Package Instance

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/security/advisories/GHSA-q2ww-5357-x388

reference_url

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3
scoring_elements

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T17:43:52Z/

url

https://github.com/rack/rack/security/advisories/GHSA-q2ww-5357-x388

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-34831.yml

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-34831.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-34831

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-34831

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2454504
reference_id	2454504
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2454504

reference_url	https://github.com/advisories/GHSA-q2ww-5357-x388
reference_id	GHSA-q2ww-5357-x388
reference_type
scores
url	https://github.com/advisories/GHSA-q2ww-5357-x388

reference_url	https://usn.ubuntu.com/8182-1/
reference_id	USN-8182-1
reference_type
scores
url	https://usn.ubuntu.com/8182-1/

fixed_packages

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2026-34831, GHSA-q2ww-5357-x388

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1pt2-23bn-7qev

url VCID-21pz-m7dy-8bey

vulnerability_id VCID-21pz-m7dy-8bey

summary github.com/rack/rack: Rack: Content smuggling via multipart boundary parsing mismatch

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26961.json

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26961.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-26961

reference_id

reference_type

scores

value	0.00014
scoring_system	epss
scoring_elements	0.02889
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-26961

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26961
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26961

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/security/advisories/GHSA-vgpv-f759-9wx3

reference_url

reference_id

reference_type

scores

value	3.7
scoring_system	cvssv3
scoring_elements

value	3.7
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T17:57:50Z/

url

https://github.com/rack/rack/security/advisories/GHSA-vgpv-f759-9wx3

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-26961.yml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-26961.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-26961

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-26961

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2454483
reference_id	2454483
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2454483

reference_url	https://github.com/advisories/GHSA-vgpv-f759-9wx3
reference_id	GHSA-vgpv-f759-9wx3
reference_type
scores
url	https://github.com/advisories/GHSA-vgpv-f759-9wx3

reference_url	https://usn.ubuntu.com/8182-1/
reference_id	USN-8182-1
reference_type
scores
url	https://usn.ubuntu.com/8182-1/

fixed_packages

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2026-26961, GHSA-vgpv-f759-9wx3

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-21pz-m7dy-8bey

url VCID-3bh7-vrvj-p3g1

vulnerability_id VCID-3bh7-vrvj-p3g1

summary rack: Rack: Parameter smuggling via improper Forwarded header parsing

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-32762.json

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-32762.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-32762

reference_id

reference_type

scores

value	0.00048
scoring_system	epss
scoring_elements	0.15406
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-32762

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-32762
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-32762

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/security/advisories/GHSA-qfgr-crr9-7r49

reference_url

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3
scoring_elements

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T17:42:32Z/

url

https://github.com/rack/rack/security/advisories/GHSA-qfgr-crr9-7r49

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-32762.yml

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-32762.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-32762

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-32762

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2454489
reference_id	2454489
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2454489

reference_url	https://github.com/advisories/GHSA-qfgr-crr9-7r49
reference_id	GHSA-qfgr-crr9-7r49
reference_type
scores
url	https://github.com/advisories/GHSA-qfgr-crr9-7r49

reference_url	https://usn.ubuntu.com/8182-1/
reference_id	USN-8182-1
reference_type
scores
url	https://usn.ubuntu.com/8182-1/

fixed_packages

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2026-32762, GHSA-qfgr-crr9-7r49

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3bh7-vrvj-p3g1

url VCID-6hht-91zy-fqdf

vulnerability_id VCID-6hht-91zy-fqdf

summary rack: Rack: Denial of Service via crafted Accept-Encoding header

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34230.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34230.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-34230

reference_id

reference_type

scores

value	0.00022
scoring_system	epss
scoring_elements	0.06608
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-34230

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34230
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34230

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/security/advisories/GHSA-v569-hp3g-36wr

reference_url

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-02T18:56:03Z/

url

https://github.com/rack/rack/security/advisories/GHSA-v569-hp3g-36wr

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-34230.yml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-34230.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-34230

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-34230

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2454493
reference_id	2454493
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2454493

reference_url	https://github.com/advisories/GHSA-v569-hp3g-36wr
reference_id	GHSA-v569-hp3g-36wr
reference_type
scores
url	https://github.com/advisories/GHSA-v569-hp3g-36wr

reference_url	https://usn.ubuntu.com/8182-1/
reference_id	USN-8182-1
reference_type
scores
url	https://usn.ubuntu.com/8182-1/

fixed_packages

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2026-34230, GHSA-v569-hp3g-36wr

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6hht-91zy-fqdf

url VCID-6t6w-vvzt-fqd9

vulnerability_id VCID-6t6w-vvzt-fqd9

summary github.com/rack/rack: Rack: Information disclosure via incorrect static file serving prefix check

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34785.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34785.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-34785

reference_id

reference_type

scores

value	0.00047
scoring_system	epss
scoring_elements	0.14816
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-34785

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34785
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34785

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/security/advisories/GHSA-h2jq-g4cq-5ppq

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-02T18:58:57Z/

url

https://github.com/rack/rack/security/advisories/GHSA-h2jq-g4cq-5ppq

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-34785.yml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-34785.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-34785

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-34785

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2454486
reference_id	2454486
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2454486

reference_url	https://github.com/advisories/GHSA-h2jq-g4cq-5ppq
reference_id	GHSA-h2jq-g4cq-5ppq
reference_type
scores
url	https://github.com/advisories/GHSA-h2jq-g4cq-5ppq

reference_url	https://usn.ubuntu.com/8182-1/
reference_id	USN-8182-1
reference_type
scores
url	https://usn.ubuntu.com/8182-1/

fixed_packages

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2026-34785, GHSA-h2jq-g4cq-5ppq

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6t6w-vvzt-fqd9

url VCID-7pey-8xge-1fbz

vulnerability_id VCID-7pey-8xge-1fbz

summary rack: Rack: Denial of Service via unbounded multipart file upload

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34829.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34829.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-34829

reference_id

reference_type

scores

value	0.00065
scoring_system	epss
scoring_elements	0.20368
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-34829

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34829
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34829

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/security/advisories/GHSA-8vqr-qjwx-82mw

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-02T17:41:27Z/

url

https://github.com/rack/rack/security/advisories/GHSA-8vqr-qjwx-82mw

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-34829.yml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-34829.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-34829

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-34829

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2454488
reference_id	2454488
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2454488

reference_url	https://github.com/advisories/GHSA-8vqr-qjwx-82mw
reference_id	GHSA-8vqr-qjwx-82mw
reference_type
scores
url	https://github.com/advisories/GHSA-8vqr-qjwx-82mw

reference_url	https://usn.ubuntu.com/8182-1/
reference_id	USN-8182-1
reference_type
scores
url	https://usn.ubuntu.com/8182-1/

fixed_packages

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2026-34829, GHSA-8vqr-qjwx-82mw

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7pey-8xge-1fbz

url VCID-8rbg-wrmj-1bcu

vulnerability_id VCID-8rbg-wrmj-1bcu

summary rack: Rack: Information disclosure via regular expression injection in X-Accel-Mapping header

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34830.json

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34830.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-34830

reference_id

reference_type

scores

value	0.00047
scoring_system	epss
scoring_elements	0.14816
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-34830

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34830
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34830

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/security/advisories/GHSA-qv7j-4883-hwh7

reference_url

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3
scoring_elements

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T18:59:36Z/

url

https://github.com/rack/rack/security/advisories/GHSA-qv7j-4883-hwh7

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-34830.yml

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-34830.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-34830

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-34830

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2454510
reference_id	2454510
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2454510

reference_url	https://github.com/advisories/GHSA-qv7j-4883-hwh7
reference_id	GHSA-qv7j-4883-hwh7
reference_type
scores
url	https://github.com/advisories/GHSA-qv7j-4883-hwh7

reference_url	https://usn.ubuntu.com/8182-1/
reference_id	USN-8182-1
reference_type
scores
url	https://usn.ubuntu.com/8182-1/

fixed_packages

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2026-34830, GHSA-qv7j-4883-hwh7

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8rbg-wrmj-1bcu

url VCID-dchf-rhvg-zycw

vulnerability_id VCID-dchf-rhvg-zycw

summary rack: Rack: Host header poisoning due to malformed Host header bypasses validation

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34835.json

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34835.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-34835

reference_id

reference_type

scores

value	0.00152
scoring_system	epss
scoring_elements	0.35557
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-34835

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34835
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34835

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/security/advisories/GHSA-g2pf-xv49-m2h5

reference_url

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3
scoring_elements

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T17:43:54Z/

url

https://github.com/rack/rack/security/advisories/GHSA-g2pf-xv49-m2h5

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-34835.yml

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-34835.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-34835

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-34835

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2454482
reference_id	2454482
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2454482

reference_url	https://github.com/advisories/GHSA-g2pf-xv49-m2h5
reference_id	GHSA-g2pf-xv49-m2h5
reference_type
scores
url	https://github.com/advisories/GHSA-g2pf-xv49-m2h5

reference_url	https://usn.ubuntu.com/8182-1/
reference_id	USN-8182-1
reference_type
scores
url	https://usn.ubuntu.com/8182-1/

fixed_packages

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2026-34835, GHSA-g2pf-xv49-m2h5

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dchf-rhvg-zycw

url VCID-j3e9-y38h-xbbu

vulnerability_id VCID-j3e9-y38h-xbbu

summary rack: Rack: Security header bypass via URL-encoded static path requests

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34786.json

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34786.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-34786

reference_id

reference_type

scores

value	0.00044
scoring_system	epss
scoring_elements	0.13787
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-34786

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34786
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34786

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/security/advisories/GHSA-q4qf-9j86-f5mh

reference_url

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-03T17:37:20Z/

url

https://github.com/rack/rack/security/advisories/GHSA-q4qf-9j86-f5mh

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-34786.yml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-34786.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-34786

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-34786

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2454507
reference_id	2454507
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2454507

reference_url	https://github.com/advisories/GHSA-q4qf-9j86-f5mh
reference_id	GHSA-q4qf-9j86-f5mh
reference_type
scores
url	https://github.com/advisories/GHSA-q4qf-9j86-f5mh

reference_url	https://usn.ubuntu.com/8182-1/
reference_id	USN-8182-1
reference_type
scores
url	https://usn.ubuntu.com/8182-1/

fixed_packages

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2026-34786, GHSA-q4qf-9j86-f5mh

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-j3e9-y38h-xbbu

url VCID-mftr-ma4j-mbhy

vulnerability_id VCID-mftr-ma4j-mbhy

summary rack: Rack: Denial of Service via malicious HTTP Range header

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34826.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34826.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-34826

reference_id

reference_type

scores

value	0.00021
scoring_system	epss
scoring_elements	0.06114
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-34826

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34826
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34826

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/security/advisories/GHSA-x8cg-fq8g-mxfx

reference_url

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-02T18:42:34Z/

url

https://github.com/rack/rack/security/advisories/GHSA-x8cg-fq8g-mxfx

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-34826.yml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-34826.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-34826

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-34826

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2454508
reference_id	2454508
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2454508

reference_url	https://github.com/advisories/GHSA-x8cg-fq8g-mxfx
reference_id	GHSA-x8cg-fq8g-mxfx
reference_type
scores
url	https://github.com/advisories/GHSA-x8cg-fq8g-mxfx

reference_url	https://usn.ubuntu.com/8182-1/
reference_id	USN-8182-1
reference_type
scores
url	https://usn.ubuntu.com/8182-1/

fixed_packages

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2026-34826, GHSA-x8cg-fq8g-mxfx

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mftr-ma4j-mbhy

url VCID-tzca-xm43-xugs

vulnerability_id VCID-tzca-xm43-xugs

summary rack: Rack: Denial of Service via crafted multipart/form-data requests

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34827.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34827.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-34827

reference_id

reference_type

scores

value	0.00022
scoring_system	epss
scoring_elements	0.06581
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-34827

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34827
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34827

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/security/advisories/GHSA-v6x5-cg8r-vv6x

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-02T18:42:04Z/

url

https://github.com/rack/rack/security/advisories/GHSA-v6x5-cg8r-vv6x

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-34827.yml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-34827.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-34827

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-34827

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2454501
reference_id	2454501
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2454501

reference_url	https://github.com/advisories/GHSA-v6x5-cg8r-vv6x
reference_id	GHSA-v6x5-cg8r-vv6x
reference_type
scores
url	https://github.com/advisories/GHSA-v6x5-cg8r-vv6x

reference_url	https://usn.ubuntu.com/8182-1/
reference_id	USN-8182-1
reference_type
scores
url	https://usn.ubuntu.com/8182-1/

fixed_packages

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2026-34827, GHSA-v6x5-cg8r-vv6x

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tzca-xm43-xugs

url VCID-vch5-2deq-euaq

vulnerability_id VCID-vch5-2deq-euaq

summary rack: Rack: Information disclosure via regular expression metacharacters in root path

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34763.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34763.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-34763

reference_id

reference_type

scores

value	0.00041
scoring_system	epss
scoring_elements	0.12991
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-34763

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34763
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34763

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/security/advisories/GHSA-7mqq-6cf9-v2qp

reference_url

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-02T17:41:04Z/

url

https://github.com/rack/rack/security/advisories/GHSA-7mqq-6cf9-v2qp

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-34763.yml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-34763.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-34763

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-34763

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2454498
reference_id	2454498
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2454498

reference_url	https://github.com/advisories/GHSA-7mqq-6cf9-v2qp
reference_id	GHSA-7mqq-6cf9-v2qp
reference_type
scores
url	https://github.com/advisories/GHSA-7mqq-6cf9-v2qp

reference_url	https://usn.ubuntu.com/8182-1/
reference_id	USN-8182-1
reference_type
scores
url	https://usn.ubuntu.com/8182-1/

fixed_packages

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2026-34763, GHSA-7mqq-6cf9-v2qp

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vch5-2deq-euaq

url VCID-x316-jquh-63ek

vulnerability_id VCID-x316-jquh-63ek

summary rack: Rack: Header injection and response splitting via incorrect multipart header parsing

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26962.json

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26962.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-26962

reference_id

reference_type

scores

value	0.00022
scoring_system	epss
scoring_elements	0.06518
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-26962

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26962
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26962

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/security/advisories/GHSA-rx22-g9mx-qrhv

reference_url

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3
scoring_elements

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T18:31:17Z/

url

https://github.com/rack/rack/security/advisories/GHSA-rx22-g9mx-qrhv

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-26962.yml

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-26962.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-26962

reference_id

reference_type

scores

value	4.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-26962

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2454511
reference_id	2454511
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2454511

reference_url	https://github.com/advisories/GHSA-rx22-g9mx-qrhv
reference_id	GHSA-rx22-g9mx-qrhv
reference_type
scores
url	https://github.com/advisories/GHSA-rx22-g9mx-qrhv

reference_url	https://usn.ubuntu.com/8182-1/
reference_id	USN-8182-1
reference_type
scores
url	https://usn.ubuntu.com/8182-1/

fixed_packages

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2026-26962, GHSA-rx22-g9mx-qrhv

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-x316-jquh-63ek

Fixing_vulnerabilities

url VCID-1nzv-zger-fka9

vulnerability_id VCID-1nzv-zger-fka9

summary

Rack has possible DoS Vulnerability with Range Header
# Possible DoS Vulnerability with Range Header in Rack

There is a possible DoS vulnerability relating to the Range request header in
Rack.  This vulnerability has been assigned the CVE identifier CVE-2024-26141.

Versions Affected:  >= 1.3.0.
Not affected:       < 1.3.0
Fixed Versions:     3.0.9.1, 2.2.8.1

Impact
------
Carefully crafted Range headers can cause a server to respond with an
unexpectedly large response. Responding with such large responses could lead
to a denial of service issue.

Vulnerable applications will use the `Rack::File` middleware or the
`Rack::Utils.byte_ranges` methods (this includes Rails applications).

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
There are no feasible workarounds for this issue.

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

* 3-0-range.patch - Patch for 3.0 series
* 2-2-range.patch - Patch for 2.2 series

Credits
-------

Thank you [ooooooo_q](https://hackerone.com/ooooooo_q) for the report and
patch

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26141.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26141.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-26141

reference_id

reference_type

scores

value	0.0041
scoring_system	epss
scoring_elements	0.61607
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-26141

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25126
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25126

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26141
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26141

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26146
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26146

reference_url

https://discuss.rubyonrails.org/t/possible-dos-vulnerability-with-range-header-in-rack/84944

reference_id

reference_type

scores

value	5.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-05T18:23:59Z/

url

https://discuss.rubyonrails.org/t/possible-dos-vulnerability-with-range-header-in-rack/84944

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/commit/4849132bef471adb21131980df745f4bb84de2d9

reference_url

reference_id

reference_type

scores

value	5.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-05T18:23:59Z/

url

https://github.com/rack/rack/commit/4849132bef471adb21131980df745f4bb84de2d9

reference_url

https://github.com/rack/rack/commit/62457686b26d33a15a254c7768c2076e8e02b48b

reference_id

reference_type

scores

value	5.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-05T18:23:59Z/

url

https://github.com/rack/rack/commit/62457686b26d33a15a254c7768c2076e8e02b48b

reference_url

https://github.com/rack/rack/security/advisories/GHSA-xj5v-6v4g-jfw6

reference_id

reference_type

scores

value	5.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-05T18:23:59Z/

url

https://github.com/rack/rack/security/advisories/GHSA-xj5v-6v4g-jfw6

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26141.yml

reference_id

reference_type

scores

value	5.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-05T18:23:59Z/

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26141.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-26141

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-26141

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064516
reference_id	1064516
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064516

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2265594
reference_id	2265594
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2265594

reference_url

https://github.com/advisories/GHSA-xj5v-6v4g-jfw6

reference_id

GHSA-xj5v-6v4g-jfw6

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-xj5v-6v4g-jfw6

reference_url

https://security.netapp.com/advisory/ntap-20240510-0007/

reference_id

ntap-20240510-0007

reference_type

scores

value	5.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-05T18:23:59Z/

url

https://security.netapp.com/advisory/ntap-20240510-0007/

reference_url	https://access.redhat.com/errata/RHSA-2024:10806
reference_id	RHSA-2024:10806
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:10806

reference_url	https://access.redhat.com/errata/RHSA-2024:1841
reference_id	RHSA-2024:1841
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:1841

reference_url	https://access.redhat.com/errata/RHSA-2024:1846
reference_id	RHSA-2024:1846
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:1846

reference_url	https://access.redhat.com/errata/RHSA-2024:2007
reference_id	RHSA-2024:2007
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:2007

reference_url	https://access.redhat.com/errata/RHSA-2024:2113
reference_id	RHSA-2024:2113
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:2113

reference_url	https://access.redhat.com/errata/RHSA-2024:2581
reference_id	RHSA-2024:2581
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:2581

reference_url	https://access.redhat.com/errata/RHSA-2024:2584
reference_id	RHSA-2024:2584
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:2584

reference_url	https://access.redhat.com/errata/RHSA-2024:2953
reference_id	RHSA-2024:2953
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:2953

reference_url	https://access.redhat.com/errata/RHSA-2024:3431
reference_id	RHSA-2024:3431
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:3431

reference_url	https://usn.ubuntu.com/6689-1/
reference_id	USN-6689-1
reference_type
scores
url	https://usn.ubuntu.com/6689-1/

reference_url	https://usn.ubuntu.com/6837-1/
reference_id	USN-6837-1
reference_type
scores
url	https://usn.ubuntu.com/6837-1/

reference_url	https://usn.ubuntu.com/6837-2/
reference_id	USN-6837-2
reference_type
scores
url	https://usn.ubuntu.com/6837-2/

reference_url	https://usn.ubuntu.com/7036-1/
reference_id	USN-7036-1
reference_type
scores
url	https://usn.ubuntu.com/7036-1/

fixed_packages

url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u2%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@2.2.6.4-1%2Bdeb12u1?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.2.6.4-1%2Bdeb12u1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.6.4-1%252Bdeb12u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@2.2.7-1.1?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.2.7-1.1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.7-1.1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2024-26141, GHSA-xj5v-6v4g-jfw6

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-1nzv-zger-fka9

url VCID-2zdv-mr4w-zkfg

vulnerability_id VCID-2zdv-mr4w-zkfg

summary rubygem-rack: Improper handling of headers in `Rack::Sendfile` may allow proxy bypass

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61780.json

reference_id

reference_type

scores

value	5.8
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61780.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-61780

reference_id

reference_type

scores

value	0.00011
scoring_system	epss
scoring_elements	0.01466
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-61780

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61780
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61780

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	5.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/commit/57277b7741581fa827472c5c666f6e6a33abd784

reference_url

reference_id

reference_type

scores

value	5.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:34:55Z/

url

https://github.com/rack/rack/commit/57277b7741581fa827472c5c666f6e6a33abd784

reference_url

https://github.com/rack/rack/commit/7e69f65eefe9cd2868df9f9f3b0977b86f93523a

reference_id

reference_type

scores

value	5.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:34:55Z/

url

https://github.com/rack/rack/commit/7e69f65eefe9cd2868df9f9f3b0977b86f93523a

reference_url

https://github.com/rack/rack/commit/fba2c8bc63eb787ff4b19bc612d315fda6126d85

reference_id

reference_type

scores

value	5.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:34:55Z/

url

https://github.com/rack/rack/commit/fba2c8bc63eb787ff4b19bc612d315fda6126d85

reference_url

https://github.com/rack/rack/security/advisories/GHSA-r657-rxjc-j557

reference_id

reference_type

scores

value	5.8
scoring_system	cvssv3
scoring_elements

value	5.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:34:55Z/

url

https://github.com/rack/rack/security/advisories/GHSA-r657-rxjc-j557

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61780.yml

reference_id

reference_type

scores

value	5.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61780.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-61780

reference_id

reference_type

scores

value	5.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-61780

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117855
reference_id	1117855
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117855

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2403126
reference_id	2403126
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2403126

reference_url

https://github.com/advisories/GHSA-r657-rxjc-j557

reference_id

GHSA-r657-rxjc-j557

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-r657-rxjc-j557

reference_url	https://usn.ubuntu.com/7960-1/
reference_id	USN-7960-1
reference_type
scores
url	https://usn.ubuntu.com/7960-1/

fixed_packages

url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u2%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u4?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u4?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u4%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@2.2.20-0%2Bdeb12u1?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.2.20-0%2Bdeb12u1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.20-0%252Bdeb12u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.1.18-1~deb13u1?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.1.18-1~deb13u1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.18-1~deb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.1.18-1?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.1.18-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.18-1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2025-61780, GHSA-r657-rxjc-j557

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-2zdv-mr4w-zkfg

url VCID-31yn-1jfq-z7am

vulnerability_id VCID-31yn-1jfq-z7am

summary

Directory traversal in Rack::Directory app bundled with Rack
A directory traversal vulnerability exists in rack < 2.2.0 that allows an attacker perform directory traversal vulnerability in the Rack::Directory app that is bundled with Rack which could result in information disclosure.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8161.json

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8161.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2020-8161

reference_id

reference_type

scores

value	0.00907
scoring_system	epss
scoring_elements	0.76104
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2020-8161

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8161
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8161

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/commit/dddb7ad18ed79ca6ab06ccc417a169fde451246e

reference_url

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/commit/dddb7ad18ed79ca6ab06ccc417a169fde451246e

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2020-8161.yml

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2020-8161.yml

reference_url

https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv3
scoring_elements

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/forum/#!topic/ruby-security-ann/T4ZIsfRf2eA

reference_url

https://groups.google.com/g/rubyonrails-security/c/IOO1vNZTzPA

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/rubyonrails-security/c/IOO1vNZTzPA

reference_url

https://lists.debian.org/debian-lts-announce/2020/07/msg00006.html

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2020/07/msg00006.html

reference_url

https://lists.debian.org/debian-lts-announce/2023/01/msg00038.html

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2023/01/msg00038.html

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2020-8161

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2020-8161

reference_url

reference_id

reference_type

scores

value	8.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/advisories/GHSA-5f9h-9pjv-v6j7

reference_url	https://usn.ubuntu.com/4561-1/
reference_id
reference_type
scores
url	https://usn.ubuntu.com/4561-1/

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1838281
reference_id	1838281
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1838281

reference_url

reference_id

GHSA-5f9h-9pjv-v6j7

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-5f9h-9pjv-v6j7

reference_url	https://access.redhat.com/errata/RHSA-2020:4366
reference_id	RHSA-2020:4366
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2020:4366

reference_url	https://usn.ubuntu.com/4561-2/
reference_id	USN-4561-2
reference_type
scores
url	https://usn.ubuntu.com/4561-2/

fixed_packages

url	pkg:deb/debian/ruby-rack@2.1.1-5?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.1.1-5?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.1-5%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u2%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2020-8161, GHSA-5f9h-9pjv-v6j7

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-31yn-1jfq-z7am

url VCID-3c3t-sa76-j3bv

vulnerability_id VCID-3c3t-sa76-j3bv

summary

Rack vulnerable to Cross-site Scripting
There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11. Carefully crafted requests can impact the data returned by the `scheme` method on `Rack::Request`. Applications that expect the scheme to be limited to 'http' or 'https' and do not escape the return value could be vulnerable to an XSS attack. Note that applications using the normal escaping mechanisms provided by Rails may not impacted, but applications that bypass the escaping mechanisms, or do not use them may be vulnerable.

references

reference_url

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00032.html

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://lists.opensuse.org/opensuse-security-announce/2019-06/msg00032.html

reference_url

http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00016.html

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00016.html

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-16471.json

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-16471.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2018-16471

reference_id

reference_type

scores

value	0.00829
scoring_system	epss
scoring_elements	0.74838
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2018-16471

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16471
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-16471

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2018-16471.yml

reference_url

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2018-16471.yml

reference_url

https://groups.google.com/forum/#!topic/rubyonrails-security/GKsAFT924Ag

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/forum/#!topic/rubyonrails-security/GKsAFT924Ag

reference_url

https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3
scoring_elements

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/forum/#!topic/ruby-security-ann/NAalCee8n6o

reference_url

https://lists.debian.org/debian-lts-announce/2018/11/msg00022.html

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2018/11/msg00022.html

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2018-16471

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2018-16471

reference_url

https://usn.ubuntu.com/4089-1

reference_id

reference_type

scores

value	6.1
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://usn.ubuntu.com/4089-1

reference_url	https://usn.ubuntu.com/4089-1/
reference_id
reference_type
scores
url	https://usn.ubuntu.com/4089-1/

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1646818
reference_id	1646818
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1646818

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913005
reference_id	913005
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913005

reference_url

https://github.com/advisories/GHSA-5r2p-j47h-mhpg

reference_id

GHSA-5r2p-j47h-mhpg

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-5r2p-j47h-mhpg

fixed_packages

url	pkg:deb/debian/ruby-rack@1.6.4-6?distro=trixie
purl	pkg:deb/debian/ruby-rack@1.6.4-6?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@1.6.4-6%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u2%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2018-16471, GHSA-5r2p-j47h-mhpg

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3c3t-sa76-j3bv

url VCID-4umy-say3-ruad

vulnerability_id VCID-4umy-say3-ruad

summary rubygem-rack: Rack stored XSS in Rack::Directory

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25500.json

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25500.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-25500

reference_id

reference_type

scores

value	0.00025
scoring_system	epss
scoring_elements	0.07554
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-25500

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25500
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25500

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/commit/f2f225f297b99fbee3d9f51255d41f601fc40aff

reference_url

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-18T19:42:04Z/

url

https://github.com/rack/rack/commit/f2f225f297b99fbee3d9f51255d41f601fc40aff

reference_url

https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3
scoring_elements

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-18T19:42:04Z/

url

https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-25500.yml

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-25500.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-25500

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-25500

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128480
reference_id	1128480
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128480

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2440738
reference_id	2440738
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2440738

reference_url

https://github.com/advisories/GHSA-whrj-4476-wvmp

reference_id

GHSA-whrj-4476-wvmp

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-whrj-4476-wvmp

reference_url	https://usn.ubuntu.com/8066-1/
reference_id	USN-8066-1
reference_type
scores
url	https://usn.ubuntu.com/8066-1/

fixed_packages

url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u2%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u5?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u5?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u5%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.5-1?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.5-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.5-1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2026-25500, GHSA-whrj-4476-wvmp

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-4umy-say3-ruad

url VCID-5kyg-kwck-akaf

vulnerability_id VCID-5kyg-kwck-akaf

summary

Rack Header Parsing leads to Possible Denial of Service Vulnerability
# Possible Denial of Service Vulnerability in Rack Header Parsing

There is a possible denial of service vulnerability in the header parsing
routines in Rack.  This vulnerability has been assigned the CVE identifier
CVE-2024-26146.

Versions Affected:  All.
Not affected:       None
Fixed Versions:     2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1

Impact
------
Carefully crafted headers can cause header parsing in Rack to take longer than
expected resulting in a possible denial of service issue. Accept and Forwarded
headers are impacted.

Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2
or newer are unaffected.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
There are no feasible workarounds for this issue.

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

* 2-0-header-redos.patch - Patch for 2.0 series
* 2-1-header-redos.patch - Patch for 2.1 series
* 2-2-header-redos.patch - Patch for 2.2 series
* 3-0-header-redos.patch - Patch for 3.0 series

Credits
-------

Thanks to [svalkanov](https://hackerone.com/svalkanov) for reporting this and
providing patches!

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26146.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26146.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-26146

reference_id

reference_type

scores

value	0.00775
scoring_system	epss
scoring_elements	0.73907
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-26146

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25126
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25126

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26141
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26141

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26146
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26146

reference_url

https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/

url

https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716

reference_url

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/

url

https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716

reference_url

https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/

url

https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582

reference_url

https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/

url

https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f

reference_url

https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/

url

https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd

reference_url

https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/

url

https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-26146

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-26146

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064516
reference_id	1064516
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064516

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2265595
reference_id	2265595
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2265595

reference_url

https://github.com/advisories/GHSA-54rr-7fvw-6x8f

reference_id

GHSA-54rr-7fvw-6x8f

reference_type

scores

value	LOW
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-54rr-7fvw-6x8f

reference_url

https://security.netapp.com/advisory/ntap-20240510-0006/

reference_id

ntap-20240510-0006

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/

url

https://security.netapp.com/advisory/ntap-20240510-0006/

reference_url	https://access.redhat.com/errata/RHSA-2024:10806
reference_id	RHSA-2024:10806
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:10806

reference_url	https://access.redhat.com/errata/RHSA-2024:1841
reference_id	RHSA-2024:1841
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:1841

reference_url	https://access.redhat.com/errata/RHSA-2024:1846
reference_id	RHSA-2024:1846
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:1846

reference_url	https://access.redhat.com/errata/RHSA-2024:2007
reference_id	RHSA-2024:2007
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:2007

reference_url	https://access.redhat.com/errata/RHSA-2024:2113
reference_id	RHSA-2024:2113
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:2113

reference_url	https://access.redhat.com/errata/RHSA-2024:2581
reference_id	RHSA-2024:2581
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:2581

reference_url	https://access.redhat.com/errata/RHSA-2024:2584
reference_id	RHSA-2024:2584
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:2584

reference_url	https://access.redhat.com/errata/RHSA-2024:2953
reference_id	RHSA-2024:2953
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:2953

reference_url	https://access.redhat.com/errata/RHSA-2024:3431
reference_id	RHSA-2024:3431
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:3431

reference_url	https://usn.ubuntu.com/6689-1/
reference_id	USN-6689-1
reference_type
scores
url	https://usn.ubuntu.com/6689-1/

reference_url	https://usn.ubuntu.com/6837-1/
reference_id	USN-6837-1
reference_type
scores
url	https://usn.ubuntu.com/6837-1/

reference_url	https://usn.ubuntu.com/6837-2/
reference_id	USN-6837-2
reference_type
scores
url	https://usn.ubuntu.com/6837-2/

reference_url	https://usn.ubuntu.com/7036-1/
reference_id	USN-7036-1
reference_type
scores
url	https://usn.ubuntu.com/7036-1/

fixed_packages

url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u2%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@2.2.6.4-1%2Bdeb12u1?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.2.6.4-1%2Bdeb12u1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.6.4-1%252Bdeb12u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@2.2.7-1.1?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.2.7-1.1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.7-1.1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2024-26146, GHSA-54rr-7fvw-6x8f

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5kyg-kwck-akaf

url VCID-5pry-5agj-tygz

vulnerability_id VCID-5pry-5agj-tygz

summary rubygem-rack: Rack Directory Traversal via Rack:Directory

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22860.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22860.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2026-22860

reference_id

reference_type

scores

value	0.00123
scoring_system	epss
scoring_elements	0.31135
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2026-22860

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22860
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22860

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-18T19:27:31Z/

url

https://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7

reference_url

https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-18T19:27:31Z/

url

https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-22860.yml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-22860.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-22860

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-22860

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128479
reference_id	1128479
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128479

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2440737
reference_id	2440737
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2440737

reference_url

https://github.com/advisories/GHSA-mxw3-3hh2-x2mh

reference_id

GHSA-mxw3-3hh2-x2mh

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-mxw3-3hh2-x2mh

reference_url	https://usn.ubuntu.com/8066-1/
reference_id	USN-8066-1
reference_type
scores
url	https://usn.ubuntu.com/8066-1/

fixed_packages

url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u2%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u5?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u5?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u5%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.5-1?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.5-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.5-1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2026-22860, GHSA-mxw3-3hh2-x2mh

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-5pry-5agj-tygz

url VCID-64vt-66fw-53dk

vulnerability_id VCID-64vt-66fw-53dk

summary

Rack vulnerable to Denial of Service
Unspecified vulnerability in `Rack::Auth::AbstractRequest` in Rack 1.1.x before 1.1.5, 1.2.x before 1.2.7, 1.3.x before 1.3.9, and 1.4.x before 1.4.4 allows remote attackers to cause a denial of service via unknown vectors related to "symbolized arbitrary strings."

references

reference_url

http://lists.opensuse.org/opensuse-updates/2013-03/msg00048.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://lists.opensuse.org/opensuse-updates/2013-03/msg00048.html

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://access.redhat.com/errata/RHSA-2013:0548

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://access.redhat.com/errata/RHSA-2013:0548

reference_url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-0184.json
reference_id
reference_type
scores
url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-0184.json

reference_url

https://access.redhat.com/security/cve/CVE-2013-0184

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://access.redhat.com/security/cve/CVE-2013-0184

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2013-0184

reference_id

reference_type

scores

value	0.00677
scoring_system	epss
scoring_elements	0.71852
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2013-0184

reference_url

https://bugzilla.redhat.com/show_bug.cgi?id=895384

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://bugzilla.redhat.com/show_bug.cgi?id=895384

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0184
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0184

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/commit/1f61549529d07abd4aa512b8320ab0e97dcacc5d

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/commit/1f61549529d07abd4aa512b8320ab0e97dcacc5d

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2013-0184

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2013-0184

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/advisories/GHSA-v882-ccj6-jc48

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698440
reference_id	698440
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698440

reference_url

reference_id

GHSA-v882-ccj6-jc48

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-v882-ccj6-jc48

reference_url	https://security.gentoo.org/glsa/201405-10
reference_id	GLSA-201405-10
reference_type
scores
url	https://security.gentoo.org/glsa/201405-10

fixed_packages

url	pkg:deb/debian/ruby-rack@1.4.1-2.1?distro=trixie
purl	pkg:deb/debian/ruby-rack@1.4.1-2.1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@1.4.1-2.1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u2%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2013-0184, GHSA-v882-ccj6-jc48, OSV-89327

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-64vt-66fw-53dk

url VCID-6jed-427q-gbev

vulnerability_id VCID-6jed-427q-gbev

summary

Rack vulnerable to Denial of Service
There is a possible DoS vulnerability in the multipart parser in Rack before 2.0.6. Specially crafted requests can cause the multipart parser to enter a pathological state, causing the parser to use CPU resources disproportionate to the request size.

references

reference_url

https://access.redhat.com/errata/RHSA-2019:3172

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://access.redhat.com/errata/RHSA-2019:3172

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-16470.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2018-16470.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2018-16470

reference_id

reference_type

scores

value	0.00177
scoring_system	epss
scoring_elements	0.38972
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2018-16470

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2018-16470.yml

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2018-16470.yml

reference_url

https://groups.google.com/forum/#!msg/rubyonrails-security/U_x-YkfuVTg/xhvYAmp6AAAJ

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/forum/#!msg/rubyonrails-security/U_x-YkfuVTg/xhvYAmp6AAAJ

reference_url

https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/forum/#!topic/ruby-security-ann/Dz4sRl-ktKk

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2018-16470

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2018-16470

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1646814
reference_id	1646814
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1646814

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913003
reference_id	913003
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=913003

reference_url

https://github.com/advisories/GHSA-hg78-4f6x-99wq

reference_id

GHSA-hg78-4f6x-99wq

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-hg78-4f6x-99wq

fixed_packages

url	pkg:deb/debian/ruby-rack@0?distro=trixie
purl	pkg:deb/debian/ruby-rack@0?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@0%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u2%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2018-16470, GHSA-hg78-4f6x-99wq

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-6jed-427q-gbev

url VCID-87hv-57m8-4qey

vulnerability_id VCID-87hv-57m8-4qey

summary rack: rubygem-rack: Local File Inclusion in Rack::Static

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27610.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27610.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-27610

reference_id

reference_type

scores

value	0.01854
scoring_system	epss
scoring_elements	0.83334
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-27610

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27610
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27610

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/commit/50caab74fa01ee8f5dbdee7bb2782126d20c6583

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-11T15:22:45Z/

url

https://github.com/rack/rack/commit/50caab74fa01ee8f5dbdee7bb2782126d20c6583

reference_url

https://github.com/rack/rack/security/advisories/GHSA-7wqh-767x-r66v

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-11T15:22:45Z/

url

https://github.com/rack/rack/security/advisories/GHSA-7wqh-767x-r66v

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-27610.yml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-27610.yml

reference_url

https://lists.debian.org/debian-lts-announce/2025/03/msg00016.html

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2025/03/msg00016.html

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-27610

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-27610

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100444
reference_id	1100444
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100444

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2351231
reference_id	2351231
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2351231

reference_url	https://github.com/advisories/GHSA-7wqh-767x-r66v
reference_id	GHSA-7wqh-767x-r66v
reference_type
scores
url	https://github.com/advisories/GHSA-7wqh-767x-r66v

reference_url	https://access.redhat.com/errata/RHSA-2025:3448
reference_id	RHSA-2025:3448
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:3448

reference_url	https://access.redhat.com/errata/RHSA-2025:3490
reference_id	RHSA-2025:3490
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:3490

reference_url	https://access.redhat.com/errata/RHSA-2025:3491
reference_id	RHSA-2025:3491
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:3491

reference_url	https://access.redhat.com/errata/RHSA-2025:3492
reference_id	RHSA-2025:3492
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:3492

reference_url	https://access.redhat.com/errata/RHSA-2025:3906
reference_id	RHSA-2025:3906
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:3906

reference_url	https://access.redhat.com/errata/RHSA-2025:4576
reference_id	RHSA-2025:4576
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:4576

reference_url	https://usn.ubuntu.com/7366-1/
reference_id	USN-7366-1
reference_type
scores
url	https://usn.ubuntu.com/7366-1/

reference_url	https://usn.ubuntu.com/7366-2/
reference_id	USN-7366-2
reference_type
scores
url	https://usn.ubuntu.com/7366-2/

fixed_packages

url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u2%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u3?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u3?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u3%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@2.2.13-1~deb12u1?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.2.13-1~deb12u1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.13-1~deb12u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.1.12-1?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.1.12-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.12-1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2025-27610, GHSA-7wqh-767x-r66v

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-87hv-57m8-4qey

url VCID-8kwp-wuv8-gqf8

vulnerability_id VCID-8kwp-wuv8-gqf8

summary rubygem-rack: Unbounded read in `Rack::Request` form parsing can lead to memory exhaustion

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61919.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61919.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-61919

reference_id

reference_type

scores

value	0.00282
scoring_system	epss
scoring_elements	0.51764
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-61919

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61919
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61919

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/commit/4e2c903991a790ee211a3021808ff4fd6fe82881

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:48:10Z/

url

https://github.com/rack/rack/commit/4e2c903991a790ee211a3021808ff4fd6fe82881

reference_url

https://github.com/rack/rack/commit/cbd541e8a3d0c5830a3c9a30d3718ce2e124f9db

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:48:10Z/

url

https://github.com/rack/rack/commit/cbd541e8a3d0c5830a3c9a30d3718ce2e124f9db

reference_url

https://github.com/rack/rack/commit/e179614c4a653283286f5f046428cbb85f21146f

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:48:10Z/

url

https://github.com/rack/rack/commit/e179614c4a653283286f5f046428cbb85f21146f

reference_url

https://github.com/rack/rack/security/advisories/GHSA-6xw4-3v39-52mm

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:48:10Z/

url

https://github.com/rack/rack/security/advisories/GHSA-6xw4-3v39-52mm

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61919.yml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61919.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-61919

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-61919

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117856
reference_id	1117856
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117856

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2403180
reference_id	2403180
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2403180

reference_url

https://github.com/advisories/GHSA-6xw4-3v39-52mm

reference_id

GHSA-6xw4-3v39-52mm

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-6xw4-3v39-52mm

reference_url	https://access.redhat.com/errata/RHSA-2025:19512
reference_id	RHSA-2025:19512
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19512

reference_url	https://access.redhat.com/errata/RHSA-2025:19513
reference_id	RHSA-2025:19513
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19513

reference_url	https://access.redhat.com/errata/RHSA-2025:19647
reference_id	RHSA-2025:19647
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19647

reference_url	https://access.redhat.com/errata/RHSA-2025:19719
reference_id	RHSA-2025:19719
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19719

reference_url	https://access.redhat.com/errata/RHSA-2025:19733
reference_id	RHSA-2025:19733
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19733

reference_url	https://access.redhat.com/errata/RHSA-2025:19734
reference_id	RHSA-2025:19734
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19734

reference_url	https://access.redhat.com/errata/RHSA-2025:19736
reference_id	RHSA-2025:19736
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19736

reference_url	https://access.redhat.com/errata/RHSA-2025:19800
reference_id	RHSA-2025:19800
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19800

reference_url	https://access.redhat.com/errata/RHSA-2025:19832
reference_id	RHSA-2025:19832
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19832

reference_url	https://access.redhat.com/errata/RHSA-2025:19855
reference_id	RHSA-2025:19855
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19855

reference_url	https://access.redhat.com/errata/RHSA-2025:19856
reference_id	RHSA-2025:19856
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19856

reference_url	https://access.redhat.com/errata/RHSA-2025:19948
reference_id	RHSA-2025:19948
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19948

reference_url	https://access.redhat.com/errata/RHSA-2025:20962
reference_id	RHSA-2025:20962
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:20962

reference_url	https://access.redhat.com/errata/RHSA-2025:21036
reference_id	RHSA-2025:21036
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:21036

reference_url	https://access.redhat.com/errata/RHSA-2025:21696
reference_id	RHSA-2025:21696
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:21696

reference_url	https://usn.ubuntu.com/7960-1/
reference_id	USN-7960-1
reference_type
scores
url	https://usn.ubuntu.com/7960-1/

fixed_packages

url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u2%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u4?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u4?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u4%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@2.2.20-0%2Bdeb12u1?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.2.20-0%2Bdeb12u1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.20-0%252Bdeb12u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.1.18-1~deb13u1?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.1.18-1~deb13u1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.18-1~deb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.1.18-1?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.1.18-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.18-1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2025-61919, GHSA-6xw4-3v39-52mm

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8kwp-wuv8-gqf8

url VCID-9dqs-zbmn-b7e4

vulnerability_id VCID-9dqs-zbmn-b7e4

summary rack: Rack memory exhaustion denial of service

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61772.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61772.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-61772

reference_id

reference_type

scores

value	0.00324
scoring_system	epss
scoring_elements	0.55636
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-61772

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61772
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61772

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:19Z/

url

https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e

reference_url

https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:19Z/

url

https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e

reference_url

https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:19Z/

url

https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd

reference_url

https://github.com/rack/rack/security/advisories/GHSA-wpv5-97wm-hp9c

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:19Z/

url

https://github.com/rack/rack/security/advisories/GHSA-wpv5-97wm-hp9c

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61772.yml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61772.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-61772

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-61772

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117627
reference_id	1117627
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117627

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2402200
reference_id	2402200
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2402200

reference_url

https://github.com/advisories/GHSA-wpv5-97wm-hp9c

reference_id

GHSA-wpv5-97wm-hp9c

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-wpv5-97wm-hp9c

reference_url	https://access.redhat.com/errata/RHSA-2025:19512
reference_id	RHSA-2025:19512
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19512

reference_url	https://access.redhat.com/errata/RHSA-2025:19513
reference_id	RHSA-2025:19513
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19513

reference_url	https://access.redhat.com/errata/RHSA-2025:19647
reference_id	RHSA-2025:19647
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19647

reference_url	https://access.redhat.com/errata/RHSA-2025:19719
reference_id	RHSA-2025:19719
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19719

reference_url	https://access.redhat.com/errata/RHSA-2025:19733
reference_id	RHSA-2025:19733
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19733

reference_url	https://access.redhat.com/errata/RHSA-2025:19734
reference_id	RHSA-2025:19734
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19734

reference_url	https://access.redhat.com/errata/RHSA-2025:19736
reference_id	RHSA-2025:19736
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19736

reference_url	https://access.redhat.com/errata/RHSA-2025:19800
reference_id	RHSA-2025:19800
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19800

reference_url	https://access.redhat.com/errata/RHSA-2025:19948
reference_id	RHSA-2025:19948
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19948

reference_url	https://access.redhat.com/errata/RHSA-2025:20962
reference_id	RHSA-2025:20962
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:20962

reference_url	https://access.redhat.com/errata/RHSA-2025:21036
reference_id	RHSA-2025:21036
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:21036

reference_url	https://usn.ubuntu.com/7960-1/
reference_id	USN-7960-1
reference_type
scores
url	https://usn.ubuntu.com/7960-1/

fixed_packages

url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u2%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u4?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u4?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u4%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@2.2.20-0%2Bdeb12u1?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.2.20-0%2Bdeb12u1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.20-0%252Bdeb12u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.1.18-1~deb13u1?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.1.18-1~deb13u1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.18-1~deb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.1.18-1?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.1.18-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.18-1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2025-61772, GHSA-wpv5-97wm-hp9c

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9dqs-zbmn-b7e4

url VCID-9smu-4k8c-3kh2

vulnerability_id VCID-9smu-4k8c-3kh2

summary rubygem-rack: crafted multipart POST request may cause a DoS

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-30122.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-30122.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-30122

reference_id

reference_type

scores

value	0.00989
scoring_system	epss
scoring_elements	0.77163
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-30122

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539

reference_url

https://discuss.rubyonrails.org/t/cve-2022-30122-denial-of-service-vulnerability-in-rack-multipart-parsing/80729

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2023-12-13T16:09:46Z/

url

https://discuss.rubyonrails.org/t/cve-2022-30122-denial-of-service-vulnerability-in-rack-multipart-parsing/80729

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-30122.yml

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-30122.yml

reference_url

https://groups.google.com/g/ruby-security-ann/c/L2Axto442qk

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/ruby-security-ann/c/L2Axto442qk

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-30122

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-30122

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2023-12-13T16:09:46Z/

url

https://security.netapp.com/advisory/ntap-20231208-0012

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20231208-0012

reference_url

https://security.netapp.com/advisory/ntap-20231208-0012/

reference_id

reference_type

scores

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2023-12-13T16:09:46Z/

url

https://security.netapp.com/advisory/ntap-20231208-0012/

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2023-12-13T16:09:46Z/

url

https://github.com/advisories/GHSA-hxqx-xwvh-44m2

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2099519
reference_id	2099519
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2099519

reference_url

reference_id

GHSA-hxqx-xwvh-44m2

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-hxqx-xwvh-44m2

reference_url	https://access.redhat.com/errata/RHSA-2022:7242
reference_id	RHSA-2022:7242
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:7242

reference_url	https://access.redhat.com/errata/RHSA-2023:1486
reference_id	RHSA-2023:1486
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:1486

reference_url	https://usn.ubuntu.com/5896-1/
reference_id	USN-5896-1
reference_type
scores
url	https://usn.ubuntu.com/5896-1/

reference_url	https://usn.ubuntu.com/7036-1/
reference_id	USN-7036-1
reference_type
scores
url	https://usn.ubuntu.com/7036-1/

reference_url	https://usn.ubuntu.com/USN-5253-1/
reference_id	USN-USN-5253-1
reference_type
scores
url	https://usn.ubuntu.com/USN-5253-1/

fixed_packages

url	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u1?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u2%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@2.2.4-1?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.2.4-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.4-1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2022-30122, GHSA-hxqx-xwvh-44m2

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9smu-4k8c-3kh2

url VCID-a6k6-15zc-duaw

vulnerability_id VCID-a6k6-15zc-duaw

summary

Rack Vulnerable to Path Traversal
`rack/file.rb` (`Rack::File`) in Rack 1.5.x before 1.5.2 and 1.4.x before 1.4.5 allows attackers to access arbitrary files outside the intended root directory via a crafted `PATH_INFO` environment variable, probably a directory traversal vulnerability that is remotely exploitable, aka "symlink path traversals."

references

reference_url

http://lists.opensuse.org/opensuse-updates/2013-03/msg00048.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://lists.opensuse.org/opensuse-updates/2013-03/msg00048.html

reference_url	http://rack.github.com/
reference_id
reference_type
scores
url	http://rack.github.com/

reference_url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-0262.json
reference_id
reference_type
scores
url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-0262.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2013-0262

reference_id

reference_type

scores

value	0.01263
scoring_system	epss
scoring_elements	0.79746
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2013-0262

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://bugzilla.redhat.com/show_bug.cgi?id=909072

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://bugzilla.redhat.com/show_bug.cgi?id=909072

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0262
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0262

reference_url

https://gist.github.com/rentzsch/4736940

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://gist.github.com/rentzsch/4736940

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/blob/master/lib/rack/file.rb#L56

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/blob/master/lib/rack/file.rb#L56

reference_url

https://github.com/rack/rack/commit/6f237e4c9fab649d3750482514f0fde76c56ab30

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/commit/6f237e4c9fab649d3750482514f0fde76c56ab30

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2013-0262.yml

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2013-0262.yml

reference_url

https://groups.google.com/forum/#!msg/rack-devel/bf937jPZxJM/1s6x95vIhmAJ

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/forum/#!msg/rack-devel/bf937jPZxJM/1s6x95vIhmAJ

reference_url

https://groups.google.com/forum/#!msg/rack-devel/mZsuRonD7G8/DpZIOmMLbOgJ

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/forum/#!msg/rack-devel/mZsuRonD7G8/DpZIOmMLbOgJ

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2013-0262

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2013-0262

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700173
reference_id	700173
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700173

reference_url

https://github.com/advisories/GHSA-85r7-w5mv-c849

reference_id

GHSA-85r7-w5mv-c849

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-85r7-w5mv-c849

reference_url	https://security.gentoo.org/glsa/201405-10
reference_id	GLSA-201405-10
reference_type
scores
url	https://security.gentoo.org/glsa/201405-10

fixed_packages

url	pkg:deb/debian/ruby-rack@1.4.1-2.1?distro=trixie
purl	pkg:deb/debian/ruby-rack@1.4.1-2.1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@1.4.1-2.1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u2%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2013-0262, GHSA-85r7-w5mv-c849, OSV-89938

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-a6k6-15zc-duaw

url VCID-acqj-mqdw-tfe8

vulnerability_id VCID-acqj-mqdw-tfe8

summary

Rack Gem Subject to Denial of Service via Hash Collisions
Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes hash values for form parameters without restricting the ability to trigger hash collisions predictably, which allows remote attackers to cause a denial of service (CPU consumption) by sending many crafted parameters.

references

reference_url	http://osvdb.org/show/osvdb/78121
reference_id
reference_type
scores
url	http://osvdb.org/show/osvdb/78121

reference_url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2011-5036.json
reference_id
reference_type
scores
url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2011-5036.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2011-5036

reference_id

reference_type

scores

value	0.01278
scoring_system	epss
scoring_elements	0.79871
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2011-5036

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5036
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-5036

reference_url

https://gist.github.com/52bbc6b9cc19ce330829

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://gist.github.com/52bbc6b9cc19ce330829

reference_url	https://github.com/rack/rack/commit/09c5e53f11a491c25bef873ed146842f3cd03228
reference_id
reference_type
scores
url	https://github.com/rack/rack/commit/09c5e53f11a491c25bef873ed146842f3cd03228

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2011-5036.yml

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2011-5036.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2011-5036

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2011-5036

reference_url

https://web.archive.org/web/20120201040317/http://jruby.org/2011/12/27/jruby-1-6-5-1

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://web.archive.org/web/20120201040317/http://jruby.org/2011/12/27/jruby-1-6-5-1

reference_url

https://web.archive.org/web/20130213132312/http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://web.archive.org/web/20130213132312/http://archives.neohapsis.com/archives/bugtraq/2011-12/0181.html

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.kb.cert.org/vuls/id/903934

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.kb.cert.org/vuls/id/903934

reference_url

http://www.nruns.com/_downloads/advisory28122011.pdf

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.nruns.com/_downloads/advisory28122011.pdf

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=653963
reference_id	653963
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=653963

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=771149
reference_id	771149
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=771149

reference_url

http://www.ocert.org/advisories/ocert-2011-003.html

reference_id

CVE-2011-4885;OSVDB-78115

reference_type

exploit

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.ocert.org/advisories/ocert-2011-003.html

reference_url	https://security.gentoo.org/glsa/201203-05
reference_id	GLSA-201203-05
reference_type
scores
url	https://security.gentoo.org/glsa/201203-05

fixed_packages

url	pkg:deb/debian/ruby-rack@1.4.0-1?distro=trixie
purl	pkg:deb/debian/ruby-rack@1.4.0-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@1.4.0-1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u2%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2011-5036, GHSA-v6j3-7jrw-hq2p, OSV-78121

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-acqj-mqdw-tfe8

url VCID-dkjq-6mtr-yfgb

vulnerability_id VCID-dkjq-6mtr-yfgb

summary

Rack ReDoS Vulnerability in HTTP Accept Headers Parsing
### Summary

A Regular Expression Denial of Service (ReDoS) vulnerability exists in the `Rack::Request::Helpers` module when parsing HTTP Accept headers. This vulnerability can be exploited by an attacker sending specially crafted `Accept-Encoding` or `Accept-Language` headers, causing the server to spend excessive time processing the request and leading to a Denial of Service (DoS).

### Details

The fix for https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f was not applied to the main branch and thus while the issue was fixed for the Rack v3.0 release series, it was not fixed in the v3.1 release series until v3.1.5.

references

reference_url

https://advisory.dw1.io/61

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://advisory.dw1.io/61

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-39316

reference_id

reference_type

scores

value	0.00833
scoring_system	epss
scoring_elements	0.749
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-39316

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/commit/412c980450ca729ee37f90a2661f166a9665e058

reference_url

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-03T13:50:23Z/

url

https://github.com/rack/rack/commit/412c980450ca729ee37f90a2661f166a9665e058

reference_url

https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-03T13:50:23Z/

url

https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f

reference_url

https://github.com/rack/rack/security/advisories/GHSA-cj83-2ww7-mvq7

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3
scoring_elements

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-03T13:50:23Z/

url

https://github.com/rack/rack/security/advisories/GHSA-cj83-2ww7-mvq7

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-39316.yml

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-39316.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-39316

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-39316

reference_url

https://github.com/advisories/GHSA-cj83-2ww7-mvq7

reference_id

GHSA-cj83-2ww7-mvq7

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-cj83-2ww7-mvq7

fixed_packages

url	pkg:deb/debian/ruby-rack@0?distro=trixie
purl	pkg:deb/debian/ruby-rack@0?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@0%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u2%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2024-39316, GHSA-cj83-2ww7-mvq7

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dkjq-6mtr-yfgb

url VCID-dzhg-3hy9-w3gv

vulnerability_id VCID-dzhg-3hy9-w3gv

summary rack: Rack's multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61771.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61771.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-61771

reference_id

reference_type

scores

value	0.00107
scoring_system	epss
scoring_elements	0.2864
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-61771

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61771
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61771

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:58Z/

url

https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e

reference_url

https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:58Z/

url

https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e

reference_url

https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:58Z/

url

https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd

reference_url

https://github.com/rack/rack/security/advisories/GHSA-w9pc-fmgc-vxvw

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:58Z/

url

https://github.com/rack/rack/security/advisories/GHSA-w9pc-fmgc-vxvw

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61771.yml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61771.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-61771

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-61771

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117628
reference_id	1117628
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117628

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2402175
reference_id	2402175
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2402175

reference_url

https://github.com/advisories/GHSA-w9pc-fmgc-vxvw

reference_id

GHSA-w9pc-fmgc-vxvw

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-w9pc-fmgc-vxvw

reference_url	https://access.redhat.com/errata/RHSA-2025:19512
reference_id	RHSA-2025:19512
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19512

reference_url	https://access.redhat.com/errata/RHSA-2025:19513
reference_id	RHSA-2025:19513
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19513

reference_url	https://access.redhat.com/errata/RHSA-2025:19647
reference_id	RHSA-2025:19647
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19647

reference_url	https://access.redhat.com/errata/RHSA-2025:19719
reference_id	RHSA-2025:19719
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19719

reference_url	https://access.redhat.com/errata/RHSA-2025:19734
reference_id	RHSA-2025:19734
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19734

reference_url	https://access.redhat.com/errata/RHSA-2025:19800
reference_id	RHSA-2025:19800
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19800

reference_url	https://access.redhat.com/errata/RHSA-2025:19948
reference_id	RHSA-2025:19948
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19948

reference_url	https://access.redhat.com/errata/RHSA-2025:20962
reference_id	RHSA-2025:20962
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:20962

reference_url	https://access.redhat.com/errata/RHSA-2025:21036
reference_id	RHSA-2025:21036
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:21036

reference_url	https://access.redhat.com/errata/RHSA-2025:21696
reference_id	RHSA-2025:21696
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:21696

reference_url	https://usn.ubuntu.com/7960-1/
reference_id	USN-7960-1
reference_type
scores
url	https://usn.ubuntu.com/7960-1/

fixed_packages

url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u2%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u4?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u4?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u4%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@2.2.20-0%2Bdeb12u1?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.2.20-0%2Bdeb12u1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.20-0%252Bdeb12u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.1.18-1~deb13u1?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.1.18-1~deb13u1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.18-1~deb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.1.18-1?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.1.18-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.18-1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2025-61771, GHSA-w9pc-fmgc-vxvw

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dzhg-3hy9-w3gv

url VCID-f5ev-kfux-n7hj

vulnerability_id VCID-f5ev-kfux-n7hj

summary

Denial of Service Vulnerability in Rack Content-Disposition parsing
There is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2022-44571.

Versions Affected: >= 2.0.0 Not affected: None. Fixed Versions: 2.0.9.2, 2.1.4.2, 2.2.6.1, 3.0.0.1
Impact

Carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is used typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.
Releases

The fixed releases are available at the normal locations.
Workarounds

There are no feasible workarounds for this issue.
Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

    2-0-Fix-ReDoS-vulnerability-in-multipart-parser - Patch for 2.0 series
    2-1-Fix-ReDoS-vulnerability-in-multipart-parser - Patch for 2.1 series
    2-2-Fix-ReDoS-vulnerability-in-multipart-parser - Patch for 2.2 series
    3-0-Fix-ReDoS-vulnerability-in-multipart-parser - Patch for 3.0 series

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-44571.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-44571.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-44571

reference_id

reference_type

scores

value	0.02825
scoring_system	epss
scoring_elements	0.86412
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-44571

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539

reference_url

https://discuss.rubyonrails.org/t/cve-2022-44571-possible-denial-of-service-vulnerability-in-rack-content-disposition-parsing/82126

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://discuss.rubyonrails.org/t/cve-2022-44571-possible-denial-of-service-vulnerability-in-rack-content-disposition-parsing/82126

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

reference_url

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-44571.yml

reference_url

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-44571.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-44571

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-44571

reference_url

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27111.json

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029832
reference_id	1029832
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029832

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2164714
reference_id	2164714
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2164714

reference_url	https://github.com/advisories/GHSA-93pm-5p5f-3ghx
reference_id	GHSA-93pm-5p5f-3ghx
reference_type
scores
url	https://github.com/advisories/GHSA-93pm-5p5f-3ghx

reference_url	https://access.redhat.com/errata/RHSA-2023:6818
reference_id	RHSA-2023:6818
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:6818

reference_url	https://usn.ubuntu.com/5910-1/
reference_id	USN-5910-1
reference_type
scores
url	https://usn.ubuntu.com/5910-1/

reference_url	https://usn.ubuntu.com/7036-1/
reference_id	USN-7036-1
reference_type
scores
url	https://usn.ubuntu.com/7036-1/

fixed_packages

url	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u1?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u2%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@2.2.4-3?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.2.4-3?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.4-3%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2022-44571, GHSA-93pm-5p5f-3ghx, GMS-2023-65

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-f5ev-kfux-n7hj

url VCID-f6u2-fhux-43f3

vulnerability_id VCID-f6u2-fhux-43f3

summary rack: rubygem-rack: Escape Sequence Injection vulnerability in Rack lead to Possible Log Injection

references

reference_url

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27111.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-27111

reference_id

reference_type

scores

value	0.00865
scoring_system	epss
scoring_elements	0.75428
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-27111

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27111
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27111

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/commit/803aa221e8302719715e224f4476e438f2531a53

reference_url

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-04T15:44:28Z/

url

https://github.com/rack/rack/commit/803aa221e8302719715e224f4476e438f2531a53

reference_url

https://github.com/rack/rack/commit/aeac570bb8080ca7b53b7f2e2f67498be7ebd30b

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-04T15:44:28Z/

url

https://github.com/rack/rack/commit/aeac570bb8080ca7b53b7f2e2f67498be7ebd30b

reference_url

https://github.com/rack/rack/commit/b13bc6bfc7506aca3478dc5ac1c2ec6fc53f82a3

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-04T15:44:28Z/

url

https://github.com/rack/rack/commit/b13bc6bfc7506aca3478dc5ac1c2ec6fc53f82a3

reference_url

https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-04T15:44:28Z/

url

https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-27111.yml

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-27111.yml

reference_url

https://lists.debian.org/debian-lts-announce/2025/03/msg00016.html

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2025/03/msg00016.html

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-27111

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-27111

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1099546
reference_id	1099546
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1099546

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2349810
reference_id	2349810
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2349810

reference_url	https://github.com/advisories/GHSA-8cgq-6mh2-7j6v
reference_id	GHSA-8cgq-6mh2-7j6v
reference_type
scores
url	https://github.com/advisories/GHSA-8cgq-6mh2-7j6v

reference_url	https://usn.ubuntu.com/7366-1/
reference_id	USN-7366-1
reference_type
scores
url	https://usn.ubuntu.com/7366-1/

reference_url	https://usn.ubuntu.com/7366-2/
reference_id	USN-7366-2
reference_type
scores
url	https://usn.ubuntu.com/7366-2/

fixed_packages

url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u2%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u3?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u3?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u3%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@2.2.13-1~deb12u1?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.2.13-1~deb12u1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.13-1~deb12u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.1.12-1?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.1.12-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.12-1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2025-27111, GHSA-8cgq-6mh2-7j6v

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-f6u2-fhux-43f3

url VCID-h44h-uxra-83cs

vulnerability_id VCID-h44h-uxra-83cs

summary

Denial of service via header parsing in Rack
There is a possible denial of service vulnerability in the Range header parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2022-44570.

Versions Affected: >= 1.5.0 Not affected: None. Fixed Versions: 2.0.9.2, 2.1.4.2, 2.2.6.2, 3.0.0.1
Impact

Carefully crafted input can cause the Range header parsing component in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that deal with Range requests (such as streaming applications, or applications that serve files) may be impacted.
Releases

The fixed releases are available at the normal locations.
Workarounds

There are no feasible workarounds for this issue.
Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

    2-0-Fix-ReDoS-in-Rack-Utils.get_byte_ranges.patch - Patch for 2.0 series
    2-1-Fix-ReDoS-in-Rack-Utils.get_byte_ranges.patch - Patch for 2.1 series
    2-2-Fix-ReDoS-in-Rack-Utils.get_byte_ranges.patch - Patch for 2.2 series
    3-0-Fix-ReDoS-in-Rack-Utils.get_byte_ranges.patch - Patch for 3.0 series

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-44570.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-44570.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-44570

reference_id

reference_type

scores

value	0.03121
scoring_system	epss
scoring_elements	0.87067
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-44570

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539

reference_url

https://discuss.rubyonrails.org/t/cve-2022-44570-possible-denial-of-service-vulnerability-in-racks-range-header-parsing/82125

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://discuss.rubyonrails.org/t/cve-2022-44570-possible-denial-of-service-vulnerability-in-racks-range-header-parsing/82125

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-44570.yml

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-44570.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-44570

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-44570

reference_url

https://security.netapp.com/advisory/ntap-20231208-0010

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20231208-0010

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

http://lists.opensuse.org/opensuse-updates/2013-03/msg00048.html

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029832
reference_id	1029832
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029832

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2164719
reference_id	2164719
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2164719

reference_url	https://github.com/advisories/GHSA-65f5-mfpf-vfhj
reference_id	GHSA-65f5-mfpf-vfhj
reference_type
scores
url	https://github.com/advisories/GHSA-65f5-mfpf-vfhj

reference_url	https://access.redhat.com/errata/RHSA-2023:6818
reference_id	RHSA-2023:6818
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:6818

reference_url	https://usn.ubuntu.com/5910-1/
reference_id	USN-5910-1
reference_type
scores
url	https://usn.ubuntu.com/5910-1/

reference_url	https://usn.ubuntu.com/7036-1/
reference_id	USN-7036-1
reference_type
scores
url	https://usn.ubuntu.com/7036-1/

fixed_packages

url	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u1?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u2%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@2.2.4-3?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.2.4-3?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.4-3%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2022-44570, GHSA-65f5-mfpf-vfhj, GMS-2023-64

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-h44h-uxra-83cs

url VCID-h6mf-a3pd-d3hb

vulnerability_id VCID-h6mf-a3pd-d3hb

summary

Rack rubygems receiving excessively long lines triggers out-of-memory error
multipart/parser.rb in Rack 1.3.x before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to cause a denial of service (memory consumption and out-of-memory error) via a long string in a Multipart HTTP packet.

references

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://lists.opensuse.org/opensuse-updates/2013-03/msg00048.html

reference_url

http://rack.github.com

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://rack.github.com

reference_url	http://rack.github.com/
reference_id
reference_type
scores
url	http://rack.github.com/

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://access.redhat.com/security/cve/CVE-2013-0183

reference_url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-0183.json
reference_id
reference_type
scores
url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-0183.json

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://access.redhat.com/security/cve/CVE-2013-0183

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2013-0183

reference_id

reference_type

scores

value	0.01824
scoring_system	epss
scoring_elements	0.83198
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2013-0183

reference_url

https://bugzilla.redhat.com/show_bug.cgi?id=895282

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://bugzilla.redhat.com/show_bug.cgi?id=895282

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0183
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0183

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/commit/548b9af2dc0059f4c0c19728624448d84de450ff

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/commit/548b9af2dc0059f4c0c19728624448d84de450ff

reference_url

https://github.com/rack/rack/commit/f95113402b7239f225282806673e1b6424522b18

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/commit/f95113402b7239f225282806673e1b6424522b18

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2013-0183.yml

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2013-0183.yml

reference_url

https://groups.google.com/forum/#%21topic/rack-devel/7ZKPNAjgRSs

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/forum/#%21topic/rack-devel/7ZKPNAjgRSs

reference_url

https://groups.google.com/forum/#%21topic/rack-devel/-MWPHDeGWtI

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/forum/#%21topic/rack-devel/-MWPHDeGWtI

reference_url

https://groups.google.com/forum/#!topic/rack-devel/7ZKPNAjgRSs

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/forum/#!topic/rack-devel/7ZKPNAjgRSs

reference_url

https://groups.google.com/forum/#!topic/rack-devel/-MWPHDeGWtI

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/forum/#!topic/rack-devel/-MWPHDeGWtI

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2013-0183

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2013-0183

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/advisories/GHSA-3pxh-h8hw-mj8w

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698440
reference_id	698440
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698440

reference_url

reference_id

GHSA-3pxh-h8hw-mj8w

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-3pxh-h8hw-mj8w

reference_url	https://security.gentoo.org/glsa/201405-10
reference_id	GLSA-201405-10
reference_type
scores
url	https://security.gentoo.org/glsa/201405-10

fixed_packages

url	pkg:deb/debian/ruby-rack@1.4.1-2.1?distro=trixie
purl	pkg:deb/debian/ruby-rack@1.4.1-2.1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@1.4.1-2.1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u2%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2013-0183, GHSA-3pxh-h8hw-mj8w, OSV-89320

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-h6mf-a3pd-d3hb

url VCID-juuh-9psh-yyar

vulnerability_id VCID-juuh-9psh-yyar

summary rack: Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion)

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61770.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61770.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-61770

reference_id

reference_type

scores

value	0.00266
scoring_system	epss
scoring_elements	0.5021
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-61770

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61770
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61770

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T15:23:07Z/

url

https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e

reference_url

https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T15:23:07Z/

url

https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e

reference_url

https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T15:23:07Z/

url

https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd

reference_url

https://github.com/rack/rack/security/advisories/GHSA-p543-xpfm-54cp

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T15:23:07Z/

url

https://github.com/rack/rack/security/advisories/GHSA-p543-xpfm-54cp

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61770.yml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61770.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-61770

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-61770

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117627
reference_id	1117627
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117627

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2402174
reference_id	2402174
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2402174

reference_url

https://github.com/advisories/GHSA-p543-xpfm-54cp

reference_id

GHSA-p543-xpfm-54cp

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-p543-xpfm-54cp

reference_url	https://access.redhat.com/errata/RHSA-2025:19512
reference_id	RHSA-2025:19512
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19512

reference_url	https://access.redhat.com/errata/RHSA-2025:19513
reference_id	RHSA-2025:19513
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19513

reference_url	https://access.redhat.com/errata/RHSA-2025:19647
reference_id	RHSA-2025:19647
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19647

reference_url	https://access.redhat.com/errata/RHSA-2025:19719
reference_id	RHSA-2025:19719
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19719

reference_url	https://access.redhat.com/errata/RHSA-2025:19733
reference_id	RHSA-2025:19733
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19733

reference_url	https://access.redhat.com/errata/RHSA-2025:19734
reference_id	RHSA-2025:19734
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19734

reference_url	https://access.redhat.com/errata/RHSA-2025:19736
reference_id	RHSA-2025:19736
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19736

reference_url	https://access.redhat.com/errata/RHSA-2025:19800
reference_id	RHSA-2025:19800
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19800

reference_url	https://access.redhat.com/errata/RHSA-2025:19948
reference_id	RHSA-2025:19948
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19948

reference_url	https://access.redhat.com/errata/RHSA-2025:20962
reference_id	RHSA-2025:20962
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:20962

reference_url	https://access.redhat.com/errata/RHSA-2025:21036
reference_id	RHSA-2025:21036
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:21036

reference_url	https://access.redhat.com/errata/RHSA-2025:21696
reference_id	RHSA-2025:21696
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:21696

reference_url	https://usn.ubuntu.com/7960-1/
reference_id	USN-7960-1
reference_type
scores
url	https://usn.ubuntu.com/7960-1/

fixed_packages

url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u2%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u4?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u4?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u4%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@2.2.20-0%2Bdeb12u1?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.2.20-0%2Bdeb12u1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.20-0%252Bdeb12u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.1.18-1~deb13u1?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.1.18-1~deb13u1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.18-1~deb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.1.18-1?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.1.18-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.18-1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2025-61770, GHSA-p543-xpfm-54cp

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-juuh-9psh-yyar

url VCID-k4w7-sm5v-yqgb

vulnerability_id VCID-k4w7-sm5v-yqgb

summary rack: Rack Session Reuse Vulnerability

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-32441.json

reference_id

reference_type

scores

value	4.2
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-32441.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-32441

reference_id

reference_type

scores

value	0.00096
scoring_system	epss
scoring_elements	0.2651
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-32441

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32441
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-32441

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/blob/v2.2.13/lib/rack/session/abstract/id.rb#L263-L270

reference_url

reference_id

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-08T14:02:00Z/

url

https://github.com/rack/rack/blob/v2.2.13/lib/rack/session/abstract/id.rb#L263-L270

reference_url

https://github.com/rack/rack/commit/c48e52f7c57e99e1e1bf54c8760d4f082cd1c89d

reference_id

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-08T14:02:00Z/

url

https://github.com/rack/rack/commit/c48e52f7c57e99e1e1bf54c8760d4f082cd1c89d

reference_url

https://github.com/rack/rack/security/advisories/GHSA-vpfw-47h7-xj4g

reference_id

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-05-08T14:02:00Z/

url

https://github.com/rack/rack/security/advisories/GHSA-vpfw-47h7-xj4g

reference_url

https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj

reference_id

reference_type

scores

value	4.2
scoring_system	cvssv3
scoring_elements

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-32441.yml

reference_id

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-32441.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-32441

reference_id

reference_type

scores

value	4.2
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-32441

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2364965
reference_id	2364965
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2364965

reference_url	https://github.com/advisories/GHSA-vpfw-47h7-xj4g
reference_id	GHSA-vpfw-47h7-xj4g
reference_type
scores
url	https://github.com/advisories/GHSA-vpfw-47h7-xj4g

reference_url	https://usn.ubuntu.com/7507-1/
reference_id	USN-7507-1
reference_type
scores
url	https://usn.ubuntu.com/7507-1/

fixed_packages

url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u2%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u4?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u4?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u4%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@2.2.20-0%2Bdeb12u1?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.2.20-0%2Bdeb12u1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.20-0%252Bdeb12u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.0.8-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.0.8-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.0.8-2%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2025-32441, GHSA-vpfw-47h7-xj4g

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-k4w7-sm5v-yqgb

url VCID-mac4-2zg3-q3dg

vulnerability_id VCID-mac4-2zg3-q3dg

summary

Possible Information Leak / Session Hijack Vulnerability in Rack
There's a possible information leak / session hijack vulnerability in Rack. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session.

The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison.

### Impact

The session id stored in a cookie is the same id that is used when querying the backing session storage engine. Most storage mechanisms (for example a database) use some sort of indexing in order to speed up the lookup of that id. By carefully timing requests and session lookup failures, an attacker may be able to perform a timing attack to determine an existing session id and hijack that session.

## Releases

The 1.6.12 and 2.0.8 releases are available at the normal locations.

### Workarounds

There are no known workarounds.

### Patches

To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

* 1-6-session-timing-attack.patch - Patch for 1.6 series
* 2-0-session-timing-attack.patch - Patch for 2.6 series

### Credits

Thanks Will Leinweber for reporting this!

references

reference_url

http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00016.html

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://lists.opensuse.org/opensuse-security-announce/2020-02/msg00016.html

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-16782.json

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2019-16782.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2019-16782

reference_id

reference_type

scores

value	0.00892
scoring_system	epss
scoring_elements	0.75899
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2019-16782

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16782
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16782

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.6
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/commit/7fecaee81f59926b6e1913511c90650e76673b38

reference_url

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/commit/7fecaee81f59926b6e1913511c90650e76673b38

reference_url

https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv3
scoring_elements

value	6.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/security/advisories/GHSA-hrqr-hxpp-chr3

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2019-16782.yml

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2019-16782.yml

reference_url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HZXMWILCICQLA2BYSP6I2CRMUG53YBLX

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/HZXMWILCICQLA2BYSP6I2CRMUG53YBLX

reference_url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZXMWILCICQLA2BYSP6I2CRMUG53YBLX

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HZXMWILCICQLA2BYSP6I2CRMUG53YBLX

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2019-16782

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2019-16782

reference_url

http://www.openwall.com/lists/oss-security/2019/12/18/2

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2019/12/18/2

reference_url

http://www.openwall.com/lists/oss-security/2019/12/18/3

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2019/12/18/3

reference_url

http://www.openwall.com/lists/oss-security/2019/12/19/3

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2019/12/19/3

reference_url

http://www.openwall.com/lists/oss-security/2020/04/08/1

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2020/04/08/1

reference_url

http://www.openwall.com/lists/oss-security/2020/04/09/2

reference_id

reference_type

scores

value	6.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.openwall.com/lists/oss-security/2020/04/09/2

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1789100
reference_id	1789100
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1789100

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946983
reference_id	946983
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=946983

reference_url

https://github.com/advisories/GHSA-hrqr-hxpp-chr3

reference_id

GHSA-hrqr-hxpp-chr3

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-hrqr-hxpp-chr3

reference_url	https://access.redhat.com/errata/RHSA-2020:2480
reference_id	RHSA-2020:2480
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2020:2480

reference_url	https://access.redhat.com/errata/RHSA-2020:4366
reference_id	RHSA-2020:4366
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2020:4366

reference_url	https://access.redhat.com/errata/RHSA-2021:1313
reference_id	RHSA-2021:1313
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2021:1313

reference_url	https://usn.ubuntu.com/USN-5253-1/
reference_id	USN-USN-5253-1
reference_type
scores
url	https://usn.ubuntu.com/USN-5253-1/

fixed_packages

url	pkg:deb/debian/ruby-rack@2.1.1-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.1.1-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.1-2%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u2%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2019-16782, GHSA-hrqr-hxpp-chr3

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-mac4-2zg3-q3dg

url VCID-n3cc-pvr9-4bd5

vulnerability_id VCID-n3cc-pvr9-4bd5

summary

Possible Denial of Service Vulnerability in Rack's header parsing
There is a denial of service vulnerability in the header parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2023-27539.

Versions Affected: >= 2.0.0 Not affected: None. Fixed Versions: 2.2.6.4, 3.0.6.1

# Impact
Carefully crafted input can cause header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse headers using Rack (virtually all Rails applications) are impacted.

# Workarounds
Setting Regexp.timeout in Ruby 3.2 is a possible workaround.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-27539.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-27539.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-27539

reference_id

reference_type

scores

value	0.00364
scoring_system	epss
scoring_elements	0.58717
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-27539

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539

reference_url

https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/

url

https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/commit/231ef369ad0b542575fb36c74fcfcfabcf6c530c

reference_url

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/

url

https://github.com/rack/rack/commit/231ef369ad0b542575fb36c74fcfcfabcf6c530c

reference_url

https://github.com/rack/rack/commit/ee7919ea04303717858be1c3f16b406adc6d8cff

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/

url

https://github.com/rack/rack/commit/ee7919ea04303717858be1c3f16b406adc6d8cff

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2023-27539.yml

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2023-27539.yml

reference_url

https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/

url

https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-27539

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-27539

reference_url

https://security.netapp.com/advisory/ntap-20231208-0016

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20231208-0016

reference_url

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/

url

https://github.com/advisories/GHSA-c6qg-cjj8-47qp

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033264
reference_id	1033264
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033264

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2179649
reference_id	2179649
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2179649

reference_url

reference_id

GHSA-c6qg-cjj8-47qp

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/

url

https://github.com/advisories/GHSA-c6qg-cjj8-47qp

reference_url

https://security.netapp.com/advisory/ntap-20231208-0016/

reference_id

ntap-20231208-0016

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/

url

https://security.netapp.com/advisory/ntap-20231208-0016/

reference_url	https://access.redhat.com/errata/RHSA-2023:1953
reference_id	RHSA-2023:1953
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:1953

reference_url	https://access.redhat.com/errata/RHSA-2023:1961
reference_id	RHSA-2023:1961
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:1961

reference_url	https://access.redhat.com/errata/RHSA-2023:1981
reference_id	RHSA-2023:1981
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:1981

reference_url	https://access.redhat.com/errata/RHSA-2023:2652
reference_id	RHSA-2023:2652
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:2652

reference_url	https://access.redhat.com/errata/RHSA-2023:3082
reference_id	RHSA-2023:3082
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:3082

reference_url	https://access.redhat.com/errata/RHSA-2023:3403
reference_id	RHSA-2023:3403
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:3403

reference_url	https://access.redhat.com/errata/RHSA-2023:3495
reference_id	RHSA-2023:3495
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:3495

reference_url	https://access.redhat.com/errata/RHSA-2023:6818
reference_id	RHSA-2023:6818
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:6818

reference_url	https://usn.ubuntu.com/6689-1/
reference_id	USN-6689-1
reference_type
scores
url	https://usn.ubuntu.com/6689-1/

reference_url	https://usn.ubuntu.com/6905-1/
reference_id	USN-6905-1
reference_type
scores
url	https://usn.ubuntu.com/6905-1/

reference_url	https://usn.ubuntu.com/7036-1/
reference_id	USN-7036-1
reference_type
scores
url	https://usn.ubuntu.com/7036-1/

fixed_packages

url	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u1?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u2%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@2.2.6.4-1?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.2.6.4-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.6.4-1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2023-27539, GHSA-c6qg-cjj8-47qp, GMS-2023-769

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-n3cc-pvr9-4bd5

url VCID-nqds-u1fk-y7ch

vulnerability_id VCID-nqds-u1fk-y7ch

summary rubygem-rack: Unbounded-Parameter DoS in Rack::QueryParser

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-46727.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-46727.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-46727

reference_id

reference_type

scores

value	0.00808
scoring_system	epss
scoring_elements	0.74504
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-46727

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-46727
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-46727

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/commit/2bb5263b464b65ba4b648996a579dbd180d2b712

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T14:00:33Z/

url

https://github.com/rack/rack/commit/2bb5263b464b65ba4b648996a579dbd180d2b712

reference_url

https://github.com/rack/rack/commit/3f5a4249118d09d199fe480466c8c6717e43b6e3

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T14:00:33Z/

url

https://github.com/rack/rack/commit/3f5a4249118d09d199fe480466c8c6717e43b6e3

reference_url

https://github.com/rack/rack/commit/cd6b70a1f2a1016b73dc906f924869f4902c2d74

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T14:00:33Z/

url

https://github.com/rack/rack/commit/cd6b70a1f2a1016b73dc906f924869f4902c2d74

reference_url

https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T14:00:33Z/

url

https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-46727.yml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-46727.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-46727

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-46727

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104927
reference_id	1104927
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104927

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2364966
reference_id	2364966
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2364966

reference_url	https://github.com/advisories/GHSA-gjh7-p2fx-99vx
reference_id	GHSA-gjh7-p2fx-99vx
reference_type
scores
url	https://github.com/advisories/GHSA-gjh7-p2fx-99vx

reference_url	https://access.redhat.com/errata/RHSA-2025:7604
reference_id	RHSA-2025:7604
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:7604

reference_url	https://access.redhat.com/errata/RHSA-2025:7605
reference_id	RHSA-2025:7605
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:7605

reference_url	https://access.redhat.com/errata/RHSA-2025:8254
reference_id	RHSA-2025:8254
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:8254

reference_url	https://access.redhat.com/errata/RHSA-2025:8256
reference_id	RHSA-2025:8256
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:8256

reference_url	https://access.redhat.com/errata/RHSA-2025:8279
reference_id	RHSA-2025:8279
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:8279

reference_url	https://access.redhat.com/errata/RHSA-2025:8288
reference_id	RHSA-2025:8288
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:8288

reference_url	https://access.redhat.com/errata/RHSA-2025:8289
reference_id	RHSA-2025:8289
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:8289

reference_url	https://access.redhat.com/errata/RHSA-2025:8290
reference_id	RHSA-2025:8290
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:8290

reference_url	https://access.redhat.com/errata/RHSA-2025:8291
reference_id	RHSA-2025:8291
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:8291

reference_url	https://access.redhat.com/errata/RHSA-2025:8319
reference_id	RHSA-2025:8319
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:8319

reference_url	https://access.redhat.com/errata/RHSA-2025:8322
reference_id	RHSA-2025:8322
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:8322

reference_url	https://access.redhat.com/errata/RHSA-2025:8323
reference_id	RHSA-2025:8323
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:8323

reference_url	https://access.redhat.com/errata/RHSA-2025:9838
reference_id	RHSA-2025:9838
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:9838

reference_url	https://usn.ubuntu.com/7507-1/
reference_id	USN-7507-1
reference_type
scores
url	https://usn.ubuntu.com/7507-1/

fixed_packages

url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u2%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u4?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u4?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u4%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@2.2.20-0%2Bdeb12u1?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.2.20-0%2Bdeb12u1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.20-0%252Bdeb12u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.1.16-0.1?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.1.16-0.1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.16-0.1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2025-46727, GHSA-gjh7-p2fx-99vx

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-nqds-u1fk-y7ch

url VCID-rg39-bur5-67e3

vulnerability_id VCID-rg39-bur5-67e3

summary

Rack vulnerable to Denial of Service via large parameter depth request
lib/rack/utils.rb in Rack before 1.5.4 and 1.6.x before 1.6.2, as used with Ruby on Rails 3.x and 4.x and other products, allows remote attackers to cause a denial of service (SystemStackError) via a request with a large parameter depth.

references

reference_url

http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164173.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164173.html

reference_url

http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165180.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165180.html

reference_url

http://lists.opensuse.org/opensuse-updates/2015-07/msg00040.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://lists.opensuse.org/opensuse-updates/2015-07/msg00040.html

reference_url

http://lists.opensuse.org/opensuse-updates/2015-07/msg00043.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://lists.opensuse.org/opensuse-updates/2015-07/msg00043.html

reference_url

http://lists.opensuse.org/opensuse-updates/2015-07/msg00044.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://lists.opensuse.org/opensuse-updates/2015-07/msg00044.html

reference_url

http://openwall.com/lists/oss-security/2015/06/16/14

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://openwall.com/lists/oss-security/2015/06/16/14

reference_url

http://rhn.redhat.com/errata/RHSA-2015-2290.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://rhn.redhat.com/errata/RHSA-2015-2290.html

reference_url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-3225.json
reference_id
reference_type
scores
url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2015-3225.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2015-3225

reference_id

reference_type

scores

value	0.13251
scoring_system	epss
scoring_elements	0.94266
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2015-3225

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3225
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3225

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/blob/master/HISTORY.md

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/blob/master/HISTORY.md

reference_url	https://github.com/rack/rack/commits/1.4.6
reference_id
reference_type
scores
url	https://github.com/rack/rack/commits/1.4.6

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2015-3225.yml

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2015-3225.yml

reference_url

https://groups.google.com/forum/#!topic/ruby-security-ann/gcUbICUmKMc

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/forum/#!topic/ruby-security-ann/gcUbICUmKMc

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2015-3225

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2015-3225

reference_url

http://www.debian.org/security/2015/dsa-3322

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://www.debian.org/security/2015/dsa-3322

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1232292
reference_id	1232292
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1232292

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=789311
reference_id	789311
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=789311

reference_url

https://github.com/advisories/GHSA-rgr4-9jh5-j4j6

reference_id

GHSA-rgr4-9jh5-j4j6

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-rgr4-9jh5-j4j6

reference_url	https://access.redhat.com/errata/RHSA-2015:2290
reference_id	RHSA-2015:2290
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2015:2290

fixed_packages

url	pkg:deb/debian/ruby-rack@1.5.2-4?distro=trixie
purl	pkg:deb/debian/ruby-rack@1.5.2-4?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@1.5.2-4%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u2%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2015-3225, GHSA-rgr4-9jh5-j4j6

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rg39-bur5-67e3

url VCID-rvwc-cy1n-yffg

vulnerability_id VCID-rvwc-cy1n-yffg

summary rubygem-rack: Possible Log Injection in Rack::CommonLogger

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-25184.json

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-25184.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-25184

reference_id

reference_type

scores

value	0.01345
scoring_system	epss
scoring_elements	0.80354
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-25184

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-25184
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-25184

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	4.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	5.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/commit/074ae244430cda05c27ca91cda699709cfb3ad8e

reference_url

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	5.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-12T19:09:07Z/

url

https://github.com/rack/rack/commit/074ae244430cda05c27ca91cda699709cfb3ad8e

reference_url

https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3
scoring_elements

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	5.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-12T19:09:07Z/

url

https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-25184.yml

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	5.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-25184.yml

reference_url

https://lists.debian.org/debian-lts-announce/2025/03/msg00016.html

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	5.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2025/03/msg00016.html

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-25184

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N

value	5.7
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-25184

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098257
reference_id	1098257
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098257

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2345301
reference_id	2345301
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2345301

reference_url	https://github.com/advisories/GHSA-7g2v-jj9q-g3rg
reference_id	GHSA-7g2v-jj9q-g3rg
reference_type
scores
url	https://github.com/advisories/GHSA-7g2v-jj9q-g3rg

reference_url	https://access.redhat.com/errata/RHSA-2025:1985
reference_id	RHSA-2025:1985
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:1985

reference_url	https://access.redhat.com/errata/RHSA-2025:7085
reference_id	RHSA-2025:7085
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:7085

reference_url	https://usn.ubuntu.com/7366-1/
reference_id	USN-7366-1
reference_type
scores
url	https://usn.ubuntu.com/7366-1/

reference_url	https://usn.ubuntu.com/7366-2/
reference_id	USN-7366-2
reference_type
scores
url	https://usn.ubuntu.com/7366-2/

fixed_packages

url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u2%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u3?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u3?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u3%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@2.2.13-1~deb12u1?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.2.13-1~deb12u1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.13-1~deb12u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.1.12-1?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.1.12-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.12-1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2025-25184, GHSA-7g2v-jj9q-g3rg

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-rvwc-cy1n-yffg

url VCID-sfcw-t1ch-b7dr

vulnerability_id VCID-sfcw-t1ch-b7dr

summary

Rack arbitrary code execution via timing attack
Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time.

references

reference_url

http://lists.opensuse.org/opensuse-updates/2013-03/msg00048.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://lists.opensuse.org/opensuse-updates/2013-03/msg00048.html

reference_url	http://rack.github.com/
reference_id
reference_type
scores
url	http://rack.github.com/

reference_url

http://rhn.redhat.com/errata/RHSA-2013-0686.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

http://rhn.redhat.com/errata/RHSA-2013-0686.html

reference_url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-0263.json
reference_id
reference_type
scores
url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2013-0263.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2013-0263

reference_id

reference_type

scores

value	0.16071
scoring_system	epss
scoring_elements	0.94896
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2013-0263

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://gist.github.com/codahale/f9f3781f7b54985bee94

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0263
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0263

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://gist.github.com/codahale/f9f3781f7b54985bee94

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/commit/0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/commit/0cd7e9aa397f8ebb3b8481d67dbac8b4863a7f07

reference_url

https://github.com/rack/rack/commit/9a81b961457805f6d1a5c275d053068440421e11

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/commit/9a81b961457805f6d1a5c275d053068440421e11

reference_url

https://groups.google.com/d/msg/rack-devel/xKrHVWeNvDM/4ZGA576CnK4J

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/d/msg/rack-devel/xKrHVWeNvDM/4ZGA576CnK4J

reference_url

https://groups.google.com/forum/#!msg/rack-devel/bf937jPZxJM/1s6x95vIhmAJ

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/forum/#!msg/rack-devel/bf937jPZxJM/1s6x95vIhmAJ

reference_url

https://groups.google.com/forum/#!msg/rack-devel/hz-liLb9fKE/8jvVWU6xYiYJ

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/forum/#!msg/rack-devel/hz-liLb9fKE/8jvVWU6xYiYJ

reference_url

https://groups.google.com/forum/#!msg/rack-devel/mZsuRonD7G8/DpZIOmMLbOgJ

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/forum/#!msg/rack-devel/mZsuRonD7G8/DpZIOmMLbOgJ

reference_url

https://groups.google.com/forum/#!msg/rack-devel/RnQxm6i13C4/xfakH81yWvgJ

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/forum/#!msg/rack-devel/RnQxm6i13C4/xfakH81yWvgJ

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2013-0263

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2013-0263

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/advisories/GHSA-xc85-32mf-xpv8

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700226
reference_id	700226
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=700226

reference_url

reference_id

GHSA-xc85-32mf-xpv8

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-xc85-32mf-xpv8

reference_url	https://security.gentoo.org/glsa/201405-10
reference_id	GLSA-201405-10
reference_type
scores
url	https://security.gentoo.org/glsa/201405-10

reference_url	https://access.redhat.com/errata/RHSA-2013:0686
reference_id	RHSA-2013:0686
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2013:0686

fixed_packages

url	pkg:deb/debian/ruby-rack@1.4.1-2.1?distro=trixie
purl	pkg:deb/debian/ruby-rack@1.4.1-2.1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@1.4.1-2.1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u2%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2013-0263, GHSA-xc85-32mf-xpv8, OSV-89939

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-sfcw-t1ch-b7dr

url VCID-tjh9-vfdw-7yen

vulnerability_id VCID-tjh9-vfdw-7yen

summary rubygem-rack: Rack QueryParser has an unsafe default allowing params_limit bypass via semicolon-separated parameters

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59830.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59830.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-59830

reference_id

reference_type

scores

value	0.00127
scoring_system	epss
scoring_elements	0.31734
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-59830

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59830
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59830

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/commit/54e4ffdd5affebcb0c015cc6ae74635c0831ed71

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-25T16:14:17Z/

url

https://github.com/rack/rack/commit/54e4ffdd5affebcb0c015cc6ae74635c0831ed71

reference_url

https://github.com/rack/rack/security/advisories/GHSA-625h-95r8-8xpm

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-25T16:14:17Z/

url

https://github.com/rack/rack/security/advisories/GHSA-625h-95r8-8xpm

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-59830

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-59830

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116431
reference_id	1116431
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116431

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2398167
reference_id	2398167
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2398167

reference_url

https://github.com/advisories/GHSA-625h-95r8-8xpm

reference_id

GHSA-625h-95r8-8xpm

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-625h-95r8-8xpm

reference_url	https://access.redhat.com/errata/RHSA-2025:19512
reference_id	RHSA-2025:19512
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19512

reference_url	https://access.redhat.com/errata/RHSA-2025:19513
reference_id	RHSA-2025:19513
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19513

reference_url	https://access.redhat.com/errata/RHSA-2025:19647
reference_id	RHSA-2025:19647
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19647

reference_url	https://access.redhat.com/errata/RHSA-2025:19719
reference_id	RHSA-2025:19719
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19719

reference_url	https://access.redhat.com/errata/RHSA-2025:19733
reference_id	RHSA-2025:19733
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19733

reference_url	https://access.redhat.com/errata/RHSA-2025:19734
reference_id	RHSA-2025:19734
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19734

reference_url	https://access.redhat.com/errata/RHSA-2025:19736
reference_id	RHSA-2025:19736
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19736

reference_url	https://access.redhat.com/errata/RHSA-2025:19800
reference_id	RHSA-2025:19800
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19800

reference_url	https://access.redhat.com/errata/RHSA-2025:19832
reference_id	RHSA-2025:19832
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19832

reference_url	https://access.redhat.com/errata/RHSA-2025:19855
reference_id	RHSA-2025:19855
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19855

reference_url	https://access.redhat.com/errata/RHSA-2025:19856
reference_id	RHSA-2025:19856
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19856

reference_url	https://access.redhat.com/errata/RHSA-2025:19948
reference_id	RHSA-2025:19948
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19948

reference_url	https://access.redhat.com/errata/RHSA-2025:20962
reference_id	RHSA-2025:20962
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:20962

reference_url	https://access.redhat.com/errata/RHSA-2025:21036
reference_id	RHSA-2025:21036
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:21036

reference_url	https://usn.ubuntu.com/7784-1/
reference_id	USN-7784-1
reference_type
scores
url	https://usn.ubuntu.com/7784-1/

reference_url	https://usn.ubuntu.com/7960-1/
reference_id	USN-7960-1
reference_type
scores
url	https://usn.ubuntu.com/7960-1/

fixed_packages

url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u2%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u4?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u4?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u4%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@2.2.20-0%2Bdeb12u1?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.2.20-0%2Bdeb12u1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.20-0%252Bdeb12u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.0.8-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.0.8-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.0.8-2%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2025-59830, GHSA-625h-95r8-8xpm

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-tjh9-vfdw-7yen

url VCID-ts7r-dady-tua3

vulnerability_id VCID-ts7r-dady-tua3

summary

Rack vulnerable to REDoS
`lib/rack/multipart.rb` in Rack before 1.1.4, 1.2.x before 1.2.6, 1.3.x before 1.3.7, and 1.4.x before 1.4.2 uses an incorrect regular expression, which allows remote attackers to cause a denial of service (infinite loop) via a crafted Content-Disposion header.

references

reference_url	http://rack.github.com/
reference_id
reference_type
scores
url	http://rack.github.com/

reference_url	http://rhn.redhat.com/errata/RHSA-2013-0544.html
reference_id
reference_type
scores
url	http://rhn.redhat.com/errata/RHSA-2013-0544.html

reference_url	http://rhn.redhat.com/errata/RHSA-2013-0548.html
reference_id
reference_type
scores
url	http://rhn.redhat.com/errata/RHSA-2013-0548.html

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://access.redhat.com/security/cve/CVE-2012-6109

reference_url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-6109.json
reference_id
reference_type
scores
url	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2012-6109.json

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://access.redhat.com/security/cve/CVE-2012-6109

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2012-6109

reference_id

reference_type

scores

value	0.00828
scoring_system	epss
scoring_elements	0.74813
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2012-6109

reference_url

https://bugzilla.redhat.com/show_bug.cgi?id=895277

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://bugzilla.redhat.com/show_bug.cgi?id=895277

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6109
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6109

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/blob/master/README.rdoc

reference_url

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/blob/master/README.rdoc

reference_url

https://github.com/rack/rack/commit/c9f65df37a151821eb88ddd1dc404b83e52c52d5

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/commit/c9f65df37a151821eb88ddd1dc404b83e52c52d5

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2012-6109.yml

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2012-6109.yml

reference_url

https://groups.google.com/forum/#%21msg/rack-devel/1w4_fWEgTdI/XAkSNHjtdTsJ

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/forum/#%21msg/rack-devel/1w4_fWEgTdI/XAkSNHjtdTsJ

reference_url

https://groups.google.com/forum/#!msg/rack-devel/1w4_fWEgTdI/XAkSNHjtdTsJ

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/forum/#!msg/rack-devel/1w4_fWEgTdI/XAkSNHjtdTsJ

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2012-6109

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2012-6109

reference_url

https://rhn.redhat.com/errata/RHSA-2013-0544.html

reference_id

reference_type

scores

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://rhn.redhat.com/errata/RHSA-2013-0544.html

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698440
reference_id	698440
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=698440

reference_url

https://github.com/advisories/GHSA-h77x-m5q8-c29h

reference_id

GHSA-h77x-m5q8-c29h

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-h77x-m5q8-c29h

reference_url	https://security.gentoo.org/glsa/201405-10
reference_id	GLSA-201405-10
reference_type
scores
url	https://security.gentoo.org/glsa/201405-10

fixed_packages

url	pkg:deb/debian/ruby-rack@1.4.1-2.1?distro=trixie
purl	pkg:deb/debian/ruby-rack@1.4.1-2.1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@1.4.1-2.1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u2%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2012-6109, GHSA-h77x-m5q8-c29h, OSV-89317

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ts7r-dady-tua3

url VCID-v2nc-35z6-2kf6

vulnerability_id VCID-v2nc-35z6-2kf6

summary rack: rubygem-rack: Rack Content-Disposition Denial of Service

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-49007.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-49007.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2025-49007

reference_id

reference_type

scores

value	0.00569
scoring_system	epss
scoring_elements	0.68866
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2025-49007

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/commit/4795831a0a310c2d31102749e551b38faab6401f

reference_url

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-05T13:20:37Z/

url

https://github.com/rack/rack/commit/4795831a0a310c2d31102749e551b38faab6401f

reference_url

https://github.com/rack/rack/commit/aed514df37e33907df3c971ed3ca9a0a20ac2901

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-05T13:20:37Z/

url

https://github.com/rack/rack/commit/aed514df37e33907df3c971ed3ca9a0a20ac2901

reference_url

https://github.com/rack/rack/security/advisories/GHSA-47m2-26rw-j2jw

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-05T13:20:37Z/

url

https://github.com/rack/rack/security/advisories/GHSA-47m2-26rw-j2jw

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-49007.yml

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-49007.yml

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-49007

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-49007

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107363
reference_id	1107363
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107363

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2370346
reference_id	2370346
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2370346

reference_url	https://github.com/advisories/GHSA-47m2-26rw-j2jw
reference_id	GHSA-47m2-26rw-j2jw
reference_type
scores
url	https://github.com/advisories/GHSA-47m2-26rw-j2jw

fixed_packages

url	pkg:deb/debian/ruby-rack@0?distro=trixie
purl	pkg:deb/debian/ruby-rack@0?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@0%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u2%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.1.16-0.1?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.1.16-0.1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.16-0.1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2025-49007, GHSA-47m2-26rw-j2jw

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-v2nc-35z6-2kf6

url VCID-xrut-zyv4-e3bf

vulnerability_id VCID-xrut-zyv4-e3bf

summary

Rack vulnerable to ReDoS in content type parsing (2nd degree polynomial)
### Summary

```ruby
module Rack
  class MediaType
    SPLIT_PATTERN = %r{\s*[;,]\s*}
```
The above regexp is subject to ReDos. 50K blank characters as a prefix to the header will take over 10s to split.

### PoC

A simple HTTP request with lots of blank characters in the content-type header:

```ruby
request["Content-Type"] = (" " * 50_000) + "a,"
```

### Impact

It's a very easy to craft ReDoS. Like all ReDoS the impact is debatable.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-25126.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-25126.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2024-25126

reference_id

reference_type

scores

value	0.0045
scoring_system	epss
scoring_elements	0.63937
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2024-25126

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25126
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25126

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26141
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26141

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26146
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26146

reference_url

https://discuss.rubyonrails.org/t/denial-of-service-vulnerability-in-rack-content-type-parsing/84941

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-12T17:41:06Z/

url

https://discuss.rubyonrails.org/t/denial-of-service-vulnerability-in-rack-content-type-parsing/84941

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/commit/6efb2ceea003c4b195815a614e00438cbd543462

reference_url

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-12T17:41:06Z/

url

https://github.com/rack/rack/commit/6efb2ceea003c4b195815a614e00438cbd543462

reference_url

https://github.com/rack/rack/commit/d9c163a443b8cadf4711d84bd2c58cb9ef89cf49

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-12T17:41:06Z/

url

https://github.com/rack/rack/commit/d9c163a443b8cadf4711d84bd2c58cb9ef89cf49

reference_url

https://github.com/rack/rack/security/advisories/GHSA-22f2-v57c-j9cx

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-12T17:41:06Z/

url

https://github.com/rack/rack/security/advisories/GHSA-22f2-v57c-j9cx

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-25126.yml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-12T17:41:06Z/

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-25126.yml

reference_url

https://lists.debian.org/debian-lts-announce/2024/04/msg00022.html

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-12T17:41:06Z/

url

https://lists.debian.org/debian-lts-announce/2024/04/msg00022.html

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-25126

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-25126

reference_url

https://security.netapp.com/advisory/ntap-20240510-0005

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20240510-0005

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064516
reference_id	1064516
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064516

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2265593
reference_id	2265593
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2265593

reference_url

https://github.com/advisories/GHSA-22f2-v57c-j9cx

reference_id

GHSA-22f2-v57c-j9cx

reference_type

scores

value	MODERATE
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-22f2-v57c-j9cx

reference_url

https://security.netapp.com/advisory/ntap-20240510-0005/

reference_id

ntap-20240510-0005

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:P/A:Y/T:P/P:M/B:A/M:M/D:T/2024-08-12T17:41:06Z/

url

https://security.netapp.com/advisory/ntap-20240510-0005/

reference_url	https://access.redhat.com/errata/RHSA-2024:10806
reference_id	RHSA-2024:10806
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:10806

reference_url	https://access.redhat.com/errata/RHSA-2024:1841
reference_id	RHSA-2024:1841
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:1841

reference_url	https://access.redhat.com/errata/RHSA-2024:1846
reference_id	RHSA-2024:1846
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:1846

reference_url	https://access.redhat.com/errata/RHSA-2024:2007
reference_id	RHSA-2024:2007
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:2007

reference_url	https://access.redhat.com/errata/RHSA-2024:2113
reference_id	RHSA-2024:2113
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:2113

reference_url	https://access.redhat.com/errata/RHSA-2024:2581
reference_id	RHSA-2024:2581
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:2581

reference_url	https://access.redhat.com/errata/RHSA-2024:2584
reference_id	RHSA-2024:2584
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:2584

reference_url	https://access.redhat.com/errata/RHSA-2024:2953
reference_id	RHSA-2024:2953
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:2953

reference_url	https://access.redhat.com/errata/RHSA-2024:3431
reference_id	RHSA-2024:3431
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:3431

reference_url	https://usn.ubuntu.com/6837-1/
reference_id	USN-6837-1
reference_type
scores
url	https://usn.ubuntu.com/6837-1/

reference_url	https://usn.ubuntu.com/6837-2/
reference_id	USN-6837-2
reference_type
scores
url	https://usn.ubuntu.com/6837-2/

reference_url	https://usn.ubuntu.com/7036-1/
reference_id	USN-7036-1
reference_type
scores
url	https://usn.ubuntu.com/7036-1/

fixed_packages

url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u2%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@2.2.6.4-1%2Bdeb12u1?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.2.6.4-1%2Bdeb12u1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.6.4-1%252Bdeb12u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@2.2.7-1.1?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.2.7-1.1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.7-1.1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2024-25126, GHSA-22f2-v57c-j9cx

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xrut-zyv4-e3bf

url VCID-y4e1-mh3x-gkep

vulnerability_id VCID-y4e1-mh3x-gkep

summary

Rack allows Percent-encoded cookies to overwrite existing prefixed cookie names
A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it possible for an attacker to forge a secure or host-only cookie prefix.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8184.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2020-8184.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2020-8184

reference_id

reference_type

scores

value	0.00811
scoring_system	epss
scoring_elements	0.74534
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2020-8184

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8184
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8184

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	6.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/commit/1f5763de6a9fe515ff84992b343d63c88104654c

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/commit/1f5763de6a9fe515ff84992b343d63c88104654c

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2020-8184.yml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2020-8184.yml

reference_url

https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/rubyonrails-security/c/OWtmozPH9Ak

reference_url

https://hackerone.com/reports/895727

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://hackerone.com/reports/895727

reference_url

https://lists.debian.org/debian-lts-announce/2020/07/msg00006.html

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2020/07/msg00006.html

reference_url

https://lists.debian.org/debian-lts-announce/2023/01/msg00038.html

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2023/01/msg00038.html

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2020-8184

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2020-8184

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/advisories/GHSA-j6w9-fv6q-3q52

reference_url	https://usn.ubuntu.com/4561-1/
reference_id
reference_type
scores
url	https://usn.ubuntu.com/4561-1/

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=1849141
reference_id	1849141
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=1849141

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=963477
reference_id	963477
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=963477

reference_url

reference_id

GHSA-j6w9-fv6q-3q52

reference_type

scores

value	HIGH
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-j6w9-fv6q-3q52

reference_url	https://access.redhat.com/errata/RHSA-2020:4366
reference_id	RHSA-2020:4366
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2020:4366

reference_url	https://usn.ubuntu.com/4561-2/
reference_id	USN-4561-2
reference_type
scores
url	https://usn.ubuntu.com/4561-2/

reference_url	https://usn.ubuntu.com/USN-5253-1/
reference_id	USN-USN-5253-1
reference_type
scores
url	https://usn.ubuntu.com/USN-5253-1/

fixed_packages

url	pkg:deb/debian/ruby-rack@2.1.1-6?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.1.1-6?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.1-6%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u2%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2020-8184, GHSA-j6w9-fv6q-3q52

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-y4e1-mh3x-gkep

url VCID-ya57-9vg9-xka9

vulnerability_id VCID-ya57-9vg9-xka9

summary

Rack has possible DoS Vulnerability in Multipart MIME parsing
There is a possible DoS vulnerability in the Multipart MIME parsing code in Rack. This vulnerability has been assigned the CVE identifier CVE-2023-27530.

Versions Affected: All. Not affected: None Fixed Versions: 3.0.4.2, 2.2.6.3, 2.1.4.3, 2.0.9.3

# Impact
The Multipart MIME parsing code in Rack limits the number of file parts, but does not limit the total number of parts that can be uploaded. Carefully crafted requests can abuse this and cause multipart parsing to take longer than expected.

All users running an affected release should either upgrade or use one of the workarounds immediately.

# Workarounds
A proxy can be configured to limit the POST body size which will mitigate this issue.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-27530.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-27530.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2023-27530

reference_id

reference_type

scores

value	0.01982
scoring_system	epss
scoring_elements	0.83865
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2023-27530

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539

reference_url

https://discuss.rubyonrails.org/t/cve-2023-27530-possible-dos-vulnerability-in-multipart-mime-parsing/82388

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:29:06Z/

url

https://discuss.rubyonrails.org/t/cve-2023-27530-possible-dos-vulnerability-in-multipart-mime-parsing/82388

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2023-27530.yml

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2023-27530.yml

reference_url

https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:29:06Z/

url

https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2023-27530

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2023-27530

reference_url

https://security.netapp.com/advisory/ntap-20231208-0015

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20231208-0015

reference_url

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:29:06Z/

url

https://security.netapp.com/advisory/ntap-20231208-0015/

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032803
reference_id	1032803
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032803

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2176477
reference_id	2176477
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2176477

reference_url	https://github.com/advisories/GHSA-3h57-hmj3-gj3p
reference_id	GHSA-3h57-hmj3-gj3p
reference_type
scores
url	https://github.com/advisories/GHSA-3h57-hmj3-gj3p

reference_url

reference_id

ntap-20231208-0015

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-10-15T17:29:06Z/

url

https://security.netapp.com/advisory/ntap-20231208-0015/

reference_url	https://access.redhat.com/errata/RHSA-2023:1961
reference_id	RHSA-2023:1961
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:1961

reference_url	https://access.redhat.com/errata/RHSA-2023:1981
reference_id	RHSA-2023:1981
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:1981

reference_url	https://access.redhat.com/errata/RHSA-2023:2652
reference_id	RHSA-2023:2652
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:2652

reference_url	https://access.redhat.com/errata/RHSA-2023:3082
reference_id	RHSA-2023:3082
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:3082

reference_url	https://access.redhat.com/errata/RHSA-2023:3403
reference_id	RHSA-2023:3403
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:3403

reference_url	https://access.redhat.com/errata/RHSA-2023:6818
reference_id	RHSA-2023:6818
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:6818

reference_url	https://usn.ubuntu.com/6837-1/
reference_id	USN-6837-1
reference_type
scores
url	https://usn.ubuntu.com/6837-1/

reference_url	https://usn.ubuntu.com/6905-1/
reference_id	USN-6905-1
reference_type
scores
url	https://usn.ubuntu.com/6905-1/

reference_url	https://usn.ubuntu.com/7036-1/
reference_id	USN-7036-1
reference_type
scores
url	https://usn.ubuntu.com/7036-1/

fixed_packages

url	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u1?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u2%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@2.2.6.4-1?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.2.6.4-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.6.4-1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2023-27530, GHSA-3h57-hmj3-gj3p, GMS-2023-663

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-ya57-9vg9-xka9

url VCID-yu1h-8nr1-vfhu

vulnerability_id VCID-yu1h-8nr1-vfhu

summary rubygem-rack: crafted requests can cause shell escape sequences

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-30123.json

reference_id

reference_type

scores

value	10.0
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-30123.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-30123

reference_id

reference_type

scores

value	0.02206
scoring_system	epss
scoring_elements	0.84713
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-30123

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539

reference_url

https://discuss.rubyonrails.org/t/cve-2022-30123-possible-shell-escape-sequence-injection-vulnerability-in-rack/80728

reference_id

reference_type

scores

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://discuss.rubyonrails.org/t/cve-2022-30123-possible-shell-escape-sequence-injection-vulnerability-in-rack/80728

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	9.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/commit/b426cc224908ec6ed6eb8729325392b048215d88

reference_url

reference_id

reference_type

scores

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack/commit/b426cc224908ec6ed6eb8729325392b048215d88

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-30123.yml

reference_id

reference_type

scores

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-30123.yml

reference_url

https://groups.google.com/g/ruby-security-ann/c/LWB10kWzag8

reference_id

reference_type

scores

value	10.0
scoring_system	cvssv3
scoring_elements

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://groups.google.com/g/ruby-security-ann/c/LWB10kWzag8

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-30123

reference_id

reference_type

scores

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-30123

reference_url

reference_id

reference_type

scores

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20231208-0011

reference_url

reference_id

reference_type

scores

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://security.netapp.com/advisory/ntap-20231208-0011

reference_url	https://security.netapp.com/advisory/ntap-20231208-0011/
reference_id
reference_type
scores
url	https://security.netapp.com/advisory/ntap-20231208-0011/

reference_url

reference_id

reference_type

scores

value	10.0
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

value	CRITICAL
scoring_system	generic_textual
scoring_elements

url

https://github.com/advisories/GHSA-wq4h-7r42-5hrr

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2099524
reference_id	2099524
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2099524

reference_url

reference_id

GHSA-wq4h-7r42-5hrr

reference_type

scores

value	CRITICAL
scoring_system	cvssv3.1_qr
scoring_elements

url

https://github.com/advisories/GHSA-wq4h-7r42-5hrr

reference_url	https://access.redhat.com/errata/RHSA-2022:7343
reference_id	RHSA-2022:7343
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2022:7343

reference_url	https://access.redhat.com/errata/RHSA-2023:0632
reference_id	RHSA-2023:0632
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:0632

reference_url	https://access.redhat.com/errata/RHSA-2023:1486
reference_id	RHSA-2023:1486
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2023:1486

reference_url	https://usn.ubuntu.com/5896-1/
reference_id	USN-5896-1
reference_type
scores
url	https://usn.ubuntu.com/5896-1/

reference_url	https://usn.ubuntu.com/7036-1/
reference_id	USN-7036-1
reference_type
scores
url	https://usn.ubuntu.com/7036-1/

reference_url	https://usn.ubuntu.com/USN-5253-1/
reference_id	USN-USN-5253-1
reference_type
scores
url	https://usn.ubuntu.com/USN-5253-1/

fixed_packages

url	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u1?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u2%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@2.2.4-1?distro=trixie
purl	pkg:deb/debian/ruby-rack@2.2.4-1?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.4-1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1%3Fdistro=trixie

url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-1pt2-23bn-7qev

vulnerability	VCID-21pz-m7dy-8bey

vulnerability	VCID-3bh7-vrvj-p3g1

vulnerability	VCID-6hht-91zy-fqdf

vulnerability	VCID-6t6w-vvzt-fqd9

vulnerability	VCID-7pey-8xge-1fbz

vulnerability	VCID-8rbg-wrmj-1bcu

vulnerability	VCID-dchf-rhvg-zycw

vulnerability	VCID-j3e9-y38h-xbbu

vulnerability	VCID-mftr-ma4j-mbhy

vulnerability	VCID-tzca-xm43-xugs

vulnerability	VCID-vch5-2deq-euaq

vulnerability	VCID-x316-jquh-63ek

resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1%3Fdistro=trixie

url	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl	pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable	`false`
affected_by_vulnerabilities
resource_url	http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie

aliases CVE-2022-30123, GHSA-wq4h-7r42-5hrr

risk_score null

exploitability null

weighted_severity null

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-yu1h-8nr1-vfhu

url VCID-zbqp-syvz-8bb5

vulnerability_id VCID-zbqp-syvz-8bb5

summary

Denial of service via multipart parsing in Rack
There is a denial of service vulnerability in the multipart parsing component of Rack. This vulnerability has been assigned the CVE identifier CVE-2022-44572.

Versions Affected: >= 2.0.0 Not affected: None. Fixed Versions: 2.0.9.2, 2.1.4.2, 2.2.6.1, 3.0.0.1
Impact

Carefully crafted input can cause RFC2183 multipart boundary parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.
Releases

The fixed releases are available at the normal locations.
Workarounds

There are no feasible workarounds for this issue.
Patches

To aid users who aren’t able to upgrade immediately we have provided patches for the two supported release series. They are in git-am format and consist of a single changeset.

    2-0-Forbid-control-characters-in-attributes.patch - Patch for 2.0 series
    2-1-Forbid-control-characters-in-attributes.patch - Patch for 2.1 series
    2-2-Forbid-control-characters-in-attributes.patch - Patch for 2.2 series
    3-0-Forbid-control-characters-in-attributes.patch - Patch for 3.0 series

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-44572.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-44572.json

reference_url

https://api.first.org/data/v1/epss?cve=CVE-2022-44572

reference_id

reference_type

scores

value	0.00255
scoring_system	epss
scoring_elements	0.4897
published_at	2026-05-29T12:55:00Z

url

https://api.first.org/data/v1/epss?cve=CVE-2022-44572

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530

reference_url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539
reference_id
reference_type
scores
url	https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.9
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

reference_url

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-44572.yml

reference_url

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-44572.yml

reference_url

https://hackerone.com/reports/1639882

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://hackerone.com/reports/1639882

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2022-44572

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2022-44572

reference_url

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url