.6.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-47ja-djzb-2bbw
1
vulnerability VCID-7p12-ejdu-uqgy
2
vulnerability VCID-7wvj-9h3p-23am
3
vulnerability VCID-7zgg-tvu3-r7gt
4
vulnerability VCID-9rpp-9xss-duf6
5
vulnerability VCID-arac-j5h5-zkcu
6
vulnerability VCID-azu5-jcmd-3ufx
7
vulnerability VCID-c5sc-7qnn-mkb9
8
vulnerability VCID-d58r-22kr-9bct
9
vulnerability VCID-gtzk-m9rm-57hw
10
vulnerability VCID-npag-sz7d-v7b6
11
vulnerability VCID-s971-gkdg-jkhc
12
vulnerability VCID-skxv-7he3-xqgc
13
vulnerability VCID-w732-52bx-2qf8
14
vulnerability VCID-wt7k-s1yd-nke6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.6.1
aliases CVE-2023-27539, GHSA-c6qg-cjj8-47qp, GMS-2023-769
risk_score 2.4
exploitability 0.5
weighted_severity 4.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xkah-9nv9-wufd
Fixing_vulnerabilities
Risk_score4.0
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.0.rc1