| 0 |
| url |
VCID-3ycr-9smk-uqdc |
| vulnerability_id |
VCID-3ycr-9smk-uqdc |
| summary |
Potential Denial of Service Vulnerability
Carefully crafted requests can cause a `SystemStackError` and potentially cause a denial of service attack. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2015-3225 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.10456 |
| scoring_system |
epss |
| scoring_elements |
0.93218 |
| published_at |
2026-04-07T12:55:00Z |
|
| 1 |
| value |
0.10456 |
| scoring_system |
epss |
| scoring_elements |
0.93251 |
| published_at |
2026-04-16T12:55:00Z |
|
| 2 |
| value |
0.10456 |
| scoring_system |
epss |
| scoring_elements |
0.93234 |
| published_at |
2026-04-13T12:55:00Z |
|
| 3 |
| value |
0.10456 |
| scoring_system |
epss |
| scoring_elements |
0.93232 |
| published_at |
2026-04-12T12:55:00Z |
|
| 4 |
| value |
0.10456 |
| scoring_system |
epss |
| scoring_elements |
0.93235 |
| published_at |
2026-04-11T12:55:00Z |
|
| 5 |
| value |
0.10456 |
| scoring_system |
epss |
| scoring_elements |
0.93231 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.10456 |
| scoring_system |
epss |
| scoring_elements |
0.93227 |
| published_at |
2026-04-08T12:55:00Z |
|
| 7 |
| value |
0.10456 |
| scoring_system |
epss |
| scoring_elements |
0.93207 |
| published_at |
2026-04-01T12:55:00Z |
|
| 8 |
| value |
0.10456 |
| scoring_system |
epss |
| scoring_elements |
0.93216 |
| published_at |
2026-04-02T12:55:00Z |
|
| 9 |
| value |
0.10456 |
| scoring_system |
epss |
| scoring_elements |
0.9322 |
| published_at |
2026-04-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2015-3225 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@1.5.4 |
| purl |
pkg:gem/rack@1.5.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 2 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 3 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 4 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 5 |
| vulnerability |
VCID-8zkw-y3yd-yuft |
|
| 6 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 7 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 8 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 9 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 10 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 11 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 12 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 13 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 14 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 15 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 16 |
| vulnerability |
VCID-qt1u-2p37-xfet |
|
| 17 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 18 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 19 |
| vulnerability |
VCID-udc4-7jnt-y3fu |
|
| 20 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 21 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 22 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 23 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 24 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
| 25 |
| vulnerability |
VCID-xnz5-gv2x-17bk |
|
| 26 |
| vulnerability |
VCID-yw62-qbkq-9ygq |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@1.5.4 |
|
| 1 |
| url |
pkg:gem/rack@1.6.0.beta |
| purl |
pkg:gem/rack@1.6.0.beta |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3ycr-9smk-uqdc |
|
| 1 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 2 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 3 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 4 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 5 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 6 |
| vulnerability |
VCID-8zkw-y3yd-yuft |
|
| 7 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 8 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 9 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 10 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 11 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 12 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 13 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 14 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 15 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 16 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 17 |
| vulnerability |
VCID-qt1u-2p37-xfet |
|
| 18 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 19 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 20 |
| vulnerability |
VCID-udc4-7jnt-y3fu |
|
| 21 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 22 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 23 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 24 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 25 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
| 26 |
| vulnerability |
VCID-xnz5-gv2x-17bk |
|
| 27 |
| vulnerability |
VCID-yw62-qbkq-9ygq |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@1.6.0.beta |
|
| 2 |
| url |
pkg:gem/rack@1.6.2 |
| purl |
pkg:gem/rack@1.6.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 2 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 3 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 4 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 5 |
| vulnerability |
VCID-8zkw-y3yd-yuft |
|
| 6 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 7 |
| vulnerability |
VCID-9xy8-h3y1-mubv |
|
| 8 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 9 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 10 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 11 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 12 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 13 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 14 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 15 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 16 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 17 |
| vulnerability |
VCID-qt1u-2p37-xfet |
|
| 18 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 19 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 20 |
| vulnerability |
VCID-udc4-7jnt-y3fu |
|
| 21 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 22 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 23 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 24 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 25 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
| 26 |
| vulnerability |
VCID-xnz5-gv2x-17bk |
|
| 27 |
| vulnerability |
VCID-yw62-qbkq-9ygq |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@1.6.2 |
|
|
| aliases |
CVE-2015-3225, GHSA-rgr4-9jh5-j4j6
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3ycr-9smk-uqdc |
|
| 1 |
| url |
VCID-47ja-djzb-2bbw |
| vulnerability_id |
VCID-47ja-djzb-2bbw |
| summary |
Rack has an Unbounded-Parameter DoS in Rack::QueryParser
## Summary
`Rack::QueryParser` parses query strings and `application/x-www-form-urlencoded` bodies into Ruby data structures without imposing any limit on the number of parameters, allowing attackers to send requests with extremely large numbers of parameters.
## Details
The vulnerability arises because `Rack::QueryParser` iterates over each `&`-separated key-value pair and adds it to a Hash without enforcing an upper bound on the total number of parameters. This allows an attacker to send a single request containing hundreds of thousands (or more) of parameters, which consumes excessive memory and CPU during parsing.
## Impact
An attacker can trigger denial of service by sending specifically crafted HTTP requests, which can cause memory exhaustion or pin CPU resources, stalling or crashing the Rack server. This results in full service disruption until the affected worker is restarted.
## Mitigation
- Update to a version of Rack that limits the number of parameters parsed, or
- Use middleware to enforce a maximum query string size or parameter count, or
- Employ a reverse proxy (such as Nginx) to limit request sizes and reject oversized query strings or bodies.
Limiting request body sizes and query string lengths at the web server or CDN level is an effective mitigation. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-46727 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00808 |
| scoring_system |
epss |
| scoring_elements |
0.74202 |
| published_at |
2026-04-13T12:55:00Z |
|
| 1 |
| value |
0.00808 |
| scoring_system |
epss |
| scoring_elements |
0.74209 |
| published_at |
2026-04-12T12:55:00Z |
|
| 2 |
| value |
0.00808 |
| scoring_system |
epss |
| scoring_elements |
0.74227 |
| published_at |
2026-04-11T12:55:00Z |
|
| 3 |
| value |
0.00808 |
| scoring_system |
epss |
| scoring_elements |
0.74205 |
| published_at |
2026-04-09T12:55:00Z |
|
| 4 |
| value |
0.00808 |
| scoring_system |
epss |
| scoring_elements |
0.7419 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00808 |
| scoring_system |
epss |
| scoring_elements |
0.74157 |
| published_at |
2026-04-07T12:55:00Z |
|
| 6 |
| value |
0.00808 |
| scoring_system |
epss |
| scoring_elements |
0.74185 |
| published_at |
2026-04-04T12:55:00Z |
|
| 7 |
| value |
0.00808 |
| scoring_system |
epss |
| scoring_elements |
0.74158 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-46727 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-46727, GHSA-gjh7-p2fx-99vx
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-47ja-djzb-2bbw |
|
| 2 |
| url |
VCID-6c1k-vgv4-93ad |
| vulnerability_id |
VCID-6c1k-vgv4-93ad |
| summary |
Duplicate
This advisory duplicates another. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-44570 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.03289 |
| scoring_system |
epss |
| scoring_elements |
0.87155 |
| published_at |
2026-04-02T12:55:00Z |
|
| 1 |
| value |
0.03289 |
| scoring_system |
epss |
| scoring_elements |
0.87172 |
| published_at |
2026-04-04T12:55:00Z |
|
| 2 |
| value |
0.03355 |
| scoring_system |
epss |
| scoring_elements |
0.87342 |
| published_at |
2026-04-11T12:55:00Z |
|
| 3 |
| value |
0.03355 |
| scoring_system |
epss |
| scoring_elements |
0.87332 |
| published_at |
2026-04-13T12:55:00Z |
|
| 4 |
| value |
0.03355 |
| scoring_system |
epss |
| scoring_elements |
0.87336 |
| published_at |
2026-04-12T12:55:00Z |
|
| 5 |
| value |
0.03631 |
| scoring_system |
epss |
| scoring_elements |
0.87829 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.03631 |
| scoring_system |
epss |
| scoring_elements |
0.87822 |
| published_at |
2026-04-08T12:55:00Z |
|
| 7 |
| value |
0.03631 |
| scoring_system |
epss |
| scoring_elements |
0.87801 |
| published_at |
2026-04-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-44570 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@2.0.9.2 |
| purl |
pkg:gem/rack@2.0.9.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 4 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 5 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 6 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 7 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 8 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 9 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 10 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 11 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 12 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 13 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 14 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 15 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 16 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 17 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 18 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 19 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 20 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.0.9.2 |
|
| 1 |
| url |
pkg:gem/rack@2.1.4.2 |
| purl |
pkg:gem/rack@2.1.4.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 4 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 5 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 6 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 7 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 8 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 9 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 10 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 11 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 12 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 13 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 14 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 15 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 16 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 17 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 18 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 19 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 20 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.1.4.2 |
|
| 2 |
| url |
pkg:gem/rack@2.2.6.2 |
| purl |
pkg:gem/rack@2.2.6.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 4 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 5 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 6 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 7 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 8 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 9 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 10 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 11 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 12 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 13 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 14 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 15 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 16 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 17 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 18 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 19 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 20 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.6.2 |
|
| 3 |
| url |
pkg:gem/rack@3.0.4.1 |
| purl |
pkg:gem/rack@3.0.4.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 4 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 5 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 6 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 7 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 8 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 9 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 10 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 11 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 12 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 13 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 14 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 15 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 16 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.4.1 |
|
|
| aliases |
CVE-2022-44570, GHSA-65f5-mfpf-vfhj, GMS-2023-64
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-6c1k-vgv4-93ad |
|
| 3 |
| url |
VCID-7p12-ejdu-uqgy |
| vulnerability_id |
VCID-7p12-ejdu-uqgy |
| summary |
Escape Sequence Injection vulnerability in Rack lead to Possible Log Injection
## Summary
`Rack::Sendfile` can be exploited by crafting input that includes newline characters to manipulate log entries.
## Details
The `Rack::Sendfile` middleware logs unsanitized header values from the `X-Sendfile-Type` header. An attacker can exploit this by injecting escape sequences (such as newline characters) into the header, resulting in log injection.
## Impact
This vulnerability can distort log files, obscure attack traces, and complicate security auditing.
## Mitigation
- Update to the latest version of Rack, or
- Remove usage of `Rack::Sendfile`. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-27111 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00429 |
| scoring_system |
epss |
| scoring_elements |
0.62516 |
| published_at |
2026-04-11T12:55:00Z |
|
| 1 |
| value |
0.00429 |
| scoring_system |
epss |
| scoring_elements |
0.62496 |
| published_at |
2026-04-09T12:55:00Z |
|
| 2 |
| value |
0.00429 |
| scoring_system |
epss |
| scoring_elements |
0.6248 |
| published_at |
2026-04-08T12:55:00Z |
|
| 3 |
| value |
0.00429 |
| scoring_system |
epss |
| scoring_elements |
0.62429 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00429 |
| scoring_system |
epss |
| scoring_elements |
0.62462 |
| published_at |
2026-04-04T12:55:00Z |
|
| 5 |
| value |
0.00429 |
| scoring_system |
epss |
| scoring_elements |
0.62431 |
| published_at |
2026-04-02T12:55:00Z |
|
| 6 |
| value |
0.00575 |
| scoring_system |
epss |
| scoring_elements |
0.68747 |
| published_at |
2026-04-13T12:55:00Z |
|
| 7 |
| value |
0.00604 |
| scoring_system |
epss |
| scoring_elements |
0.6959 |
| published_at |
2026-04-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-27111 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://github.com/rack/rack |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 1 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/rack/rack |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
| reference_url |
https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-04T15:44:28Z/ |
|
|
| url |
https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@2.2.12 |
| purl |
pkg:gem/rack@2.2.12 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 2 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 3 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 4 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 5 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 6 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 7 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 8 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 9 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 10 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 11 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.12 |
|
| 1 |
| url |
pkg:gem/rack@3.0.0.beta1 |
| purl |
pkg:gem/rack@3.0.0.beta1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1j61-5e8x-7fbd |
|
| 1 |
| vulnerability |
VCID-2p73-rc9t-rudb |
|
| 2 |
| vulnerability |
VCID-2qba-a6bp-ryak |
|
| 3 |
| vulnerability |
VCID-5twm-pqc2-xyfn |
|
| 4 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 5 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 6 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 7 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 8 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 9 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 10 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 11 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 12 |
| vulnerability |
VCID-dh75-6jyw-1ke2 |
|
| 13 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 14 |
| vulnerability |
VCID-j34j-bgfd-8fez |
|
| 15 |
| vulnerability |
VCID-jg77-mm5c-gydu |
|
| 16 |
| vulnerability |
VCID-m98a-mcyb-c7fm |
|
| 17 |
| vulnerability |
VCID-metf-cghw-p3b5 |
|
| 18 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 19 |
| vulnerability |
VCID-p3dk-p1gb-kkem |
|
| 20 |
| vulnerability |
VCID-pbu7-4hdm-s3a6 |
|
| 21 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 22 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 23 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 24 |
| vulnerability |
VCID-wvs1-dhwp-ebat |
|
| 25 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.0.beta1 |
|
| 2 |
| url |
pkg:gem/rack@3.0.13 |
| purl |
pkg:gem/rack@3.0.13 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 2 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 3 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 4 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 5 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 6 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 7 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 8 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 9 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.13 |
|
| 3 |
| url |
pkg:gem/rack@3.1.11 |
| purl |
pkg:gem/rack@3.1.11 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 2 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 3 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 4 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 5 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 6 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 7 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 8 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 9 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.11 |
|
|
| aliases |
CVE-2025-27111, GHSA-8cgq-6mh2-7j6v
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7p12-ejdu-uqgy |
|
| 4 |
| url |
VCID-7wvj-9h3p-23am |
| vulnerability_id |
VCID-7wvj-9h3p-23am |
| summary |
ReDoS Vulnerability in Rack::Multipart handle_mime_head
### Summary
There is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This is very similar to the previous security issue CVE-2022-44571.
### Details
Carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is used typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.
### Credits
Thanks to [scyoon](https://hackerone.com/scyoon) for reporting this to the Rails security team |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-49007 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00569 |
| scoring_system |
epss |
| scoring_elements |
0.6856 |
| published_at |
2026-04-13T12:55:00Z |
|
| 1 |
| value |
0.00569 |
| scoring_system |
epss |
| scoring_elements |
0.6859 |
| published_at |
2026-04-12T12:55:00Z |
|
| 2 |
| value |
0.00569 |
| scoring_system |
epss |
| scoring_elements |
0.68602 |
| published_at |
2026-04-11T12:55:00Z |
|
| 3 |
| value |
0.00569 |
| scoring_system |
epss |
| scoring_elements |
0.68576 |
| published_at |
2026-04-09T12:55:00Z |
|
| 4 |
| value |
0.00569 |
| scoring_system |
epss |
| scoring_elements |
0.68558 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00569 |
| scoring_system |
epss |
| scoring_elements |
0.68507 |
| published_at |
2026-04-07T12:55:00Z |
|
| 6 |
| value |
0.00569 |
| scoring_system |
epss |
| scoring_elements |
0.68528 |
| published_at |
2026-04-04T12:55:00Z |
|
| 7 |
| value |
0.00569 |
| scoring_system |
epss |
| scoring_elements |
0.6851 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-49007 |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/rack/rack |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U |
|
| 1 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/rack/rack |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-49007, GHSA-47m2-26rw-j2jw
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7wvj-9h3p-23am |
|
| 5 |
| url |
VCID-7zgg-tvu3-r7gt |
| vulnerability_id |
VCID-7zgg-tvu3-r7gt |
| summary |
Rack vulnerable to ReDoS in content type parsing (2nd degree polynomial)
### Summary
```ruby
module Rack
class MediaType
SPLIT_PATTERN = %r{\s*[;,]\s*}
```
The above regexp is subject to ReDos. 50K blank characters as a prefix to the header will take over 10s to split.
### PoC
A simple HTTP request with lots of blank characters in the content-type header:
```ruby
request["Content-Type"] = (" " * 50_000) + "a,"
```
### Impact
It's a very easy to craft ReDoS. Like all ReDoS the impact is debatable. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-25126 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00371 |
| scoring_system |
epss |
| scoring_elements |
0.58895 |
| published_at |
2026-04-13T12:55:00Z |
|
| 1 |
| value |
0.00371 |
| scoring_system |
epss |
| scoring_elements |
0.58915 |
| published_at |
2026-04-12T12:55:00Z |
|
| 2 |
| value |
0.00371 |
| scoring_system |
epss |
| scoring_elements |
0.58932 |
| published_at |
2026-04-11T12:55:00Z |
|
| 3 |
| value |
0.0045 |
| scoring_system |
epss |
| scoring_elements |
0.63689 |
| published_at |
2026-04-09T12:55:00Z |
|
| 4 |
| value |
0.0045 |
| scoring_system |
epss |
| scoring_elements |
0.63673 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.0045 |
| scoring_system |
epss |
| scoring_elements |
0.63621 |
| published_at |
2026-04-07T12:55:00Z |
|
| 6 |
| value |
0.00463 |
| scoring_system |
epss |
| scoring_elements |
0.64281 |
| published_at |
2026-04-04T12:55:00Z |
|
| 7 |
| value |
0.00463 |
| scoring_system |
epss |
| scoring_elements |
0.64253 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-25126 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@2.2.8.1 |
| purl |
pkg:gem/rack@2.2.8.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 4 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 5 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 6 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 7 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 8 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 9 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 10 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 11 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 12 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 13 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.8.1 |
|
| 1 |
| url |
pkg:gem/rack@3.0.9.1 |
| purl |
pkg:gem/rack@3.0.9.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 4 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 5 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 6 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 7 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 8 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 9 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 10 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 11 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.9.1 |
|
|
| aliases |
CVE-2024-25126, GHSA-22f2-v57c-j9cx
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7zgg-tvu3-r7gt |
|
| 6 |
| url |
VCID-8zkw-y3yd-yuft |
| vulnerability_id |
VCID-8zkw-y3yd-yuft |
| summary |
Directory traversal in Rack::Directory app bundled with Rack
A directory traversal vulnerability exists in rack < 2.2.0 that allows an attacker perform directory traversal vulnerability in the Rack::Directory app that is bundled with Rack which could result in information disclosure. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-8161 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00907 |
| scoring_system |
epss |
| scoring_elements |
0.75797 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00907 |
| scoring_system |
epss |
| scoring_elements |
0.75759 |
| published_at |
2026-04-13T12:55:00Z |
|
| 2 |
| value |
0.00907 |
| scoring_system |
epss |
| scoring_elements |
0.75765 |
| published_at |
2026-04-12T12:55:00Z |
|
| 3 |
| value |
0.00907 |
| scoring_system |
epss |
| scoring_elements |
0.75784 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.00907 |
| scoring_system |
epss |
| scoring_elements |
0.7576 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00907 |
| scoring_system |
epss |
| scoring_elements |
0.75749 |
| published_at |
2026-04-08T12:55:00Z |
|
| 6 |
| value |
0.00907 |
| scoring_system |
epss |
| scoring_elements |
0.75735 |
| published_at |
2026-04-04T12:55:00Z |
|
| 7 |
| value |
0.00907 |
| scoring_system |
epss |
| scoring_elements |
0.75705 |
| published_at |
2026-04-02T12:55:00Z |
|
| 8 |
| value |
0.00907 |
| scoring_system |
epss |
| scoring_elements |
0.75703 |
| published_at |
2026-04-01T12:55:00Z |
|
| 9 |
| value |
0.00907 |
| scoring_system |
epss |
| scoring_elements |
0.75715 |
| published_at |
2026-04-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-8161 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@2.1.3 |
| purl |
pkg:gem/rack@2.1.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 2 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 3 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 4 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 5 |
| vulnerability |
VCID-8zkw-y3yd-yuft |
|
| 6 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 7 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 8 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 9 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 10 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 11 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 12 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 13 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 14 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 15 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 16 |
| vulnerability |
VCID-qt1u-2p37-xfet |
|
| 17 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 18 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 19 |
| vulnerability |
VCID-udc4-7jnt-y3fu |
|
| 20 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 21 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 22 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 23 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 24 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
| 25 |
| vulnerability |
VCID-xnz5-gv2x-17bk |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.1.3 |
|
| 1 |
| url |
pkg:gem/rack@2.2.0 |
| purl |
pkg:gem/rack@2.2.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 2 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 3 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 4 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 5 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 6 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 7 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 8 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 9 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 10 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 11 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 12 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 13 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 14 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 15 |
| vulnerability |
VCID-qt1u-2p37-xfet |
|
| 16 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 17 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 18 |
| vulnerability |
VCID-udc4-7jnt-y3fu |
|
| 19 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 20 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 21 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 22 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 23 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
| 24 |
| vulnerability |
VCID-xnz5-gv2x-17bk |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.0 |
|
|
| aliases |
CVE-2020-8161, GHSA-5f9h-9pjv-v6j7
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8zkw-y3yd-yuft |
|
| 7 |
| url |
VCID-9rpp-9xss-duf6 |
| vulnerability_id |
VCID-9rpp-9xss-duf6 |
| summary |
Rack has a Directory Traversal via Rack:Directory
## Summary
`Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root.
## Details
In `directory.rb`, `File.expand_path(File.join(root, path_info)).start_with?(root)` does not enforce a path boundary. If the server root is `/var/www/root`, a path like `/var/www/root_backup` passes the check because it shares the same prefix, so `Rack::Directory` will list that directory also.
## Impact
Information disclosure via directory listing outside the configured root when `Rack::Directory` is exposed to untrusted clients and a directory shares the root prefix (e.g., `public2`, `www_backup`).
## Mitigation
* Update to a patched version of Rack that correctly checks the root prefix.
* Don't name directories with the same prefix as one which is exposed via `Rack::Directory`. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-22860 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.001 |
| scoring_system |
epss |
| scoring_elements |
0.27712 |
| published_at |
2026-04-13T12:55:00Z |
|
| 1 |
| value |
0.001 |
| scoring_system |
epss |
| scoring_elements |
0.27769 |
| published_at |
2026-04-12T12:55:00Z |
|
| 2 |
| value |
0.001 |
| scoring_system |
epss |
| scoring_elements |
0.27811 |
| published_at |
2026-04-11T12:55:00Z |
|
| 3 |
| value |
0.001 |
| scoring_system |
epss |
| scoring_elements |
0.27903 |
| published_at |
2026-04-04T12:55:00Z |
|
| 4 |
| value |
0.001 |
| scoring_system |
epss |
| scoring_elements |
0.27805 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.001 |
| scoring_system |
epss |
| scoring_elements |
0.27762 |
| published_at |
2026-04-08T12:55:00Z |
|
| 6 |
| value |
0.001 |
| scoring_system |
epss |
| scoring_elements |
0.27695 |
| published_at |
2026-04-07T12:55:00Z |
|
| 7 |
| value |
0.001 |
| scoring_system |
epss |
| scoring_elements |
0.27862 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-22860 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-22860, GHSA-mxw3-3hh2-x2mh
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9rpp-9xss-duf6 |
|
| 8 |
| url |
VCID-arac-j5h5-zkcu |
| vulnerability_id |
VCID-arac-j5h5-zkcu |
| summary |
Rack has possible DoS Vulnerability with Range Header
# Possible DoS Vulnerability with Range Header in Rack
There is a possible DoS vulnerability relating to the Range request header in
Rack. This vulnerability has been assigned the CVE identifier CVE-2024-26141.
Versions Affected: >= 1.3.0.
Not affected: < 1.3.0
Fixed Versions: 3.0.9.1, 2.2.8.1
Impact
------
Carefully crafted Range headers can cause a server to respond with an
unexpectedly large response. Responding with such large responses could lead
to a denial of service issue.
Vulnerable applications will use the `Rack::File` middleware or the
`Rack::Utils.byte_ranges` methods (this includes Rails applications).
Releases
--------
The fixed releases are available at the normal locations.
Workarounds
-----------
There are no feasible workarounds for this issue.
Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.
* 3-0-range.patch - Patch for 3.0 series
* 2-2-range.patch - Patch for 2.2 series
Credits
-------
Thank you [ooooooo_q](https://hackerone.com/ooooooo_q) for the report and
patch |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-26141 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00378 |
| scoring_system |
epss |
| scoring_elements |
0.59316 |
| published_at |
2026-04-13T12:55:00Z |
|
| 1 |
| value |
0.00378 |
| scoring_system |
epss |
| scoring_elements |
0.59334 |
| published_at |
2026-04-12T12:55:00Z |
|
| 2 |
| value |
0.00378 |
| scoring_system |
epss |
| scoring_elements |
0.5935 |
| published_at |
2026-04-11T12:55:00Z |
|
| 3 |
| value |
0.00399 |
| scoring_system |
epss |
| scoring_elements |
0.60657 |
| published_at |
2026-04-09T12:55:00Z |
|
| 4 |
| value |
0.00399 |
| scoring_system |
epss |
| scoring_elements |
0.60642 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00399 |
| scoring_system |
epss |
| scoring_elements |
0.60593 |
| published_at |
2026-04-07T12:55:00Z |
|
| 6 |
| value |
0.0041 |
| scoring_system |
epss |
| scoring_elements |
0.61325 |
| published_at |
2026-04-04T12:55:00Z |
|
| 7 |
| value |
0.0041 |
| scoring_system |
epss |
| scoring_elements |
0.61296 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-26141 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@2.2.8.1 |
| purl |
pkg:gem/rack@2.2.8.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 4 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 5 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 6 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 7 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 8 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 9 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 10 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 11 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 12 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 13 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.8.1 |
|
| 1 |
| url |
pkg:gem/rack@3.0.9.1 |
| purl |
pkg:gem/rack@3.0.9.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 4 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 5 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 6 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 7 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 8 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 9 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 10 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 11 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.9.1 |
|
|
| aliases |
CVE-2024-26141, GHSA-xj5v-6v4g-jfw6
|
| risk_score |
2.6 |
| exploitability |
0.5 |
| weighted_severity |
5.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-arac-j5h5-zkcu |
|
| 9 |
| url |
VCID-azu5-jcmd-3ufx |
| vulnerability_id |
VCID-azu5-jcmd-3ufx |
| summary |
Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
`Rack::Multipart::Parser` can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line (`CRLFCRLF`). The parser keeps appending incoming bytes to memory without a size cap, allowing a remote attacker to exhaust memory and cause a denial of service (DoS). |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-61772 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00193 |
| scoring_system |
epss |
| scoring_elements |
0.41238 |
| published_at |
2026-04-13T12:55:00Z |
|
| 1 |
| value |
0.00193 |
| scoring_system |
epss |
| scoring_elements |
0.41251 |
| published_at |
2026-04-12T12:55:00Z |
|
| 2 |
| value |
0.00193 |
| scoring_system |
epss |
| scoring_elements |
0.41283 |
| published_at |
2026-04-11T12:55:00Z |
|
| 3 |
| value |
0.00193 |
| scoring_system |
epss |
| scoring_elements |
0.41261 |
| published_at |
2026-04-09T12:55:00Z |
|
| 4 |
| value |
0.00193 |
| scoring_system |
epss |
| scoring_elements |
0.41253 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00193 |
| scoring_system |
epss |
| scoring_elements |
0.41203 |
| published_at |
2026-04-07T12:55:00Z |
|
| 6 |
| value |
0.00193 |
| scoring_system |
epss |
| scoring_elements |
0.41278 |
| published_at |
2026-04-04T12:55:00Z |
|
| 7 |
| value |
0.00193 |
| scoring_system |
epss |
| scoring_elements |
0.41249 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-61772 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:gem/rack@3.0.0.beta1 |
| purl |
pkg:gem/rack@3.0.0.beta1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1j61-5e8x-7fbd |
|
| 1 |
| vulnerability |
VCID-2p73-rc9t-rudb |
|
| 2 |
| vulnerability |
VCID-2qba-a6bp-ryak |
|
| 3 |
| vulnerability |
VCID-5twm-pqc2-xyfn |
|
| 4 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 5 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 6 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 7 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 8 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 9 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 10 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 11 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 12 |
| vulnerability |
VCID-dh75-6jyw-1ke2 |
|
| 13 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 14 |
| vulnerability |
VCID-j34j-bgfd-8fez |
|
| 15 |
| vulnerability |
VCID-jg77-mm5c-gydu |
|
| 16 |
| vulnerability |
VCID-m98a-mcyb-c7fm |
|
| 17 |
| vulnerability |
VCID-metf-cghw-p3b5 |
|
| 18 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 19 |
| vulnerability |
VCID-p3dk-p1gb-kkem |
|
| 20 |
| vulnerability |
VCID-pbu7-4hdm-s3a6 |
|
| 21 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 22 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 23 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 24 |
| vulnerability |
VCID-wvs1-dhwp-ebat |
|
| 25 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.0.beta1 |
|
| 2 |
|
| 3 |
|
|
| aliases |
CVE-2025-61772, GHSA-wpv5-97wm-hp9c
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-azu5-jcmd-3ufx |
|
| 10 |
| url |
VCID-c21j-snf1-d3cb |
| vulnerability_id |
VCID-c21j-snf1-d3cb |
| summary |
Duplicate
This advisory duplicates another. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-44572 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00262 |
| scoring_system |
epss |
| scoring_elements |
0.4954 |
| published_at |
2026-04-04T12:55:00Z |
|
| 1 |
| value |
0.00262 |
| scoring_system |
epss |
| scoring_elements |
0.49513 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00275 |
| scoring_system |
epss |
| scoring_elements |
0.50948 |
| published_at |
2026-04-13T12:55:00Z |
|
| 3 |
| value |
0.00275 |
| scoring_system |
epss |
| scoring_elements |
0.50986 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.00275 |
| scoring_system |
epss |
| scoring_elements |
0.50964 |
| published_at |
2026-04-12T12:55:00Z |
|
| 5 |
| value |
0.00298 |
| scoring_system |
epss |
| scoring_elements |
0.53138 |
| published_at |
2026-04-07T12:55:00Z |
|
| 6 |
| value |
0.00298 |
| scoring_system |
epss |
| scoring_elements |
0.53184 |
| published_at |
2026-04-09T12:55:00Z |
|
| 7 |
| value |
0.00298 |
| scoring_system |
epss |
| scoring_elements |
0.53192 |
| published_at |
2026-04-08T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-44572 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@2.0.9.2 |
| purl |
pkg:gem/rack@2.0.9.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 4 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 5 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 6 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 7 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 8 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 9 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 10 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 11 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 12 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 13 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 14 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 15 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 16 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 17 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 18 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 19 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 20 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.0.9.2 |
|
| 1 |
| url |
pkg:gem/rack@2.1.4.2 |
| purl |
pkg:gem/rack@2.1.4.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 4 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 5 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 6 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 7 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 8 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 9 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 10 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 11 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 12 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 13 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 14 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 15 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 16 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 17 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 18 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 19 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 20 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.1.4.2 |
|
| 2 |
| url |
pkg:gem/rack@2.2.5 |
| purl |
pkg:gem/rack@2.2.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 2 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 3 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 4 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 5 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 6 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 7 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 8 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 9 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 10 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 11 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 12 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 13 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 14 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 15 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 16 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 17 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 18 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 19 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 20 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 21 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.5 |
|
| 3 |
| url |
pkg:gem/rack@2.2.6.1 |
| purl |
pkg:gem/rack@2.2.6.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 2 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 3 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 4 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 5 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 6 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 7 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 8 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 9 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 10 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 11 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 12 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 13 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 14 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 15 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 16 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 17 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 18 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 19 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 20 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 21 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.6.1 |
|
| 4 |
| url |
pkg:gem/rack@3.0.4.1 |
| purl |
pkg:gem/rack@3.0.4.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 4 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 5 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 6 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 7 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 8 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 9 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 10 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 11 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 12 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 13 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 14 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 15 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 16 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.4.1 |
|
|
| aliases |
CVE-2022-44572, GHSA-rqv2-275x-2jq5, GMS-2023-66
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-c21j-snf1-d3cb |
|
| 11 |
| url |
VCID-c5sc-7qnn-mkb9 |
| vulnerability_id |
VCID-c5sc-7qnn-mkb9 |
| summary |
Rack: Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
`Rack::Multipart::Parser` stores non-file form fields (parts without a `filename`) entirely in memory as Ruby `String` objects. A single large text field in a multipart/form-data request (hundreds of megabytes or more) can consume equivalent process memory, potentially leading to out-of-memory (OOM) conditions and denial of service (DoS). |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-61771 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00098 |
| scoring_system |
epss |
| scoring_elements |
0.2699 |
| published_at |
2026-04-13T12:55:00Z |
|
| 1 |
| value |
0.00098 |
| scoring_system |
epss |
| scoring_elements |
0.27047 |
| published_at |
2026-04-12T12:55:00Z |
|
| 2 |
| value |
0.00098 |
| scoring_system |
epss |
| scoring_elements |
0.27091 |
| published_at |
2026-04-11T12:55:00Z |
|
| 3 |
| value |
0.00098 |
| scoring_system |
epss |
| scoring_elements |
0.27087 |
| published_at |
2026-04-09T12:55:00Z |
|
| 4 |
| value |
0.00098 |
| scoring_system |
epss |
| scoring_elements |
0.27042 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00098 |
| scoring_system |
epss |
| scoring_elements |
0.26973 |
| published_at |
2026-04-07T12:55:00Z |
|
| 6 |
| value |
0.00098 |
| scoring_system |
epss |
| scoring_elements |
0.27182 |
| published_at |
2026-04-04T12:55:00Z |
|
| 7 |
| value |
0.00098 |
| scoring_system |
epss |
| scoring_elements |
0.27146 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-61771 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:gem/rack@3.0.0.beta1 |
| purl |
pkg:gem/rack@3.0.0.beta1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1j61-5e8x-7fbd |
|
| 1 |
| vulnerability |
VCID-2p73-rc9t-rudb |
|
| 2 |
| vulnerability |
VCID-2qba-a6bp-ryak |
|
| 3 |
| vulnerability |
VCID-5twm-pqc2-xyfn |
|
| 4 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 5 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 6 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 7 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 8 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 9 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 10 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 11 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 12 |
| vulnerability |
VCID-dh75-6jyw-1ke2 |
|
| 13 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 14 |
| vulnerability |
VCID-j34j-bgfd-8fez |
|
| 15 |
| vulnerability |
VCID-jg77-mm5c-gydu |
|
| 16 |
| vulnerability |
VCID-m98a-mcyb-c7fm |
|
| 17 |
| vulnerability |
VCID-metf-cghw-p3b5 |
|
| 18 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 19 |
| vulnerability |
VCID-p3dk-p1gb-kkem |
|
| 20 |
| vulnerability |
VCID-pbu7-4hdm-s3a6 |
|
| 21 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 22 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 23 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 24 |
| vulnerability |
VCID-wvs1-dhwp-ebat |
|
| 25 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.0.beta1 |
|
| 2 |
|
| 3 |
|
|
| aliases |
CVE-2025-61771, GHSA-w9pc-fmgc-vxvw
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-c5sc-7qnn-mkb9 |
|
| 12 |
| url |
VCID-d58r-22kr-9bct |
| vulnerability_id |
VCID-d58r-22kr-9bct |
| summary |
Rack has a Possible Information Disclosure Vulnerability
A possible information disclosure vulnerability existed in `Rack::Sendfile` when running behind a proxy that supports `x-sendfile` headers (such as Nginx). Specially crafted headers could cause `Rack::Sendfile` to miscommunicate with the proxy and trigger unintended internal requests, potentially bypassing proxy-level access restrictions. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-61780 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00035 |
| scoring_system |
epss |
| scoring_elements |
0.10396 |
| published_at |
2026-04-13T12:55:00Z |
|
| 1 |
| value |
0.00035 |
| scoring_system |
epss |
| scoring_elements |
0.10418 |
| published_at |
2026-04-12T12:55:00Z |
|
| 2 |
| value |
0.00035 |
| scoring_system |
epss |
| scoring_elements |
0.10462 |
| published_at |
2026-04-11T12:55:00Z |
|
| 3 |
| value |
0.00035 |
| scoring_system |
epss |
| scoring_elements |
0.10434 |
| published_at |
2026-04-09T12:55:00Z |
|
| 4 |
| value |
0.00035 |
| scoring_system |
epss |
| scoring_elements |
0.10368 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00035 |
| scoring_system |
epss |
| scoring_elements |
0.10294 |
| published_at |
2026-04-07T12:55:00Z |
|
| 6 |
| value |
0.00035 |
| scoring_system |
epss |
| scoring_elements |
0.10394 |
| published_at |
2026-04-04T12:55:00Z |
|
| 7 |
| value |
0.00035 |
| scoring_system |
epss |
| scoring_elements |
0.10328 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-61780 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:gem/rack@3.0.0.beta1 |
| purl |
pkg:gem/rack@3.0.0.beta1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1j61-5e8x-7fbd |
|
| 1 |
| vulnerability |
VCID-2p73-rc9t-rudb |
|
| 2 |
| vulnerability |
VCID-2qba-a6bp-ryak |
|
| 3 |
| vulnerability |
VCID-5twm-pqc2-xyfn |
|
| 4 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 5 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 6 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 7 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 8 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 9 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 10 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 11 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 12 |
| vulnerability |
VCID-dh75-6jyw-1ke2 |
|
| 13 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 14 |
| vulnerability |
VCID-j34j-bgfd-8fez |
|
| 15 |
| vulnerability |
VCID-jg77-mm5c-gydu |
|
| 16 |
| vulnerability |
VCID-m98a-mcyb-c7fm |
|
| 17 |
| vulnerability |
VCID-metf-cghw-p3b5 |
|
| 18 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 19 |
| vulnerability |
VCID-p3dk-p1gb-kkem |
|
| 20 |
| vulnerability |
VCID-pbu7-4hdm-s3a6 |
|
| 21 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 22 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 23 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 24 |
| vulnerability |
VCID-wvs1-dhwp-ebat |
|
| 25 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.0.beta1 |
|
| 2 |
|
| 3 |
|
|
| aliases |
CVE-2025-61780, GHSA-r657-rxjc-j557
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-d58r-22kr-9bct |
|
| 13 |
| url |
VCID-fpg2-nhey-rkcc |
| vulnerability_id |
VCID-fpg2-nhey-rkcc |
| summary |
Rack has possible DoS Vulnerability in Multipart MIME parsing
There is a possible DoS vulnerability in the Multipart MIME parsing code in Rack. This vulnerability has been assigned the CVE identifier CVE-2023-27530.
Versions Affected: All. Not affected: None Fixed Versions: 3.0.4.2, 2.2.6.3, 2.1.4.3, 2.0.9.3
# Impact
The Multipart MIME parsing code in Rack limits the number of file parts, but does not limit the total number of parts that can be uploaded. Carefully crafted requests can abuse this and cause multipart parsing to take longer than expected.
All users running an affected release should either upgrade or use one of the workarounds immediately.
# Workarounds
A proxy can be configured to limit the POST body size which will mitigate this issue. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-27530 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0209 |
| scoring_system |
epss |
| scoring_elements |
0.83975 |
| published_at |
2026-04-02T12:55:00Z |
|
| 1 |
| value |
0.0209 |
| scoring_system |
epss |
| scoring_elements |
0.8399 |
| published_at |
2026-04-04T12:55:00Z |
|
| 2 |
| value |
0.02133 |
| scoring_system |
epss |
| scoring_elements |
0.84192 |
| published_at |
2026-04-11T12:55:00Z |
|
| 3 |
| value |
0.02133 |
| scoring_system |
epss |
| scoring_elements |
0.84183 |
| published_at |
2026-04-13T12:55:00Z |
|
| 4 |
| value |
0.02133 |
| scoring_system |
epss |
| scoring_elements |
0.84186 |
| published_at |
2026-04-12T12:55:00Z |
|
| 5 |
| value |
0.02311 |
| scoring_system |
epss |
| scoring_elements |
0.84763 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.02311 |
| scoring_system |
epss |
| scoring_elements |
0.84757 |
| published_at |
2026-04-08T12:55:00Z |
|
| 7 |
| value |
0.02311 |
| scoring_system |
epss |
| scoring_elements |
0.84734 |
| published_at |
2026-04-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-27530 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@2.0.9.3 |
| purl |
pkg:gem/rack@2.0.9.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 4 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 5 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 6 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 7 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 8 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 9 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 10 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 11 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 12 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 13 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 14 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 15 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 16 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 17 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.0.9.3 |
|
| 1 |
| url |
pkg:gem/rack@2.1.4.3 |
| purl |
pkg:gem/rack@2.1.4.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 4 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 5 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 6 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 7 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 8 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 9 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 10 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 11 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 12 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 13 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 14 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 15 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 16 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 17 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.1.4.3 |
|
| 2 |
| url |
pkg:gem/rack@2.2.6.3 |
| purl |
pkg:gem/rack@2.2.6.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 4 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 5 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 6 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 7 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 8 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 9 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 10 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 11 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 12 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 13 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 14 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 15 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 16 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 17 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.6.3 |
|
| 3 |
| url |
pkg:gem/rack@3.0.4.2 |
| purl |
pkg:gem/rack@3.0.4.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 4 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 5 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 6 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 7 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 8 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 9 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 10 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 11 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 12 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 13 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 14 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 15 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.4.2 |
|
|
| aliases |
CVE-2023-27530, GHSA-3h57-hmj3-gj3p, GMS-2023-663
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fpg2-nhey-rkcc |
|
| 14 |
| url |
VCID-gdhf-e8q1-kbat |
| vulnerability_id |
VCID-gdhf-e8q1-kbat |
| summary |
Rack has an unsafe default in Rack::QueryParser allows params_limit bypass via semicolon-separated parameters
`Rack::QueryParser` in version `< 2.2.18` enforces its `params_limit` only for parameters separated by `&`, while still splitting on both `&` and `;`. As a result, attackers could use `;` separators to bypass the parameter count limit and submit more parameters than intended. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-59830 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00069 |
| scoring_system |
epss |
| scoring_elements |
0.21203 |
| published_at |
2026-04-13T12:55:00Z |
|
| 1 |
| value |
0.00069 |
| scoring_system |
epss |
| scoring_elements |
0.21337 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00069 |
| scoring_system |
epss |
| scoring_elements |
0.21392 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00069 |
| scoring_system |
epss |
| scoring_elements |
0.21145 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00069 |
| scoring_system |
epss |
| scoring_elements |
0.21225 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00069 |
| scoring_system |
epss |
| scoring_elements |
0.21287 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00069 |
| scoring_system |
epss |
| scoring_elements |
0.21297 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00069 |
| scoring_system |
epss |
| scoring_elements |
0.21256 |
| published_at |
2026-04-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-59830 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:gem/rack@3.0.0.beta1 |
| purl |
pkg:gem/rack@3.0.0.beta1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1j61-5e8x-7fbd |
|
| 1 |
| vulnerability |
VCID-2p73-rc9t-rudb |
|
| 2 |
| vulnerability |
VCID-2qba-a6bp-ryak |
|
| 3 |
| vulnerability |
VCID-5twm-pqc2-xyfn |
|
| 4 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 5 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 6 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 7 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 8 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 9 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 10 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 11 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 12 |
| vulnerability |
VCID-dh75-6jyw-1ke2 |
|
| 13 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 14 |
| vulnerability |
VCID-j34j-bgfd-8fez |
|
| 15 |
| vulnerability |
VCID-jg77-mm5c-gydu |
|
| 16 |
| vulnerability |
VCID-m98a-mcyb-c7fm |
|
| 17 |
| vulnerability |
VCID-metf-cghw-p3b5 |
|
| 18 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 19 |
| vulnerability |
VCID-p3dk-p1gb-kkem |
|
| 20 |
| vulnerability |
VCID-pbu7-4hdm-s3a6 |
|
| 21 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 22 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 23 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 24 |
| vulnerability |
VCID-wvs1-dhwp-ebat |
|
| 25 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.0.beta1 |
|
|
| aliases |
CVE-2025-59830, GHSA-625h-95r8-8xpm
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gdhf-e8q1-kbat |
|
| 15 |
| url |
VCID-gtzk-m9rm-57hw |
| vulnerability_id |
VCID-gtzk-m9rm-57hw |
| summary |
Rack Header Parsing leads to Possible Denial of Service Vulnerability
# Possible Denial of Service Vulnerability in Rack Header Parsing
There is a possible denial of service vulnerability in the header parsing
routines in Rack. This vulnerability has been assigned the CVE identifier
CVE-2024-26146.
Versions Affected: All.
Not affected: None
Fixed Versions: 2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1
Impact
------
Carefully crafted headers can cause header parsing in Rack to take longer than
expected resulting in a possible denial of service issue. Accept and Forwarded
headers are impacted.
Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2
or newer are unaffected.
Releases
--------
The fixed releases are available at the normal locations.
Workarounds
-----------
There are no feasible workarounds for this issue.
Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.
* 2-0-header-redos.patch - Patch for 2.0 series
* 2-1-header-redos.patch - Patch for 2.1 series
* 2-2-header-redos.patch - Patch for 2.2 series
* 3-0-header-redos.patch - Patch for 3.0 series
Credits
-------
Thanks to [svalkanov](https://hackerone.com/svalkanov) for reporting this and
providing patches! |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-26146 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00699 |
| scoring_system |
epss |
| scoring_elements |
0.71937 |
| published_at |
2026-04-02T12:55:00Z |
|
| 1 |
| value |
0.00699 |
| scoring_system |
epss |
| scoring_elements |
0.71956 |
| published_at |
2026-04-04T12:55:00Z |
|
| 2 |
| value |
0.00714 |
| scoring_system |
epss |
| scoring_elements |
0.7232 |
| published_at |
2026-04-13T12:55:00Z |
|
| 3 |
| value |
0.00714 |
| scoring_system |
epss |
| scoring_elements |
0.72332 |
| published_at |
2026-04-12T12:55:00Z |
|
| 4 |
| value |
0.00714 |
| scoring_system |
epss |
| scoring_elements |
0.72348 |
| published_at |
2026-04-11T12:55:00Z |
|
| 5 |
| value |
0.00775 |
| scoring_system |
epss |
| scoring_elements |
0.73601 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00775 |
| scoring_system |
epss |
| scoring_elements |
0.73552 |
| published_at |
2026-04-07T12:55:00Z |
|
| 7 |
| value |
0.00775 |
| scoring_system |
epss |
| scoring_elements |
0.73588 |
| published_at |
2026-04-08T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-26146 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@2.0.9.4 |
| purl |
pkg:gem/rack@2.0.9.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 4 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 5 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 6 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 7 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 8 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 9 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 10 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 11 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 12 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 13 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 14 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 15 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.0.9.4 |
|
| 1 |
| url |
pkg:gem/rack@2.1.4.4 |
| purl |
pkg:gem/rack@2.1.4.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 4 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 5 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 6 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 7 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 8 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 9 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 10 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 11 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 12 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 13 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 14 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 15 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.1.4.4 |
|
| 2 |
| url |
pkg:gem/rack@2.2.8.1 |
| purl |
pkg:gem/rack@2.2.8.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 4 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 5 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 6 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 7 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 8 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 9 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 10 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 11 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 12 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 13 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.8.1 |
|
| 3 |
| url |
pkg:gem/rack@3.0.9.1 |
| purl |
pkg:gem/rack@3.0.9.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 4 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 5 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 6 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 7 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 8 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 9 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 10 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 11 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.9.1 |
|
|
| aliases |
CVE-2024-26146, GHSA-54rr-7fvw-6x8f
|
| risk_score |
2.4 |
| exploitability |
0.5 |
| weighted_severity |
4.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gtzk-m9rm-57hw |
|
| 16 |
| url |
VCID-jxws-ws21-4uaa |
| vulnerability_id |
VCID-jxws-ws21-4uaa |
| summary |
Moderate severity vulnerability that affects rack
Withdrawn, accidental duplicate publish.
lib/rack/utils.rb in Rack before 1.5.4 and 1.6.x before 1.6.2, as used with Ruby on Rails 3.x and 4.x and other products, allows remote attackers to cause a denial of service (SystemStackError) via a request with a large parameter depth. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@1.5.4 |
| purl |
pkg:gem/rack@1.5.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 2 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 3 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 4 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 5 |
| vulnerability |
VCID-8zkw-y3yd-yuft |
|
| 6 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 7 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 8 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 9 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 10 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 11 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 12 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 13 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 14 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 15 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 16 |
| vulnerability |
VCID-qt1u-2p37-xfet |
|
| 17 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 18 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 19 |
| vulnerability |
VCID-udc4-7jnt-y3fu |
|
| 20 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 21 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 22 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 23 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 24 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
| 25 |
| vulnerability |
VCID-xnz5-gv2x-17bk |
|
| 26 |
| vulnerability |
VCID-yw62-qbkq-9ygq |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@1.5.4 |
|
| 1 |
| url |
pkg:gem/rack@1.6.2 |
| purl |
pkg:gem/rack@1.6.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 2 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 3 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 4 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 5 |
| vulnerability |
VCID-8zkw-y3yd-yuft |
|
| 6 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 7 |
| vulnerability |
VCID-9xy8-h3y1-mubv |
|
| 8 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 9 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 10 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 11 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 12 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 13 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 14 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 15 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 16 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 17 |
| vulnerability |
VCID-qt1u-2p37-xfet |
|
| 18 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 19 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 20 |
| vulnerability |
VCID-udc4-7jnt-y3fu |
|
| 21 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 22 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 23 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 24 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 25 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
| 26 |
| vulnerability |
VCID-xnz5-gv2x-17bk |
|
| 27 |
| vulnerability |
VCID-yw62-qbkq-9ygq |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@1.6.2 |
|
|
| aliases |
GHSA-9vc2-p34x-jhxh
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jxws-ws21-4uaa |
|
| 17 |
| url |
VCID-npag-sz7d-v7b6 |
| vulnerability_id |
VCID-npag-sz7d-v7b6 |
| summary |
Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion)
`Rack::Multipart::Parser` buffers the entire multipart **preamble** (bytes before the first boundary) in memory without any size limit. A client can send a large preamble followed by a valid boundary, causing significant memory use and potential process termination due to out-of-memory (OOM) conditions. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-61770 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00158 |
| scoring_system |
epss |
| scoring_elements |
0.36695 |
| published_at |
2026-04-13T12:55:00Z |
|
| 1 |
| value |
0.00158 |
| scoring_system |
epss |
| scoring_elements |
0.36721 |
| published_at |
2026-04-12T12:55:00Z |
|
| 2 |
| value |
0.00158 |
| scoring_system |
epss |
| scoring_elements |
0.36756 |
| published_at |
2026-04-11T12:55:00Z |
|
| 3 |
| value |
0.00158 |
| scoring_system |
epss |
| scoring_elements |
0.36747 |
| published_at |
2026-04-09T12:55:00Z |
|
| 4 |
| value |
0.00158 |
| scoring_system |
epss |
| scoring_elements |
0.3673 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00158 |
| scoring_system |
epss |
| scoring_elements |
0.3668 |
| published_at |
2026-04-07T12:55:00Z |
|
| 6 |
| value |
0.00158 |
| scoring_system |
epss |
| scoring_elements |
0.36844 |
| published_at |
2026-04-04T12:55:00Z |
|
| 7 |
| value |
0.00158 |
| scoring_system |
epss |
| scoring_elements |
0.36812 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-61770 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:gem/rack@3.0.0.beta1 |
| purl |
pkg:gem/rack@3.0.0.beta1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1j61-5e8x-7fbd |
|
| 1 |
| vulnerability |
VCID-2p73-rc9t-rudb |
|
| 2 |
| vulnerability |
VCID-2qba-a6bp-ryak |
|
| 3 |
| vulnerability |
VCID-5twm-pqc2-xyfn |
|
| 4 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 5 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 6 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 7 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 8 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 9 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 10 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 11 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 12 |
| vulnerability |
VCID-dh75-6jyw-1ke2 |
|
| 13 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 14 |
| vulnerability |
VCID-j34j-bgfd-8fez |
|
| 15 |
| vulnerability |
VCID-jg77-mm5c-gydu |
|
| 16 |
| vulnerability |
VCID-m98a-mcyb-c7fm |
|
| 17 |
| vulnerability |
VCID-metf-cghw-p3b5 |
|
| 18 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 19 |
| vulnerability |
VCID-p3dk-p1gb-kkem |
|
| 20 |
| vulnerability |
VCID-pbu7-4hdm-s3a6 |
|
| 21 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 22 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 23 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 24 |
| vulnerability |
VCID-wvs1-dhwp-ebat |
|
| 25 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.0.beta1 |
|
| 2 |
|
| 3 |
|
|
| aliases |
CVE-2025-61770, GHSA-p543-xpfm-54cp
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-npag-sz7d-v7b6 |
|
| 18 |
| url |
VCID-qt1u-2p37-xfet |
| vulnerability_id |
VCID-qt1u-2p37-xfet |
| summary |
Multiple vulnerabilities have been discovered in Rack, the worst of which can lead to sequence injection in logging compontents. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-30122 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00893 |
| scoring_system |
epss |
| scoring_elements |
0.75542 |
| published_at |
2026-04-04T12:55:00Z |
|
| 1 |
| value |
0.00893 |
| scoring_system |
epss |
| scoring_elements |
0.75512 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00989 |
| scoring_system |
epss |
| scoring_elements |
0.76909 |
| published_at |
2026-04-16T12:55:00Z |
|
| 3 |
| value |
0.00989 |
| scoring_system |
epss |
| scoring_elements |
0.76823 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00989 |
| scoring_system |
epss |
| scoring_elements |
0.76854 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00989 |
| scoring_system |
epss |
| scoring_elements |
0.76864 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00989 |
| scoring_system |
epss |
| scoring_elements |
0.76893 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00989 |
| scoring_system |
epss |
| scoring_elements |
0.76873 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00989 |
| scoring_system |
epss |
| scoring_elements |
0.76867 |
| published_at |
2026-04-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-30122 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
| reference_url |
https://security.gentoo.org/glsa/202310-18 |
| reference_id |
GLSA-202310-18 |
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2023-12-13T16:09:46Z/ |
|
|
| url |
https://security.gentoo.org/glsa/202310-18 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@2.0.9.1 |
| purl |
pkg:gem/rack@2.0.9.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 2 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 3 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 4 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 5 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 6 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 7 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 8 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 9 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 10 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 11 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 12 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 13 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 14 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 15 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 16 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 17 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 18 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 19 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 20 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 21 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.0.9.1 |
|
| 1 |
| url |
pkg:gem/rack@2.1.4.1 |
| purl |
pkg:gem/rack@2.1.4.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 2 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 3 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 4 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 5 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 6 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 7 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 8 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 9 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 10 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 11 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 12 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 13 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 14 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 15 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 16 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 17 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 18 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 19 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 20 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 21 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.1.4.1 |
|
| 2 |
| url |
pkg:gem/rack@2.2.3.1 |
| purl |
pkg:gem/rack@2.2.3.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 2 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 3 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 4 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 5 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 6 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 7 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 8 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 9 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 10 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 11 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 12 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 13 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 14 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 15 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 16 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 17 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 18 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 19 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 20 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 21 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.3.1 |
|
|
| aliases |
CVE-2022-30122, GHSA-hxqx-xwvh-44m2, GMS-2022-1643
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qt1u-2p37-xfet |
|
| 19 |
| url |
VCID-s971-gkdg-jkhc |
| vulnerability_id |
VCID-s971-gkdg-jkhc |
| summary |
Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing
`Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-61919 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00221 |
| scoring_system |
epss |
| scoring_elements |
0.44737 |
| published_at |
2026-04-13T12:55:00Z |
|
| 1 |
| value |
0.00221 |
| scoring_system |
epss |
| scoring_elements |
0.44735 |
| published_at |
2026-04-12T12:55:00Z |
|
| 2 |
| value |
0.00221 |
| scoring_system |
epss |
| scoring_elements |
0.44767 |
| published_at |
2026-04-11T12:55:00Z |
|
| 3 |
| value |
0.00221 |
| scoring_system |
epss |
| scoring_elements |
0.4475 |
| published_at |
2026-04-09T12:55:00Z |
|
| 4 |
| value |
0.00221 |
| scoring_system |
epss |
| scoring_elements |
0.44748 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00221 |
| scoring_system |
epss |
| scoring_elements |
0.44695 |
| published_at |
2026-04-07T12:55:00Z |
|
| 6 |
| value |
0.00221 |
| scoring_system |
epss |
| scoring_elements |
0.44756 |
| published_at |
2026-04-04T12:55:00Z |
|
| 7 |
| value |
0.00221 |
| scoring_system |
epss |
| scoring_elements |
0.44736 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-61919 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:gem/rack@3.0.0.beta1 |
| purl |
pkg:gem/rack@3.0.0.beta1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1j61-5e8x-7fbd |
|
| 1 |
| vulnerability |
VCID-2p73-rc9t-rudb |
|
| 2 |
| vulnerability |
VCID-2qba-a6bp-ryak |
|
| 3 |
| vulnerability |
VCID-5twm-pqc2-xyfn |
|
| 4 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 5 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 6 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 7 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 8 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 9 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 10 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 11 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 12 |
| vulnerability |
VCID-dh75-6jyw-1ke2 |
|
| 13 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 14 |
| vulnerability |
VCID-j34j-bgfd-8fez |
|
| 15 |
| vulnerability |
VCID-jg77-mm5c-gydu |
|
| 16 |
| vulnerability |
VCID-m98a-mcyb-c7fm |
|
| 17 |
| vulnerability |
VCID-metf-cghw-p3b5 |
|
| 18 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 19 |
| vulnerability |
VCID-p3dk-p1gb-kkem |
|
| 20 |
| vulnerability |
VCID-pbu7-4hdm-s3a6 |
|
| 21 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 22 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 23 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 24 |
| vulnerability |
VCID-wvs1-dhwp-ebat |
|
| 25 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.0.beta1 |
|
| 2 |
|
| 3 |
|
|
| aliases |
CVE-2025-61919, GHSA-6xw4-3v39-52mm
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-s971-gkdg-jkhc |
|
| 20 |
| url |
VCID-skxv-7he3-xqgc |
| vulnerability_id |
VCID-skxv-7he3-xqgc |
| summary |
Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href
## Summary
`Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename begins with the `javascript:` scheme (e.g. `javascript:alert(1)`), the generated index includes an anchor whose `href` attribute is exactly `javascript:alert(1)`. Clicking this entry executes arbitrary JavaScript in the context of the hosting application.
This results in a client-side XSS condition in directory listings generated by `Rack::Directory`.
## Details
`Rack::Directory` renders directory entries using an HTML row template similar to:
```html
<a href='%s'>%s</a>
```
The `%s` placeholder is populated directly with the file’s basename. If the basename begins with `javascript:`, the resulting HTML contains an executable JavaScript URL:
```html
<a href='javascript:alert(1)'>javascript:alert(1)</a>
```
Because the value is inserted directly into the `href` attribute without scheme validation or normalization, browsers interpret it as a JavaScript URI. When a user clicks the link, the JavaScript executes in the origin of the Rack application.
## Impact
If `Rack::Directory` is used to expose filesystem contents over HTTP, an attacker who can create or upload files within that directory may introduce a malicious filename beginning with `javascript:`.
When a user visits the directory listing and clicks the entry, arbitrary JavaScript executes in the application's origin. Exploitation requires user interaction (clicking the malicious entry).
## Mitigation
* Update to a patched version of Rack in which `Rack::Directory` prefixes generated anchors with a relative path indicator (e.g. `./filename`).
* Avoid exposing user-controlled directories via `Rack::Directory`.
* Apply a strict Content Security Policy (CSP) to reduce impact of potential client-side execution issues.
* Where feasible, restrict or sanitize uploaded filenames to disallow dangerous URI scheme prefixes.
HackerOne profile:
https://hackerone.com/thesmartshadow
GitHub account owner:
Ali Firas (@thesmartshadow) |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-25500 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00021 |
| scoring_system |
epss |
| scoring_elements |
0.05787 |
| published_at |
2026-04-13T12:55:00Z |
|
| 1 |
| value |
0.00021 |
| scoring_system |
epss |
| scoring_elements |
0.05793 |
| published_at |
2026-04-12T12:55:00Z |
|
| 2 |
| value |
0.00021 |
| scoring_system |
epss |
| scoring_elements |
0.05801 |
| published_at |
2026-04-11T12:55:00Z |
|
| 3 |
| value |
0.00021 |
| scoring_system |
epss |
| scoring_elements |
0.05822 |
| published_at |
2026-04-09T12:55:00Z |
|
| 4 |
| value |
0.00021 |
| scoring_system |
epss |
| scoring_elements |
0.05797 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00021 |
| scoring_system |
epss |
| scoring_elements |
0.05758 |
| published_at |
2026-04-07T12:55:00Z |
|
| 6 |
| value |
0.00021 |
| scoring_system |
epss |
| scoring_elements |
0.05724 |
| published_at |
2026-04-02T12:55:00Z |
|
| 7 |
| value |
0.00021 |
| scoring_system |
epss |
| scoring_elements |
0.05764 |
| published_at |
2026-04-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-25500 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-25500, GHSA-whrj-4476-wvmp
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-skxv-7he3-xqgc |
|
| 21 |
| url |
VCID-udc4-7jnt-y3fu |
| vulnerability_id |
VCID-udc4-7jnt-y3fu |
| summary |
Multiple vulnerabilities have been discovered in Rack, the worst of which can lead to sequence injection in logging compontents. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-30123 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.02072 |
| scoring_system |
epss |
| scoring_elements |
0.83974 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.02072 |
| scoring_system |
epss |
| scoring_elements |
0.83914 |
| published_at |
2026-04-07T12:55:00Z |
|
| 2 |
| value |
0.02072 |
| scoring_system |
epss |
| scoring_elements |
0.83937 |
| published_at |
2026-04-08T12:55:00Z |
|
| 3 |
| value |
0.02072 |
| scoring_system |
epss |
| scoring_elements |
0.83944 |
| published_at |
2026-04-09T12:55:00Z |
|
| 4 |
| value |
0.02072 |
| scoring_system |
epss |
| scoring_elements |
0.8396 |
| published_at |
2026-04-11T12:55:00Z |
|
| 5 |
| value |
0.02072 |
| scoring_system |
epss |
| scoring_elements |
0.83949 |
| published_at |
2026-04-13T12:55:00Z |
|
| 6 |
| value |
0.02072 |
| scoring_system |
epss |
| scoring_elements |
0.83953 |
| published_at |
2026-04-12T12:55:00Z |
|
| 7 |
| value |
0.02128 |
| scoring_system |
epss |
| scoring_elements |
0.84126 |
| published_at |
2026-04-04T12:55:00Z |
|
| 8 |
| value |
0.02128 |
| scoring_system |
epss |
| scoring_elements |
0.84109 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-30123 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@2.0.9.1 |
| purl |
pkg:gem/rack@2.0.9.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 2 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 3 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 4 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 5 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 6 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 7 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 8 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 9 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 10 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 11 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 12 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 13 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 14 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 15 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 16 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 17 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 18 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 19 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 20 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 21 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.0.9.1 |
|
| 1 |
| url |
pkg:gem/rack@2.1.4.1 |
| purl |
pkg:gem/rack@2.1.4.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 2 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 3 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 4 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 5 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 6 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 7 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 8 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 9 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 10 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 11 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 12 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 13 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 14 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 15 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 16 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 17 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 18 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 19 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 20 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 21 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.1.4.1 |
|
| 2 |
| url |
pkg:gem/rack@2.2.3.1 |
| purl |
pkg:gem/rack@2.2.3.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 2 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 3 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 4 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 5 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 6 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 7 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 8 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 9 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 10 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 11 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 12 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 13 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 14 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 15 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 16 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 17 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 18 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 19 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 20 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 21 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.3.1 |
|
|
| aliases |
CVE-2022-30123, GHSA-wq4h-7r42-5hrr, GMS-2022-1644
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-udc4-7jnt-y3fu |
|
| 22 |
| url |
VCID-vkrw-y1j6-6fe7 |
| vulnerability_id |
VCID-vkrw-y1j6-6fe7 |
| summary |
Duplicate
This advisory duplicates another. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-44571 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.03289 |
| scoring_system |
epss |
| scoring_elements |
0.87155 |
| published_at |
2026-04-02T12:55:00Z |
|
| 1 |
| value |
0.03289 |
| scoring_system |
epss |
| scoring_elements |
0.87172 |
| published_at |
2026-04-04T12:55:00Z |
|
| 2 |
| value |
0.03631 |
| scoring_system |
epss |
| scoring_elements |
0.87841 |
| published_at |
2026-04-11T12:55:00Z |
|
| 3 |
| value |
0.03631 |
| scoring_system |
epss |
| scoring_elements |
0.87801 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.03631 |
| scoring_system |
epss |
| scoring_elements |
0.87822 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.03631 |
| scoring_system |
epss |
| scoring_elements |
0.87829 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.03631 |
| scoring_system |
epss |
| scoring_elements |
0.87833 |
| published_at |
2026-04-13T12:55:00Z |
|
| 7 |
| value |
0.03631 |
| scoring_system |
epss |
| scoring_elements |
0.87835 |
| published_at |
2026-04-12T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-44571 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@2.0.9.2 |
| purl |
pkg:gem/rack@2.0.9.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 4 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 5 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 6 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 7 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 8 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 9 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 10 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 11 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 12 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 13 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 14 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 15 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 16 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 17 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 18 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 19 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 20 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.0.9.2 |
|
| 1 |
| url |
pkg:gem/rack@2.1.4.2 |
| purl |
pkg:gem/rack@2.1.4.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 4 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 5 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 6 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 7 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 8 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 9 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 10 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 11 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 12 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 13 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 14 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 15 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 16 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 17 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 18 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 19 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 20 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.1.4.2 |
|
| 2 |
| url |
pkg:gem/rack@2.2.6.1 |
| purl |
pkg:gem/rack@2.2.6.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 2 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 3 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 4 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 5 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 6 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 7 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 8 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 9 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 10 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 11 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 12 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 13 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 14 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 15 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 16 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 17 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 18 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 19 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 20 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 21 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.6.1 |
|
| 3 |
| url |
pkg:gem/rack@3.0.4.1 |
| purl |
pkg:gem/rack@3.0.4.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 4 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 5 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 6 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 7 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 8 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 9 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 10 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 11 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 12 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 13 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 14 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 15 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 16 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.4.1 |
|
|
| aliases |
CVE-2022-44571, GHSA-93pm-5p5f-3ghx, GMS-2023-65
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vkrw-y1j6-6fe7 |
|
| 23 |
| url |
VCID-w732-52bx-2qf8 |
| vulnerability_id |
VCID-w732-52bx-2qf8 |
| summary |
Possible Log Injection in Rack::CommonLogger
## Summary
`Rack::CommonLogger` can be exploited by crafting input that includes newline characters to manipulate log entries. The supplied proof-of-concept demonstrates injecting malicious content into logs.
## Details
When a user provides the authorization credentials via `Rack::Auth::Basic`, if success, the username will be put in `env['REMOTE_USER']` and later be used by `Rack::CommonLogger` for logging purposes.
The issue occurs when a server intentionally or unintentionally allows a user creation with the username contain CRLF and white space characters, or the server just want to log every login attempts. If an attacker enters a username with CRLF character, the logger will log the malicious username with CRLF characters into the logfile.
## Impact
Attackers can break log formats or insert fraudulent entries, potentially obscuring real activity or injecting malicious data into log files.
## Mitigation
- Update to the latest version of Rack. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-25184 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.01039 |
| scoring_system |
epss |
| scoring_elements |
0.77416 |
| published_at |
2026-04-13T12:55:00Z |
|
| 1 |
| value |
0.01039 |
| scoring_system |
epss |
| scoring_elements |
0.7742 |
| published_at |
2026-04-12T12:55:00Z |
|
| 2 |
| value |
0.01039 |
| scoring_system |
epss |
| scoring_elements |
0.7744 |
| published_at |
2026-04-11T12:55:00Z |
|
| 3 |
| value |
0.01039 |
| scoring_system |
epss |
| scoring_elements |
0.77414 |
| published_at |
2026-04-09T12:55:00Z |
|
| 4 |
| value |
0.01039 |
| scoring_system |
epss |
| scoring_elements |
0.77405 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.01039 |
| scoring_system |
epss |
| scoring_elements |
0.77375 |
| published_at |
2026-04-07T12:55:00Z |
|
| 6 |
| value |
0.01068 |
| scoring_system |
epss |
| scoring_elements |
0.77685 |
| published_at |
2026-04-04T12:55:00Z |
|
| 7 |
| value |
0.01068 |
| scoring_system |
epss |
| scoring_elements |
0.77658 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-25184 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://github.com/rack/rack |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
|
| 1 |
| value |
5.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/rack/rack |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3 |
| scoring_elements |
|
|
| 1 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 3 |
| value |
5.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-12T19:09:07Z/ |
|
|
| url |
https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@2.2.11 |
| purl |
pkg:gem/rack@2.2.11 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 4 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 5 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 6 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 7 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 8 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 9 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 10 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 11 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 12 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.11 |
|
| 1 |
| url |
pkg:gem/rack@3.0.0.beta1 |
| purl |
pkg:gem/rack@3.0.0.beta1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1j61-5e8x-7fbd |
|
| 1 |
| vulnerability |
VCID-2p73-rc9t-rudb |
|
| 2 |
| vulnerability |
VCID-2qba-a6bp-ryak |
|
| 3 |
| vulnerability |
VCID-5twm-pqc2-xyfn |
|
| 4 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 5 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 6 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 7 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 8 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 9 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 10 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 11 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 12 |
| vulnerability |
VCID-dh75-6jyw-1ke2 |
|
| 13 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 14 |
| vulnerability |
VCID-j34j-bgfd-8fez |
|
| 15 |
| vulnerability |
VCID-jg77-mm5c-gydu |
|
| 16 |
| vulnerability |
VCID-m98a-mcyb-c7fm |
|
| 17 |
| vulnerability |
VCID-metf-cghw-p3b5 |
|
| 18 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 19 |
| vulnerability |
VCID-p3dk-p1gb-kkem |
|
| 20 |
| vulnerability |
VCID-pbu7-4hdm-s3a6 |
|
| 21 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 22 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 23 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 24 |
| vulnerability |
VCID-wvs1-dhwp-ebat |
|
| 25 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.0.beta1 |
|
| 2 |
| url |
pkg:gem/rack@3.0.12 |
| purl |
pkg:gem/rack@3.0.12 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 4 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 5 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 6 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 7 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 8 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 9 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 10 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.12 |
|
| 3 |
| url |
pkg:gem/rack@3.1.10 |
| purl |
pkg:gem/rack@3.1.10 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 4 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 5 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 6 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 7 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 8 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 9 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 10 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.10 |
|
|
| aliases |
CVE-2025-25184, GHSA-7g2v-jj9q-g3rg
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-w732-52bx-2qf8 |
|
| 24 |
| url |
VCID-wt7k-s1yd-nke6 |
| vulnerability_id |
VCID-wt7k-s1yd-nke6 |
| summary |
Local File Inclusion in Rack::Static
## Summary
`Rack::Static` can serve files under the specified `root:` even if `urls:` are provided, which may expose other files under the specified `root:` unexpectedly.
## Details
The vulnerability occurs because `Rack::Static` does not properly sanitize user-supplied paths before serving files. Specifically, encoded path traversal sequences are not correctly validated, allowing attackers to access files outside the designated static file directory.
## Impact
By exploiting this vulnerability, an attacker can gain access to all files under the specified `root:` directory, provided they are able to determine then path of the file.
## Mitigation
- Update to the latest version of Rack, or
- Remove usage of `Rack::Static`, or
- Ensure that `root:` points at a directory path which only contains files which should be accessed publicly.
It is likely that a CDN or similar static file server would also mitigate the issue. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-27610 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00415 |
| scoring_system |
epss |
| scoring_elements |
0.61664 |
| published_at |
2026-04-13T12:55:00Z |
|
| 1 |
| value |
0.00415 |
| scoring_system |
epss |
| scoring_elements |
0.61684 |
| published_at |
2026-04-12T12:55:00Z |
|
| 2 |
| value |
0.00415 |
| scoring_system |
epss |
| scoring_elements |
0.61695 |
| published_at |
2026-04-11T12:55:00Z |
|
| 3 |
| value |
0.00415 |
| scoring_system |
epss |
| scoring_elements |
0.61674 |
| published_at |
2026-04-09T12:55:00Z |
|
| 4 |
| value |
0.00415 |
| scoring_system |
epss |
| scoring_elements |
0.61659 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00415 |
| scoring_system |
epss |
| scoring_elements |
0.6164 |
| published_at |
2026-04-04T12:55:00Z |
|
| 6 |
| value |
0.00415 |
| scoring_system |
epss |
| scoring_elements |
0.61611 |
| published_at |
2026-04-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-27610 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@2.2.13 |
| purl |
pkg:gem/rack@2.2.13 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 2 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 3 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 4 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 5 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 6 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 7 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 8 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 9 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 10 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.13 |
|
| 1 |
| url |
pkg:gem/rack@3.0.0.beta1 |
| purl |
pkg:gem/rack@3.0.0.beta1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1j61-5e8x-7fbd |
|
| 1 |
| vulnerability |
VCID-2p73-rc9t-rudb |
|
| 2 |
| vulnerability |
VCID-2qba-a6bp-ryak |
|
| 3 |
| vulnerability |
VCID-5twm-pqc2-xyfn |
|
| 4 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 5 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 6 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 7 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 8 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 9 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 10 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 11 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 12 |
| vulnerability |
VCID-dh75-6jyw-1ke2 |
|
| 13 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 14 |
| vulnerability |
VCID-j34j-bgfd-8fez |
|
| 15 |
| vulnerability |
VCID-jg77-mm5c-gydu |
|
| 16 |
| vulnerability |
VCID-m98a-mcyb-c7fm |
|
| 17 |
| vulnerability |
VCID-metf-cghw-p3b5 |
|
| 18 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 19 |
| vulnerability |
VCID-p3dk-p1gb-kkem |
|
| 20 |
| vulnerability |
VCID-pbu7-4hdm-s3a6 |
|
| 21 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 22 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 23 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 24 |
| vulnerability |
VCID-wvs1-dhwp-ebat |
|
| 25 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.0.beta1 |
|
| 2 |
|
| 3 |
|
|
| aliases |
CVE-2025-27610, GHSA-7wqh-767x-r66v
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wt7k-s1yd-nke6 |
|
| 25 |
| url |
VCID-xazq-qrm1-9ff6 |
| vulnerability_id |
VCID-xazq-qrm1-9ff6 |
| summary |
Rack session gets restored after deletion
### Summary
When using the `Rack::Session::Pool` middleware, simultaneous rack requests can restore a deleted rack session, which allows the unauthenticated user to occupy that session.
### Details
[Rack session middleware](https://github.com/rack/rack/blob/v2.2.13/lib/rack/session/abstract/id.rb#L263-L270) prepares the session at the beginning of request, then saves is back to the store with possible changes applied by host rack application. This way the session becomes to be a subject of race conditions in general sense over concurrent rack requests.
### Impact
When using the `Rack::Session::Pool` middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the attacker can trigger a long running request (within that same session) adjacent to the user logging out, in order to retain illicit access even after a user has attempted to logout.
## Mitigation
- Update to the latest version of `rack`, or
- Ensure your application invalidates sessions atomically by marking them as logged out e.g., using a `logged_out` flag, instead of deleting them, and check this flag on every request to prevent reuse, or
- Implement a custom session store that tracks session invalidation timestamps and refuses to accept session data if the session was invalidated after the request began.
### Related
As this code was moved to `rack-session` in Rack 3+, see <https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj> for the equivalent advisory in `rack-session` (affecting Rack 3+ only). |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-32441 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00096 |
| scoring_system |
epss |
| scoring_elements |
0.26514 |
| published_at |
2026-04-13T12:55:00Z |
|
| 1 |
| value |
0.00096 |
| scoring_system |
epss |
| scoring_elements |
0.26571 |
| published_at |
2026-04-12T12:55:00Z |
|
| 2 |
| value |
0.00096 |
| scoring_system |
epss |
| scoring_elements |
0.26617 |
| published_at |
2026-04-11T12:55:00Z |
|
| 3 |
| value |
0.00096 |
| scoring_system |
epss |
| scoring_elements |
0.26612 |
| published_at |
2026-04-09T12:55:00Z |
|
| 4 |
| value |
0.00096 |
| scoring_system |
epss |
| scoring_elements |
0.26563 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00096 |
| scoring_system |
epss |
| scoring_elements |
0.26495 |
| published_at |
2026-04-07T12:55:00Z |
|
| 6 |
| value |
0.00096 |
| scoring_system |
epss |
| scoring_elements |
0.26709 |
| published_at |
2026-04-04T12:55:00Z |
|
| 7 |
| value |
0.00096 |
| scoring_system |
epss |
| scoring_elements |
0.26667 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-32441 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-32441, GHSA-vpfw-47h7-xj4g
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xazq-qrm1-9ff6 |
|
| 26 |
| url |
VCID-xkah-9nv9-wufd |
| vulnerability_id |
VCID-xkah-9nv9-wufd |
| summary |
Possible Denial of Service Vulnerability in Rack’s header parsing
There is a denial of service vulnerability in the header parsing component of Rack. Carefully crafted input can cause header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse headers using Rack (virtually all Rails applications) are impacted. Workarounds Setting `Regexp.timeout` in Ruby 3.2 is a possible workaround. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-27539 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00328 |
| scoring_system |
epss |
| scoring_elements |
0.55815 |
| published_at |
2026-04-04T12:55:00Z |
|
| 1 |
| value |
0.00328 |
| scoring_system |
epss |
| scoring_elements |
0.55793 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00335 |
| scoring_system |
epss |
| scoring_elements |
0.56392 |
| published_at |
2026-04-12T12:55:00Z |
|
| 3 |
| value |
0.00335 |
| scoring_system |
epss |
| scoring_elements |
0.56416 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.00335 |
| scoring_system |
epss |
| scoring_elements |
0.56374 |
| published_at |
2026-04-13T12:55:00Z |
|
| 5 |
| value |
0.00364 |
| scoring_system |
epss |
| scoring_elements |
0.58481 |
| published_at |
2026-04-08T12:55:00Z |
|
| 6 |
| value |
0.00364 |
| scoring_system |
epss |
| scoring_elements |
0.58487 |
| published_at |
2026-04-09T12:55:00Z |
|
| 7 |
| value |
0.00364 |
| scoring_system |
epss |
| scoring_elements |
0.58428 |
| published_at |
2026-04-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-27539 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@2.2.6.4 |
| purl |
pkg:gem/rack@2.2.6.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 4 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 5 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 6 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 7 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 8 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 9 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 10 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 11 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 12 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 13 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 14 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 15 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 16 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.6.4 |
|
| 1 |
| url |
pkg:gem/rack@3.0.6.1 |
| purl |
pkg:gem/rack@3.0.6.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 4 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 5 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 6 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 7 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 8 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 9 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 10 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 11 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 12 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 13 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 14 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.6.1 |
|
|
| aliases |
CVE-2023-27539, GHSA-c6qg-cjj8-47qp, GMS-2023-769
|
| risk_score |
2.4 |
| exploitability |
0.5 |
| weighted_severity |
4.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xkah-9nv9-wufd |
|
| 27 |
| url |
VCID-xnz5-gv2x-17bk |
| vulnerability_id |
VCID-xnz5-gv2x-17bk |
| summary |
Rack allows Percent-encoded cookies to overwrite existing prefixed cookie names
A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it possible for an attacker to forge a secure or host-only cookie prefix. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-8184 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.01067 |
| scoring_system |
epss |
| scoring_elements |
0.77742 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.01067 |
| scoring_system |
epss |
| scoring_elements |
0.77705 |
| published_at |
2026-04-13T12:55:00Z |
|
| 2 |
| value |
0.01067 |
| scoring_system |
epss |
| scoring_elements |
0.77706 |
| published_at |
2026-04-12T12:55:00Z |
|
| 3 |
| value |
0.01067 |
| scoring_system |
epss |
| scoring_elements |
0.77722 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.01067 |
| scoring_system |
epss |
| scoring_elements |
0.77696 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.01067 |
| scoring_system |
epss |
| scoring_elements |
0.7769 |
| published_at |
2026-04-08T12:55:00Z |
|
| 6 |
| value |
0.01067 |
| scoring_system |
epss |
| scoring_elements |
0.77662 |
| published_at |
2026-04-07T12:55:00Z |
|
| 7 |
| value |
0.01162 |
| scoring_system |
epss |
| scoring_elements |
0.7859 |
| published_at |
2026-04-04T12:55:00Z |
|
| 8 |
| value |
0.01162 |
| scoring_system |
epss |
| scoring_elements |
0.78559 |
| published_at |
2026-04-02T12:55:00Z |
|
| 9 |
| value |
0.01162 |
| scoring_system |
epss |
| scoring_elements |
0.78552 |
| published_at |
2026-04-01T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-8184 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@2.1.4 |
| purl |
pkg:gem/rack@2.1.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 2 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 3 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 4 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 5 |
| vulnerability |
VCID-8zkw-y3yd-yuft |
|
| 6 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 7 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 8 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 9 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 10 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 11 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 12 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 13 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 14 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 15 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 16 |
| vulnerability |
VCID-qt1u-2p37-xfet |
|
| 17 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 18 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 19 |
| vulnerability |
VCID-udc4-7jnt-y3fu |
|
| 20 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 21 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 22 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 23 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 24 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.1.4 |
|
| 1 |
| url |
pkg:gem/rack@2.2.3 |
| purl |
pkg:gem/rack@2.2.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 2 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 3 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 4 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 5 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 6 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 7 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 8 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 9 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 10 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 11 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 12 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 13 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 14 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 15 |
| vulnerability |
VCID-qt1u-2p37-xfet |
|
| 16 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 17 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 18 |
| vulnerability |
VCID-udc4-7jnt-y3fu |
|
| 19 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 20 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 21 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 22 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 23 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.3 |
|
|
| aliases |
CVE-2020-8184, GHSA-j6w9-fv6q-3q52
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xnz5-gv2x-17bk |
|
| 28 |
| url |
VCID-yw62-qbkq-9ygq |
| vulnerability_id |
VCID-yw62-qbkq-9ygq |
| summary |
Possible Information Leak / Session Hijack Vulnerability in Rack
There's a possible information leak / session hijack vulnerability in Rack. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session.
The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison.
### Impact
The session id stored in a cookie is the same id that is used when querying the backing session storage engine. Most storage mechanisms (for example a database) use some sort of indexing in order to speed up the lookup of that id. By carefully timing requests and session lookup failures, an attacker may be able to perform a timing attack to determine an existing session id and hijack that session.
## Releases
The 1.6.12 and 2.0.8 releases are available at the normal locations.
### Workarounds
There are no known workarounds.
### Patches
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.
* 1-6-session-timing-attack.patch - Patch for 1.6 series
* 2-0-session-timing-attack.patch - Patch for 2.6 series
### Credits
Thanks Will Leinweber for reporting this! |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2019-16782 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.01251 |
| scoring_system |
epss |
| scoring_elements |
0.7936 |
| published_at |
2026-04-11T12:55:00Z |
|
| 1 |
| value |
0.01251 |
| scoring_system |
epss |
| scoring_elements |
0.79361 |
| published_at |
2026-04-16T12:55:00Z |
|
| 2 |
| value |
0.01251 |
| scoring_system |
epss |
| scoring_elements |
0.79334 |
| published_at |
2026-04-13T12:55:00Z |
|
| 3 |
| value |
0.01251 |
| scoring_system |
epss |
| scoring_elements |
0.79345 |
| published_at |
2026-04-12T12:55:00Z |
|
| 4 |
| value |
0.01251 |
| scoring_system |
epss |
| scoring_elements |
0.79336 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.01251 |
| scoring_system |
epss |
| scoring_elements |
0.79327 |
| published_at |
2026-04-08T12:55:00Z |
|
| 6 |
| value |
0.01251 |
| scoring_system |
epss |
| scoring_elements |
0.79301 |
| published_at |
2026-04-07T12:55:00Z |
|
| 7 |
| value |
0.01251 |
| scoring_system |
epss |
| scoring_elements |
0.79315 |
| published_at |
2026-04-04T12:55:00Z |
|
| 8 |
| value |
0.01251 |
| scoring_system |
epss |
| scoring_elements |
0.79291 |
| published_at |
2026-04-02T12:55:00Z |
|
| 9 |
| value |
0.01251 |
| scoring_system |
epss |
| scoring_elements |
0.79285 |
| published_at |
2026-04-01T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2019-16782 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@1.6.12 |
| purl |
pkg:gem/rack@1.6.12 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 2 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 3 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 4 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 5 |
| vulnerability |
VCID-8zkw-y3yd-yuft |
|
| 6 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 7 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 8 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 9 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 10 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 11 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 12 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 13 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 14 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 15 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 16 |
| vulnerability |
VCID-qt1u-2p37-xfet |
|
| 17 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 18 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 19 |
| vulnerability |
VCID-udc4-7jnt-y3fu |
|
| 20 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 21 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 22 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 23 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 24 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
| 25 |
| vulnerability |
VCID-xnz5-gv2x-17bk |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@1.6.12 |
|
| 1 |
| url |
pkg:gem/rack@2.0.0.alpha |
| purl |
pkg:gem/rack@2.0.0.alpha |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 2 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 3 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 4 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 5 |
| vulnerability |
VCID-8zkw-y3yd-yuft |
|
| 6 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 7 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 8 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 9 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 10 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 11 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 12 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 13 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 14 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 15 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 16 |
| vulnerability |
VCID-qt1u-2p37-xfet |
|
| 17 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 18 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 19 |
| vulnerability |
VCID-udc4-7jnt-y3fu |
|
| 20 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 21 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 22 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 23 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 24 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
| 25 |
| vulnerability |
VCID-xnz5-gv2x-17bk |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.0.0.alpha |
|
| 2 |
| url |
pkg:gem/rack@2.0.8 |
| purl |
pkg:gem/rack@2.0.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 2 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 3 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 4 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 5 |
| vulnerability |
VCID-8zkw-y3yd-yuft |
|
| 6 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 7 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 8 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 9 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 10 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 11 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 12 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 13 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 14 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 15 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 16 |
| vulnerability |
VCID-qt1u-2p37-xfet |
|
| 17 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 18 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 19 |
| vulnerability |
VCID-udc4-7jnt-y3fu |
|
| 20 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 21 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 22 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 23 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 24 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
| 25 |
| vulnerability |
VCID-xnz5-gv2x-17bk |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.0.8 |
|
|
| aliases |
CVE-2019-16782, GHSA-hrqr-hxpp-chr3
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-yw62-qbkq-9ygq |
|