| 0 |
| url |
VCID-3jru-u17n-tyg1 |
| vulnerability_id |
VCID-3jru-u17n-tyg1 |
| summary |
Rack has a Possible Information Disclosure Vulnerability
A possible information disclosure vulnerability existed in `Rack::Sendfile` when running behind a proxy that supports `x-sendfile` headers (such as Nginx). Specially crafted headers could cause `Rack::Sendfile` to miscommunicate with the proxy and trigger unintended internal requests, potentially bypassing proxy-level access restrictions. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-61780, GHSA-r657-rxjc-j557
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3jru-u17n-tyg1 |
|
| 1 |
| url |
VCID-52qe-dast-tkhu |
| vulnerability_id |
VCID-52qe-dast-tkhu |
| summary |
Rack Header Parsing leads to Possible Denial of Service Vulnerability
# Possible Denial of Service Vulnerability in Rack Header Parsing
There is a possible denial of service vulnerability in the header parsing
routines in Rack. This vulnerability has been assigned the CVE identifier
CVE-2024-26146.
Versions Affected: All.
Not affected: None
Fixed Versions: 2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1
Impact
------
Carefully crafted headers can cause header parsing in Rack to take longer than
expected resulting in a possible denial of service issue. Accept and Forwarded
headers are impacted.
Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2
or newer are unaffected.
Releases
--------
The fixed releases are available at the normal locations.
Workarounds
-----------
There are no feasible workarounds for this issue.
Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.
* 2-0-header-redos.patch - Patch for 2.0 series
* 2-1-header-redos.patch - Patch for 2.1 series
* 2-2-header-redos.patch - Patch for 2.2 series
* 3-0-header-redos.patch - Patch for 3.0 series
Credits
-------
Thanks to [svalkanov](https://hackerone.com/svalkanov) for reporting this and
providing patches! |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@2.0.9.4 |
| purl |
pkg:gem/rack@2.0.9.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3jru-u17n-tyg1 |
|
| 1 |
| vulnerability |
VCID-7cef-z5qm-afd8 |
|
| 2 |
| vulnerability |
VCID-amfu-8d25-juhy |
|
| 3 |
| vulnerability |
VCID-bj83-rx84-v3g9 |
|
| 4 |
| vulnerability |
VCID-dss4-6ptr-83av |
|
| 5 |
| vulnerability |
VCID-e11g-k7zm-vkhu |
|
| 6 |
| vulnerability |
VCID-k8fr-zuyx-yyhg |
|
| 7 |
| vulnerability |
VCID-vk15-7qdb-xkh9 |
|
| 8 |
| vulnerability |
VCID-x373-rhh4-7khm |
|
| 9 |
| vulnerability |
VCID-xpa3-1n87-8ucv |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.0.9.4 |
|
| 1 |
| url |
pkg:gem/rack@2.1.4.4 |
| purl |
pkg:gem/rack@2.1.4.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3jru-u17n-tyg1 |
|
| 1 |
| vulnerability |
VCID-7cef-z5qm-afd8 |
|
| 2 |
| vulnerability |
VCID-amfu-8d25-juhy |
|
| 3 |
| vulnerability |
VCID-bj83-rx84-v3g9 |
|
| 4 |
| vulnerability |
VCID-dss4-6ptr-83av |
|
| 5 |
| vulnerability |
VCID-e11g-k7zm-vkhu |
|
| 6 |
| vulnerability |
VCID-k8fr-zuyx-yyhg |
|
| 7 |
| vulnerability |
VCID-vk15-7qdb-xkh9 |
|
| 8 |
| vulnerability |
VCID-x373-rhh4-7khm |
|
| 9 |
| vulnerability |
VCID-xpa3-1n87-8ucv |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.1.4.4 |
|
| 2 |
| url |
pkg:gem/rack@2.2.8.1 |
| purl |
pkg:gem/rack@2.2.8.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3jru-u17n-tyg1 |
|
| 1 |
| vulnerability |
VCID-7cef-z5qm-afd8 |
|
| 2 |
| vulnerability |
VCID-amfu-8d25-juhy |
|
| 3 |
| vulnerability |
VCID-bj83-rx84-v3g9 |
|
| 4 |
| vulnerability |
VCID-dss4-6ptr-83av |
|
| 5 |
| vulnerability |
VCID-e11g-k7zm-vkhu |
|
| 6 |
| vulnerability |
VCID-k8fr-zuyx-yyhg |
|
| 7 |
| vulnerability |
VCID-vk15-7qdb-xkh9 |
|
| 8 |
| vulnerability |
VCID-x373-rhh4-7khm |
|
| 9 |
| vulnerability |
VCID-xpa3-1n87-8ucv |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.8.1 |
|
|
| aliases |
CVE-2024-26146, GHSA-54rr-7fvw-6x8f
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-52qe-dast-tkhu |
|
| 2 |
| url |
VCID-7cef-z5qm-afd8 |
| vulnerability_id |
VCID-7cef-z5qm-afd8 |
| summary |
ReDoS Vulnerability in Rack::Multipart handle_mime_head
### Summary
There is a denial of service vulnerability in the
Content-Disposition parsing component of Rack. This is very
similar to the previous security issue CVE-2022-44571.
### Details
Carefully crafted input can cause Content-Disposition header
parsing in Rack to take an unexpected amount of time, possibly
resulting in a denial of service attack vector. This header is
typically used in multipart parsing. Any applications that
parse multipart posts using Rack (virtually all Rails applications)
are impacted.
### Credits
Thanks to [scyoon](https://hackerone.com/scyoon) for reporting
this to the Rails security team. |
| references |
| 1 |
| reference_url |
https://github.com/rack/rack |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U |
|
| 1 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/rack/rack |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-49007, GHSA-47m2-26rw-j2jw
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7cef-z5qm-afd8 |
|
| 3 |
| url |
VCID-amfu-8d25-juhy |
| vulnerability_id |
VCID-amfu-8d25-juhy |
| summary |
Rack has an unsafe default in Rack::QueryParser that allows params_limit bypass via semicolon-separated parameters
`Rack::QueryParser` in version `< 2.2.18` enforces its `params_limit` only for parameters separated by `&`, while still splitting on both `&` and `;`. As a result, attackers could use `;` separators to bypass the parameter count limit and submit more parameters than intended. |
| references |
|
| fixed_packages |
| 1 |
| url |
pkg:gem/rack@3.0.0.beta1 |
| purl |
pkg:gem/rack@3.0.0.beta1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3jru-u17n-tyg1 |
|
| 1 |
| vulnerability |
VCID-52qe-dast-tkhu |
|
| 2 |
| vulnerability |
VCID-7cef-z5qm-afd8 |
|
| 3 |
| vulnerability |
VCID-bj83-rx84-v3g9 |
|
| 4 |
| vulnerability |
VCID-bqpn-m2fh-9kab |
|
| 5 |
| vulnerability |
VCID-c9mc-7nts-cfgy |
|
| 6 |
| vulnerability |
VCID-dss4-6ptr-83av |
|
| 7 |
| vulnerability |
VCID-e11g-k7zm-vkhu |
|
| 8 |
| vulnerability |
VCID-ebb6-b5tx-5bhf |
|
| 9 |
| vulnerability |
VCID-heu4-cd3d-73ck |
|
| 10 |
| vulnerability |
VCID-hpw3-uw3x-mqgq |
|
| 11 |
| vulnerability |
VCID-k8fr-zuyx-yyhg |
|
| 12 |
| vulnerability |
VCID-pydr-47y4-y3fu |
|
| 13 |
| vulnerability |
VCID-u1u4-7b3v-fue7 |
|
| 14 |
| vulnerability |
VCID-vk15-7qdb-xkh9 |
|
| 15 |
| vulnerability |
VCID-x373-rhh4-7khm |
|
| 16 |
| vulnerability |
VCID-xpa3-1n87-8ucv |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.0.beta1 |
|
|
| aliases |
CVE-2025-59830, GHSA-625h-95r8-8xpm
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-amfu-8d25-juhy |
|
| 4 |
| url |
VCID-bj83-rx84-v3g9 |
| vulnerability_id |
VCID-bj83-rx84-v3g9 |
| summary |
Rack has a Directory Traversal via Rack::Directory
`Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-22860, GHSA-mxw3-3hh2-x2mh
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bj83-rx84-v3g9 |
|
| 5 |
| url |
VCID-bqpn-m2fh-9kab |
| vulnerability_id |
VCID-bqpn-m2fh-9kab |
| summary |
Possible Denial of Service Vulnerability in Rack’s header parsing
There is a denial of service vulnerability in the header parsing component of Rack. Carefully crafted input can cause header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse headers using Rack (virtually all Rails applications) are impacted.
Workarounds
-----------
Setting `Regexp.timeout` in Ruby 3.2 is a possible workaround. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@2.2.6.4 |
| purl |
pkg:gem/rack@2.2.6.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3jru-u17n-tyg1 |
|
| 1 |
| vulnerability |
VCID-52qe-dast-tkhu |
|
| 2 |
| vulnerability |
VCID-7cef-z5qm-afd8 |
|
| 3 |
| vulnerability |
VCID-amfu-8d25-juhy |
|
| 4 |
| vulnerability |
VCID-bj83-rx84-v3g9 |
|
| 5 |
| vulnerability |
VCID-dss4-6ptr-83av |
|
| 6 |
| vulnerability |
VCID-e11g-k7zm-vkhu |
|
| 7 |
| vulnerability |
VCID-heu4-cd3d-73ck |
|
| 8 |
| vulnerability |
VCID-k8fr-zuyx-yyhg |
|
| 9 |
| vulnerability |
VCID-vk15-7qdb-xkh9 |
|
| 10 |
| vulnerability |
VCID-x373-rhh4-7khm |
|
| 11 |
| vulnerability |
VCID-xpa3-1n87-8ucv |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.6.4 |
|
| 1 |
| url |
pkg:gem/rack@3.0.6.1 |
| purl |
pkg:gem/rack@3.0.6.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3jru-u17n-tyg1 |
|
| 1 |
| vulnerability |
VCID-52qe-dast-tkhu |
|
| 2 |
| vulnerability |
VCID-7cef-z5qm-afd8 |
|
| 3 |
| vulnerability |
VCID-bj83-rx84-v3g9 |
|
| 4 |
| vulnerability |
VCID-dss4-6ptr-83av |
|
| 5 |
| vulnerability |
VCID-e11g-k7zm-vkhu |
|
| 6 |
| vulnerability |
VCID-heu4-cd3d-73ck |
|
| 7 |
| vulnerability |
VCID-k8fr-zuyx-yyhg |
|
| 8 |
| vulnerability |
VCID-vk15-7qdb-xkh9 |
|
| 9 |
| vulnerability |
VCID-x373-rhh4-7khm |
|
| 10 |
| vulnerability |
VCID-xpa3-1n87-8ucv |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.6.1 |
|
|
| aliases |
CVE-2023-27539, GHSA-c6qg-cjj8-47qp, GMS-2023-769
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-bqpn-m2fh-9kab |
|
| 6 |
| url |
VCID-c9mc-7nts-cfgy |
| vulnerability_id |
VCID-c9mc-7nts-cfgy |
| summary |
Duplicate
This advisory duplicates another. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@2.0.9.2 |
| purl |
pkg:gem/rack@2.0.9.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3jru-u17n-tyg1 |
|
| 1 |
| vulnerability |
VCID-52qe-dast-tkhu |
|
| 2 |
| vulnerability |
VCID-7cef-z5qm-afd8 |
|
| 3 |
| vulnerability |
VCID-amfu-8d25-juhy |
|
| 4 |
| vulnerability |
VCID-bj83-rx84-v3g9 |
|
| 5 |
| vulnerability |
VCID-bqpn-m2fh-9kab |
|
| 6 |
| vulnerability |
VCID-c9mc-7nts-cfgy |
|
| 7 |
| vulnerability |
VCID-dss4-6ptr-83av |
|
| 8 |
| vulnerability |
VCID-e11g-k7zm-vkhu |
|
| 9 |
| vulnerability |
VCID-ebb6-b5tx-5bhf |
|
| 10 |
| vulnerability |
VCID-heu4-cd3d-73ck |
|
| 11 |
| vulnerability |
VCID-k8fr-zuyx-yyhg |
|
| 12 |
| vulnerability |
VCID-vk15-7qdb-xkh9 |
|
| 13 |
| vulnerability |
VCID-x373-rhh4-7khm |
|
| 14 |
| vulnerability |
VCID-xpa3-1n87-8ucv |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.0.9.2 |
|
| 1 |
| url |
pkg:gem/rack@2.1.4.2 |
| purl |
pkg:gem/rack@2.1.4.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3jru-u17n-tyg1 |
|
| 1 |
| vulnerability |
VCID-52qe-dast-tkhu |
|
| 2 |
| vulnerability |
VCID-7cef-z5qm-afd8 |
|
| 3 |
| vulnerability |
VCID-amfu-8d25-juhy |
|
| 4 |
| vulnerability |
VCID-bj83-rx84-v3g9 |
|
| 5 |
| vulnerability |
VCID-bqpn-m2fh-9kab |
|
| 6 |
| vulnerability |
VCID-c9mc-7nts-cfgy |
|
| 7 |
| vulnerability |
VCID-dss4-6ptr-83av |
|
| 8 |
| vulnerability |
VCID-e11g-k7zm-vkhu |
|
| 9 |
| vulnerability |
VCID-ebb6-b5tx-5bhf |
|
| 10 |
| vulnerability |
VCID-heu4-cd3d-73ck |
|
| 11 |
| vulnerability |
VCID-k8fr-zuyx-yyhg |
|
| 12 |
| vulnerability |
VCID-vk15-7qdb-xkh9 |
|
| 13 |
| vulnerability |
VCID-x373-rhh4-7khm |
|
| 14 |
| vulnerability |
VCID-xpa3-1n87-8ucv |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.1.4.2 |
|
| 2 |
| url |
pkg:gem/rack@2.2.5 |
| purl |
pkg:gem/rack@2.2.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3jru-u17n-tyg1 |
|
| 1 |
| vulnerability |
VCID-52qe-dast-tkhu |
|
| 2 |
| vulnerability |
VCID-7cef-z5qm-afd8 |
|
| 3 |
| vulnerability |
VCID-amfu-8d25-juhy |
|
| 4 |
| vulnerability |
VCID-bj83-rx84-v3g9 |
|
| 5 |
| vulnerability |
VCID-bqpn-m2fh-9kab |
|
| 6 |
| vulnerability |
VCID-c9mc-7nts-cfgy |
|
| 7 |
| vulnerability |
VCID-dss4-6ptr-83av |
|
| 8 |
| vulnerability |
VCID-e11g-k7zm-vkhu |
|
| 9 |
| vulnerability |
VCID-ebb6-b5tx-5bhf |
|
| 10 |
| vulnerability |
VCID-heu4-cd3d-73ck |
|
| 11 |
| vulnerability |
VCID-k8fr-zuyx-yyhg |
|
| 12 |
| vulnerability |
VCID-vk15-7qdb-xkh9 |
|
| 13 |
| vulnerability |
VCID-x373-rhh4-7khm |
|
| 14 |
| vulnerability |
VCID-xpa3-1n87-8ucv |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.5 |
|
| 3 |
| url |
pkg:gem/rack@2.2.6.1 |
| purl |
pkg:gem/rack@2.2.6.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3jru-u17n-tyg1 |
|
| 1 |
| vulnerability |
VCID-52qe-dast-tkhu |
|
| 2 |
| vulnerability |
VCID-7cef-z5qm-afd8 |
|
| 3 |
| vulnerability |
VCID-amfu-8d25-juhy |
|
| 4 |
| vulnerability |
VCID-bj83-rx84-v3g9 |
|
| 5 |
| vulnerability |
VCID-bqpn-m2fh-9kab |
|
| 6 |
| vulnerability |
VCID-c9mc-7nts-cfgy |
|
| 7 |
| vulnerability |
VCID-dss4-6ptr-83av |
|
| 8 |
| vulnerability |
VCID-e11g-k7zm-vkhu |
|
| 9 |
| vulnerability |
VCID-ebb6-b5tx-5bhf |
|
| 10 |
| vulnerability |
VCID-heu4-cd3d-73ck |
|
| 11 |
| vulnerability |
VCID-k8fr-zuyx-yyhg |
|
| 12 |
| vulnerability |
VCID-vk15-7qdb-xkh9 |
|
| 13 |
| vulnerability |
VCID-x373-rhh4-7khm |
|
| 14 |
| vulnerability |
VCID-xpa3-1n87-8ucv |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.6.1 |
|
| 4 |
| url |
pkg:gem/rack@3.0.4.1 |
| purl |
pkg:gem/rack@3.0.4.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3jru-u17n-tyg1 |
|
| 1 |
| vulnerability |
VCID-52qe-dast-tkhu |
|
| 2 |
| vulnerability |
VCID-7cef-z5qm-afd8 |
|
| 3 |
| vulnerability |
VCID-bj83-rx84-v3g9 |
|
| 4 |
| vulnerability |
VCID-bqpn-m2fh-9kab |
|
| 5 |
| vulnerability |
VCID-dss4-6ptr-83av |
|
| 6 |
| vulnerability |
VCID-e11g-k7zm-vkhu |
|
| 7 |
| vulnerability |
VCID-heu4-cd3d-73ck |
|
| 8 |
| vulnerability |
VCID-k8fr-zuyx-yyhg |
|
| 9 |
| vulnerability |
VCID-vk15-7qdb-xkh9 |
|
| 10 |
| vulnerability |
VCID-x373-rhh4-7khm |
|
| 11 |
| vulnerability |
VCID-xpa3-1n87-8ucv |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.4.1 |
|
|
| aliases |
CVE-2022-44572, GHSA-rqv2-275x-2jq5, GMS-2023-66
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-c9mc-7nts-cfgy |
|
| 7 |
| url |
VCID-dss4-6ptr-83av |
| vulnerability_id |
VCID-dss4-6ptr-83av |
| summary |
Rack: Multipart parser buffers large non-file fields entirely in memory, enabling DoS (memory exhaustion)
`Rack::Multipart::Parser` stores non-file form fields (parts without a `filename`) entirely in memory as Ruby `String` objects. A single large text field in a multipart/form-data request (hundreds of megabytes or more) can consume equivalent process memory, potentially leading to out-of-memory (OOM) conditions and denial of service (DoS). |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-61771, GHSA-w9pc-fmgc-vxvw
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-dss4-6ptr-83av |
|
| 8 |
| url |
VCID-e11g-k7zm-vkhu |
| vulnerability_id |
VCID-e11g-k7zm-vkhu |
| summary |
Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing
`Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-61919, GHSA-6xw4-3v39-52mm
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-e11g-k7zm-vkhu |
|
| 9 |
| url |
VCID-ebb6-b5tx-5bhf |
| vulnerability_id |
VCID-ebb6-b5tx-5bhf |
| summary |
Duplicate
This advisory duplicates another. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@2.0.9.2 |
| purl |
pkg:gem/rack@2.0.9.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3jru-u17n-tyg1 |
|
| 1 |
| vulnerability |
VCID-52qe-dast-tkhu |
|
| 2 |
| vulnerability |
VCID-7cef-z5qm-afd8 |
|
| 3 |
| vulnerability |
VCID-amfu-8d25-juhy |
|
| 4 |
| vulnerability |
VCID-bj83-rx84-v3g9 |
|
| 5 |
| vulnerability |
VCID-bqpn-m2fh-9kab |
|
| 6 |
| vulnerability |
VCID-c9mc-7nts-cfgy |
|
| 7 |
| vulnerability |
VCID-dss4-6ptr-83av |
|
| 8 |
| vulnerability |
VCID-e11g-k7zm-vkhu |
|
| 9 |
| vulnerability |
VCID-ebb6-b5tx-5bhf |
|
| 10 |
| vulnerability |
VCID-heu4-cd3d-73ck |
|
| 11 |
| vulnerability |
VCID-k8fr-zuyx-yyhg |
|
| 12 |
| vulnerability |
VCID-vk15-7qdb-xkh9 |
|
| 13 |
| vulnerability |
VCID-x373-rhh4-7khm |
|
| 14 |
| vulnerability |
VCID-xpa3-1n87-8ucv |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.0.9.2 |
|
| 1 |
| url |
pkg:gem/rack@2.1.4.2 |
| purl |
pkg:gem/rack@2.1.4.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3jru-u17n-tyg1 |
|
| 1 |
| vulnerability |
VCID-52qe-dast-tkhu |
|
| 2 |
| vulnerability |
VCID-7cef-z5qm-afd8 |
|
| 3 |
| vulnerability |
VCID-amfu-8d25-juhy |
|
| 4 |
| vulnerability |
VCID-bj83-rx84-v3g9 |
|
| 5 |
| vulnerability |
VCID-bqpn-m2fh-9kab |
|
| 6 |
| vulnerability |
VCID-c9mc-7nts-cfgy |
|
| 7 |
| vulnerability |
VCID-dss4-6ptr-83av |
|
| 8 |
| vulnerability |
VCID-e11g-k7zm-vkhu |
|
| 9 |
| vulnerability |
VCID-ebb6-b5tx-5bhf |
|
| 10 |
| vulnerability |
VCID-heu4-cd3d-73ck |
|
| 11 |
| vulnerability |
VCID-k8fr-zuyx-yyhg |
|
| 12 |
| vulnerability |
VCID-vk15-7qdb-xkh9 |
|
| 13 |
| vulnerability |
VCID-x373-rhh4-7khm |
|
| 14 |
| vulnerability |
VCID-xpa3-1n87-8ucv |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.1.4.2 |
|
| 2 |
| url |
pkg:gem/rack@2.2.6.1 |
| purl |
pkg:gem/rack@2.2.6.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3jru-u17n-tyg1 |
|
| 1 |
| vulnerability |
VCID-52qe-dast-tkhu |
|
| 2 |
| vulnerability |
VCID-7cef-z5qm-afd8 |
|
| 3 |
| vulnerability |
VCID-amfu-8d25-juhy |
|
| 4 |
| vulnerability |
VCID-bj83-rx84-v3g9 |
|
| 5 |
| vulnerability |
VCID-bqpn-m2fh-9kab |
|
| 6 |
| vulnerability |
VCID-c9mc-7nts-cfgy |
|
| 7 |
| vulnerability |
VCID-dss4-6ptr-83av |
|
| 8 |
| vulnerability |
VCID-e11g-k7zm-vkhu |
|
| 9 |
| vulnerability |
VCID-ebb6-b5tx-5bhf |
|
| 10 |
| vulnerability |
VCID-heu4-cd3d-73ck |
|
| 11 |
| vulnerability |
VCID-k8fr-zuyx-yyhg |
|
| 12 |
| vulnerability |
VCID-vk15-7qdb-xkh9 |
|
| 13 |
| vulnerability |
VCID-x373-rhh4-7khm |
|
| 14 |
| vulnerability |
VCID-xpa3-1n87-8ucv |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.6.1 |
|
| 3 |
| url |
pkg:gem/rack@3.0.4.1 |
| purl |
pkg:gem/rack@3.0.4.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3jru-u17n-tyg1 |
|
| 1 |
| vulnerability |
VCID-52qe-dast-tkhu |
|
| 2 |
| vulnerability |
VCID-7cef-z5qm-afd8 |
|
| 3 |
| vulnerability |
VCID-bj83-rx84-v3g9 |
|
| 4 |
| vulnerability |
VCID-bqpn-m2fh-9kab |
|
| 5 |
| vulnerability |
VCID-dss4-6ptr-83av |
|
| 6 |
| vulnerability |
VCID-e11g-k7zm-vkhu |
|
| 7 |
| vulnerability |
VCID-heu4-cd3d-73ck |
|
| 8 |
| vulnerability |
VCID-k8fr-zuyx-yyhg |
|
| 9 |
| vulnerability |
VCID-vk15-7qdb-xkh9 |
|
| 10 |
| vulnerability |
VCID-x373-rhh4-7khm |
|
| 11 |
| vulnerability |
VCID-xpa3-1n87-8ucv |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.4.1 |
|
|
| aliases |
CVE-2022-44571, GHSA-93pm-5p5f-3ghx, GMS-2023-65
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-ebb6-b5tx-5bhf |
|
| 10 |
| url |
VCID-heu4-cd3d-73ck |
| vulnerability_id |
VCID-heu4-cd3d-73ck |
| summary |
Rack has possible DoS Vulnerability with Range Header
# Possible DoS Vulnerability with Range Header in Rack
There is a possible DoS vulnerability relating to the Range request header in
Rack. This vulnerability has been assigned the CVE identifier CVE-2024-26141.
Versions Affected: >= 1.3.0.
Not affected: < 1.3.0
Fixed Versions: 3.0.9.1, 2.2.8.1
Impact
------
Carefully crafted Range headers can cause a server to respond with an
unexpectedly large response. Responding with such large responses could lead
to a denial of service issue.
Vulnerable applications will use the `Rack::File` middleware or the
`Rack::Utils.byte_ranges` methods (this includes Rails applications).
Releases
--------
The fixed releases are available at the normal locations.
Workarounds
-----------
There are no feasible workarounds for this issue.
Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.
* 3-0-range.patch - Patch for 3.0 series
* 2-2-range.patch - Patch for 2.2 series
Credits
-------
Thank you [ooooooo_q](https://hackerone.com/ooooooo_q) for the report and
patch. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@2.2.8.1 |
| purl |
pkg:gem/rack@2.2.8.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3jru-u17n-tyg1 |
|
| 1 |
| vulnerability |
VCID-7cef-z5qm-afd8 |
|
| 2 |
| vulnerability |
VCID-amfu-8d25-juhy |
|
| 3 |
| vulnerability |
VCID-bj83-rx84-v3g9 |
|
| 4 |
| vulnerability |
VCID-dss4-6ptr-83av |
|
| 5 |
| vulnerability |
VCID-e11g-k7zm-vkhu |
|
| 6 |
| vulnerability |
VCID-k8fr-zuyx-yyhg |
|
| 7 |
| vulnerability |
VCID-vk15-7qdb-xkh9 |
|
| 8 |
| vulnerability |
VCID-x373-rhh4-7khm |
|
| 9 |
| vulnerability |
VCID-xpa3-1n87-8ucv |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.8.1 |
|
|
| aliases |
CVE-2024-26141, GHSA-xj5v-6v4g-jfw6
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-heu4-cd3d-73ck |
|
| 11 |
| url |
VCID-k8fr-zuyx-yyhg |
| vulnerability_id |
VCID-k8fr-zuyx-yyhg |
| summary |
Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
`Rack::Multipart::Parser` can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line (`CRLFCRLF`). The parser keeps appending incoming bytes to memory without a size cap, allowing a remote attacker to exhaust memory and cause a denial of service (DoS). |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-61772, GHSA-wpv5-97wm-hp9c
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-k8fr-zuyx-yyhg |
|
| 12 |
| url |
VCID-vk15-7qdb-xkh9 |
| vulnerability_id |
VCID-vk15-7qdb-xkh9 |
| summary |
Escape Sequence Injection vulnerability in Rack leads to Possible Log Injection
## Summary
`Rack::Sendfile` can be exploited by crafting input that
includes newline characters to manipulate log entries.
## Details
The `Rack::Sendfile` middleware logs unsanitized header values from
the `X-Sendfile-Type` header. An attacker can exploit this by
injecting escape sequences (such as newline characters) into the
header, resulting in log injection.
## Impact
This vulnerability can distort log files, obscure
attack traces, and complicate security auditing.
## Mitigation
- Update to the latest version of Rack, or
- Remove usage of `Rack::Sendfile`. |
| references |
| 1 |
| reference_url |
https://github.com/rack/rack |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 1 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/rack/rack |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-27111, GHSA-8cgq-6mh2-7j6v
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vk15-7qdb-xkh9 |
|
| 13 |
| url |
VCID-x373-rhh4-7khm |
| vulnerability_id |
VCID-x373-rhh4-7khm |
| summary |
Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href
`Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename begins with the `javascript:` scheme (e.g. `javascript:alert(1)`), the generated index includes an anchor whose `href` attribute is exactly `javascript:alert(1)`. Clicking this entry executes arbitrary JavaScript in the context of the hosting application.
This results in a client-side XSS condition in directory listings generated by `Rack::Directory`. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2026-25500, GHSA-whrj-4476-wvmp
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-x373-rhh4-7khm |
|
| 14 |
| url |
VCID-xpa3-1n87-8ucv |
| vulnerability_id |
VCID-xpa3-1n87-8ucv |
| summary |
Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion)
`Rack::Multipart::Parser` buffers the entire multipart **preamble** (bytes before the first boundary) in memory without any size limit. A client can send a large preamble followed by a valid boundary, causing significant memory use and potential process termination due to out-of-memory (OOM) conditions. |
| references |
|
| fixed_packages |
|
| aliases |
CVE-2025-61770, GHSA-p543-xpfm-54cp
|
| risk_score |
null |
| exploitability |
null |
| weighted_severity |
null |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xpa3-1n87-8ucv |
|