Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:gem/rack@3.0.6.1
Typegem
Namespace
Namerack
Version3.0.6.1
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version3.1.21
Latest_non_vulnerable_version3.2.6
Affected_by_vulnerabilities
0
url VCID-13d1-uyw3-6bb6
vulnerability_id VCID-13d1-uyw3-6bb6
summary 
Rack has a Directory Traversal via Rack:Directory
`Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22860.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22860.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-22860
reference_id
reference_type
scores
0
value 0.00123
scoring_system epss
scoring_elements 0.31145
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-22860
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
4
reference_url https://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-18T19:27:31Z/
url https://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7
5
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128479
reference_id 1128479
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128479
6
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2440737
reference_id 2440737
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2440737
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-22860
reference_id CVE-2026-22860
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-22860
8
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-22860.yml
reference_id CVE-2026-22860.YML
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-22860.yml
9
reference_url https://github.com/advisories/GHSA-mxw3-3hh2-x2mh
reference_id GHSA-mxw3-3hh2-x2mh
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-mxw3-3hh2-x2mh
10
reference_url https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh
reference_id GHSA-mxw3-3hh2-x2mh
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-18T19:27:31Z/
url https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh
11
reference_url https://usn.ubuntu.com/8066-1/
reference_id USN-8066-1
reference_type
scores
url https://usn.ubuntu.com/8066-1/
fixed_packages
0
url pkg:gem/rack@3.1.20
purl pkg:gem/rack@3.1.20
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-13d1-uyw3-6bb6
1
vulnerability VCID-xz8w-wefz-bffs
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.20
1
url pkg:gem/rack@3.2.5
purl pkg:gem/rack@3.2.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-13d1-uyw3-6bb6
1
vulnerability VCID-xz8w-wefz-bffs
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.5
aliases CVE-2026-22860, GHSA-mxw3-3hh2-x2mh
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-13d1-uyw3-6bb6
1
url VCID-64cf-ysff-u7bt
vulnerability_id VCID-64cf-ysff-u7bt
summary 
Rack: Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
`Rack::Multipart::Parser` stores non-file form fields (parts without a `filename`) entirely in memory as Ruby `String` objects. A single large text field in a multipart/form-data request (hundreds of megabytes or more) can consume equivalent process memory, potentially leading to out-of-memory (OOM) conditions and denial of service (DoS).
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61771.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61771.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-61771
reference_id
reference_type
scores
0
value 0.00107
scoring_system epss
scoring_elements 0.2865
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-61771
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
4
reference_url https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:58Z/
url https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e
5
reference_url https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:58Z/
url https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e
6
reference_url https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:58Z/
url https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd
7
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117628
reference_id 1117628
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117628
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2402175
reference_id 2402175
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2402175
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-61771
reference_id CVE-2025-61771
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-61771
10
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61771.yml
reference_id CVE-2025-61771.YML
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61771.yml
11
reference_url https://github.com/advisories/GHSA-w9pc-fmgc-vxvw
reference_id GHSA-w9pc-fmgc-vxvw
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-w9pc-fmgc-vxvw
12
reference_url https://github.com/rack/rack/security/advisories/GHSA-w9pc-fmgc-vxvw
reference_id GHSA-w9pc-fmgc-vxvw
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:58Z/
url https://github.com/rack/rack/security/advisories/GHSA-w9pc-fmgc-vxvw
13
reference_url https://access.redhat.com/errata/RHSA-2025:19512
reference_id RHSA-2025:19512
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19512
14
reference_url https://access.redhat.com/errata/RHSA-2025:19513
reference_id RHSA-2025:19513
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19513
15
reference_url https://access.redhat.com/errata/RHSA-2025:19647
reference_id RHSA-2025:19647
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19647
16
reference_url https://access.redhat.com/errata/RHSA-2025:19719
reference_id RHSA-2025:19719
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19719
17
reference_url https://access.redhat.com/errata/RHSA-2025:19734
reference_id RHSA-2025:19734
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19734
18
reference_url https://access.redhat.com/errata/RHSA-2025:19800
reference_id RHSA-2025:19800
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19800
19
reference_url https://access.redhat.com/errata/RHSA-2025:19948
reference_id RHSA-2025:19948
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19948
20
reference_url https://access.redhat.com/errata/RHSA-2025:20962
reference_id RHSA-2025:20962
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:20962
21
reference_url https://access.redhat.com/errata/RHSA-2025:21036
reference_id RHSA-2025:21036
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:21036
22
reference_url https://access.redhat.com/errata/RHSA-2025:21696
reference_id RHSA-2025:21696
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:21696
23
reference_url https://usn.ubuntu.com/7960-1/
reference_id USN-7960-1
reference_type
scores
url https://usn.ubuntu.com/7960-1/
fixed_packages
0
url pkg:gem/rack@3.1.17
purl pkg:gem/rack@3.1.17
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-13d1-uyw3-6bb6
1
vulnerability VCID-kjyv-r8rk-rqd3
2
vulnerability VCID-q17h-k4dc-rka5
3
vulnerability VCID-xz8w-wefz-bffs
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.17
1
url pkg:gem/rack@3.2.2
purl pkg:gem/rack@3.2.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-13d1-uyw3-6bb6
1
vulnerability VCID-kjyv-r8rk-rqd3
2
vulnerability VCID-q17h-k4dc-rka5
3
vulnerability VCID-xz8w-wefz-bffs
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.2
aliases CVE-2025-61771, GHSA-w9pc-fmgc-vxvw
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-64cf-ysff-u7bt
2
url VCID-7jqg-1whb-4kdw
vulnerability_id VCID-7jqg-1whb-4kdw
summary 
Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
`Rack::Multipart::Parser` can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line (`CRLFCRLF`). The parser keeps appending incoming bytes to memory without a size cap, allowing a remote attacker to exhaust memory and cause a denial of service (DoS).
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61772.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61772.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-61772
reference_id
reference_type
scores
0
value 0.00324
scoring_system epss
scoring_elements 0.55649
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-61772
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
4
reference_url https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:19Z/
url https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e
5
reference_url https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:19Z/
url https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e
6
reference_url https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:19Z/
url https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd
7
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117627
reference_id 1117627
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117627
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2402200
reference_id 2402200
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2402200
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-61772
reference_id CVE-2025-61772
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-61772
10
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61772.yml
reference_id CVE-2025-61772.YML
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61772.yml
11
reference_url https://github.com/advisories/GHSA-wpv5-97wm-hp9c
reference_id GHSA-wpv5-97wm-hp9c
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-wpv5-97wm-hp9c
12
reference_url https://github.com/rack/rack/security/advisories/GHSA-wpv5-97wm-hp9c
reference_id GHSA-wpv5-97wm-hp9c
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:19Z/
url https://github.com/rack/rack/security/advisories/GHSA-wpv5-97wm-hp9c
13
reference_url https://access.redhat.com/errata/RHSA-2025:19512
reference_id RHSA-2025:19512
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19512
14
reference_url https://access.redhat.com/errata/RHSA-2025:19513
reference_id RHSA-2025:19513
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19513
15
reference_url https://access.redhat.com/errata/RHSA-2025:19647
reference_id RHSA-2025:19647
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19647
16
reference_url https://access.redhat.com/errata/RHSA-2025:19719
reference_id RHSA-2025:19719
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19719
17
reference_url https://access.redhat.com/errata/RHSA-2025:19733
reference_id RHSA-2025:19733
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19733
18
reference_url https://access.redhat.com/errata/RHSA-2025:19734
reference_id RHSA-2025:19734
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19734
19
reference_url https://access.redhat.com/errata/RHSA-2025:19736
reference_id RHSA-2025:19736
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19736
20
reference_url https://access.redhat.com/errata/RHSA-2025:19800
reference_id RHSA-2025:19800
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19800
21
reference_url https://access.redhat.com/errata/RHSA-2025:19948
reference_id RHSA-2025:19948
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19948
22
reference_url https://access.redhat.com/errata/RHSA-2025:20962
reference_id RHSA-2025:20962
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:20962
23
reference_url https://access.redhat.com/errata/RHSA-2025:21036
reference_id RHSA-2025:21036
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:21036
24
reference_url https://usn.ubuntu.com/7960-1/
reference_id USN-7960-1
reference_type
scores
url https://usn.ubuntu.com/7960-1/
fixed_packages
0
url pkg:gem/rack@3.1.17
purl pkg:gem/rack@3.1.17
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-13d1-uyw3-6bb6
1
vulnerability VCID-kjyv-r8rk-rqd3
2
vulnerability VCID-q17h-k4dc-rka5
3
vulnerability VCID-xz8w-wefz-bffs
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.17
1
url pkg:gem/rack@3.2.2
purl pkg:gem/rack@3.2.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-13d1-uyw3-6bb6
1
vulnerability VCID-kjyv-r8rk-rqd3
2
vulnerability VCID-q17h-k4dc-rka5
3
vulnerability VCID-xz8w-wefz-bffs
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.2
aliases CVE-2025-61772, GHSA-wpv5-97wm-hp9c
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7jqg-1whb-4kdw
3
url VCID-8txn-z2vt-7kex
vulnerability_id VCID-8txn-z2vt-7kex
summary 
Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion)
`Rack::Multipart::Parser` buffers the entire multipart **preamble** (bytes before the first boundary) in memory without any size limit. A client can send a large preamble followed by a valid boundary, causing significant memory use and potential process termination due to out-of-memory (OOM) conditions.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61770.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61770.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-61770
reference_id
reference_type
scores
0
value 0.00266
scoring_system epss
scoring_elements 0.50221
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-61770
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
4
reference_url https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T15:23:07Z/
url https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e
5
reference_url https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T15:23:07Z/
url https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e
6
reference_url https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T15:23:07Z/
url https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd
7
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117627
reference_id 1117627
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117627
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2402174
reference_id 2402174
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2402174
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-61770
reference_id CVE-2025-61770
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-61770
10
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61770.yml
reference_id CVE-2025-61770.YML
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61770.yml
11
reference_url https://github.com/advisories/GHSA-p543-xpfm-54cp
reference_id GHSA-p543-xpfm-54cp
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-p543-xpfm-54cp
12
reference_url https://github.com/rack/rack/security/advisories/GHSA-p543-xpfm-54cp
reference_id GHSA-p543-xpfm-54cp
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T15:23:07Z/
url https://github.com/rack/rack/security/advisories/GHSA-p543-xpfm-54cp
13
reference_url https://access.redhat.com/errata/RHSA-2025:19512
reference_id RHSA-2025:19512
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19512
14
reference_url https://access.redhat.com/errata/RHSA-2025:19513
reference_id RHSA-2025:19513
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19513
15
reference_url https://access.redhat.com/errata/RHSA-2025:19647
reference_id RHSA-2025:19647
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19647
16
reference_url https://access.redhat.com/errata/RHSA-2025:19719
reference_id RHSA-2025:19719
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19719
17
reference_url https://access.redhat.com/errata/RHSA-2025:19733
reference_id RHSA-2025:19733
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19733
18
reference_url https://access.redhat.com/errata/RHSA-2025:19734
reference_id RHSA-2025:19734
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19734
19
reference_url https://access.redhat.com/errata/RHSA-2025:19736
reference_id RHSA-2025:19736
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19736
20
reference_url https://access.redhat.com/errata/RHSA-2025:19800
reference_id RHSA-2025:19800
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19800
21
reference_url https://access.redhat.com/errata/RHSA-2025:19948
reference_id RHSA-2025:19948
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19948
22
reference_url https://access.redhat.com/errata/RHSA-2025:20962
reference_id RHSA-2025:20962
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:20962
23
reference_url https://access.redhat.com/errata/RHSA-2025:21036
reference_id RHSA-2025:21036
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:21036
24
reference_url https://access.redhat.com/errata/RHSA-2025:21696
reference_id RHSA-2025:21696
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:21696
25
reference_url https://usn.ubuntu.com/7960-1/
reference_id USN-7960-1
reference_type
scores
url https://usn.ubuntu.com/7960-1/
fixed_packages
0
url pkg:gem/rack@3.1.17
purl pkg:gem/rack@3.1.17
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-13d1-uyw3-6bb6
1
vulnerability VCID-kjyv-r8rk-rqd3
2
vulnerability VCID-q17h-k4dc-rka5
3
vulnerability VCID-xz8w-wefz-bffs
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.17
1
url pkg:gem/rack@3.2.2
purl pkg:gem/rack@3.2.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-13d1-uyw3-6bb6
1
vulnerability VCID-kjyv-r8rk-rqd3
2
vulnerability VCID-q17h-k4dc-rka5
3
vulnerability VCID-xz8w-wefz-bffs
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.2
aliases CVE-2025-61770, GHSA-p543-xpfm-54cp
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-8txn-z2vt-7kex
4
url VCID-9qjs-6tck-47bh
vulnerability_id VCID-9qjs-6tck-47bh
summary
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-49007.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-49007.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-49007
reference_id
reference_type
scores
0
value 0.00569
scoring_system epss
scoring_elements 0.68878
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-49007
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
4
reference_url https://github.com/rack/rack/commit/4795831a0a310c2d31102749e551b38faab6401f
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-05T13:20:37Z/
url https://github.com/rack/rack/commit/4795831a0a310c2d31102749e551b38faab6401f
5
reference_url https://github.com/rack/rack/commit/aed514df37e33907df3c971ed3ca9a0a20ac2901
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-05T13:20:37Z/
url https://github.com/rack/rack/commit/aed514df37e33907df3c971ed3ca9a0a20ac2901
6
reference_url https://github.com/rack/rack/security/advisories/GHSA-47m2-26rw-j2jw
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-05T13:20:37Z/
url https://github.com/rack/rack/security/advisories/GHSA-47m2-26rw-j2jw
7
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-49007.yml
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-49007.yml
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-49007
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-49007
9
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107363
reference_id 1107363
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107363
10
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2370346
reference_id 2370346
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2370346
11
reference_url https://github.com/advisories/GHSA-47m2-26rw-j2jw
reference_id GHSA-47m2-26rw-j2jw
reference_type
scores
url https://github.com/advisories/GHSA-47m2-26rw-j2jw
fixed_packages
0
url pkg:gem/rack@3.1.16
purl pkg:gem/rack@3.1.16
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-13d1-uyw3-6bb6
1
vulnerability VCID-64cf-ysff-u7bt
2
vulnerability VCID-7jqg-1whb-4kdw
3
vulnerability VCID-8txn-z2vt-7kex
4
vulnerability VCID-9qjs-6tck-47bh
5
vulnerability VCID-kjyv-r8rk-rqd3
6
vulnerability VCID-q17h-k4dc-rka5
7
vulnerability VCID-xz8w-wefz-bffs
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.16
aliases CVE-2025-49007, GHSA-47m2-26rw-j2jw
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-9qjs-6tck-47bh
5
url VCID-b83y-urzk-jqey
vulnerability_id VCID-b83y-urzk-jqey
summary
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27111.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27111.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-27111
reference_id
reference_type
scores
0
value 0.00865
scoring_system epss
scoring_elements 0.75436
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-27111
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
4
reference_url https://github.com/rack/rack/commit/803aa221e8302719715e224f4476e438f2531a53
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-04T15:44:28Z/
url https://github.com/rack/rack/commit/803aa221e8302719715e224f4476e438f2531a53
5
reference_url https://github.com/rack/rack/commit/aeac570bb8080ca7b53b7f2e2f67498be7ebd30b
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-04T15:44:28Z/
url https://github.com/rack/rack/commit/aeac570bb8080ca7b53b7f2e2f67498be7ebd30b
6
reference_url https://github.com/rack/rack/commit/b13bc6bfc7506aca3478dc5ac1c2ec6fc53f82a3
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-04T15:44:28Z/
url https://github.com/rack/rack/commit/b13bc6bfc7506aca3478dc5ac1c2ec6fc53f82a3
7
reference_url https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-04T15:44:28Z/
url https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v
8
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-27111.yml
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-27111.yml
9
reference_url https://lists.debian.org/debian-lts-announce/2025/03/msg00016.html
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/03/msg00016.html
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-27111
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-27111
11
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1099546
reference_id 1099546
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1099546
12
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2349810
reference_id 2349810
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2349810
13
reference_url https://github.com/advisories/GHSA-8cgq-6mh2-7j6v
reference_id GHSA-8cgq-6mh2-7j6v
reference_type
scores
url https://github.com/advisories/GHSA-8cgq-6mh2-7j6v
14
reference_url https://usn.ubuntu.com/7366-1/
reference_id USN-7366-1
reference_type
scores
url https://usn.ubuntu.com/7366-1/
15
reference_url https://usn.ubuntu.com/7366-2/
reference_id USN-7366-2
reference_type
scores
url https://usn.ubuntu.com/7366-2/
fixed_packages
0
url pkg:gem/rack@3.0.13
purl pkg:gem/rack@3.0.13
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-13d1-uyw3-6bb6
1
vulnerability VCID-64cf-ysff-u7bt
2
vulnerability VCID-7jqg-1whb-4kdw
3
vulnerability VCID-8txn-z2vt-7kex
4
vulnerability VCID-9qjs-6tck-47bh
5
vulnerability VCID-kjyv-r8rk-rqd3
6
vulnerability VCID-q17h-k4dc-rka5
7
vulnerability VCID-xz8w-wefz-bffs
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.13
1
url pkg:gem/rack@3.1.11
purl pkg:gem/rack@3.1.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-13d1-uyw3-6bb6
1
vulnerability VCID-64cf-ysff-u7bt
2
vulnerability VCID-7jqg-1whb-4kdw
3
vulnerability VCID-8txn-z2vt-7kex
4
vulnerability VCID-9qjs-6tck-47bh
5
vulnerability VCID-kjyv-r8rk-rqd3
6
vulnerability VCID-q17h-k4dc-rka5
7
vulnerability VCID-xz8w-wefz-bffs
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.11
aliases CVE-2025-27111, GHSA-8cgq-6mh2-7j6v
risk_score 2.4
exploitability 0.5
weighted_severity 4.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-b83y-urzk-jqey
6
url VCID-dsxp-jp3h-g3br
vulnerability_id VCID-dsxp-jp3h-g3br
summary 
Rack has possible DoS Vulnerability with Range Header
# Possible DoS Vulnerability with Range Header in Rack

There is a possible DoS vulnerability relating to the Range request header in
Rack.  This vulnerability has been assigned the CVE identifier CVE-2024-26141.

Versions Affected:  >= 1.3.0.
Not affected:       < 1.3.0
Fixed Versions:     3.0.9.1, 2.2.8.1

Impact
------
Carefully crafted Range headers can cause a server to respond with an
unexpectedly large response. Responding with such large responses could lead
to a denial of service issue.

Vulnerable applications will use the `Rack::File` middleware or the
`Rack::Utils.byte_ranges` methods (this includes Rails applications).

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
There are no feasible workarounds for this issue.

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

* 3-0-range.patch - Patch for 3.0 series
* 2-2-range.patch - Patch for 2.2 series

Credits
-------

Thank you [ooooooo_q](https://hackerone.com/ooooooo_q) for the report and
patch
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26141.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26141.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-26141
reference_id
reference_type
scores
0
value 0.0041
scoring_system epss
scoring_elements 0.6162
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-26141
2
reference_url https://discuss.rubyonrails.org/t/possible-dos-vulnerability-with-range-header-in-rack/84944
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-05T18:23:59Z/
url https://discuss.rubyonrails.org/t/possible-dos-vulnerability-with-range-header-in-rack/84944
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://github.com/rack/rack/commit/4849132bef471adb21131980df745f4bb84de2d9
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-05T18:23:59Z/
url https://github.com/rack/rack/commit/4849132bef471adb21131980df745f4bb84de2d9
6
reference_url https://github.com/rack/rack/commit/62457686b26d33a15a254c7768c2076e8e02b48b
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-05T18:23:59Z/
url https://github.com/rack/rack/commit/62457686b26d33a15a254c7768c2076e8e02b48b
7
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064516
reference_id 1064516
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064516
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2265594
reference_id 2265594
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2265594
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-26141
reference_id CVE-2024-26141
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-26141
10
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26141.yml
reference_id CVE-2024-26141.YML
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-05T18:23:59Z/
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26141.yml
11
reference_url https://github.com/advisories/GHSA-xj5v-6v4g-jfw6
reference_id GHSA-xj5v-6v4g-jfw6
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-xj5v-6v4g-jfw6
12
reference_url https://github.com/rack/rack/security/advisories/GHSA-xj5v-6v4g-jfw6
reference_id GHSA-xj5v-6v4g-jfw6
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-05T18:23:59Z/
url https://github.com/rack/rack/security/advisories/GHSA-xj5v-6v4g-jfw6
13
reference_url https://security.netapp.com/advisory/ntap-20240510-0007/
reference_id ntap-20240510-0007
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-05T18:23:59Z/
url https://security.netapp.com/advisory/ntap-20240510-0007/
14
reference_url https://access.redhat.com/errata/RHSA-2024:10806
reference_id RHSA-2024:10806
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:10806
15
reference_url https://access.redhat.com/errata/RHSA-2024:1841
reference_id RHSA-2024:1841
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1841
16
reference_url https://access.redhat.com/errata/RHSA-2024:1846
reference_id RHSA-2024:1846
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1846
17
reference_url https://access.redhat.com/errata/RHSA-2024:2007
reference_id RHSA-2024:2007
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2007
18
reference_url https://access.redhat.com/errata/RHSA-2024:2113
reference_id RHSA-2024:2113
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2113
19
reference_url https://access.redhat.com/errata/RHSA-2024:2581
reference_id RHSA-2024:2581
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2581
20
reference_url https://access.redhat.com/errata/RHSA-2024:2584
reference_id RHSA-2024:2584
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2584
21
reference_url https://access.redhat.com/errata/RHSA-2024:2953
reference_id RHSA-2024:2953
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2953
22
reference_url https://access.redhat.com/errata/RHSA-2024:3431
reference_id RHSA-2024:3431
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3431
23
reference_url https://usn.ubuntu.com/6689-1/
reference_id USN-6689-1
reference_type
scores
url https://usn.ubuntu.com/6689-1/
24
reference_url https://usn.ubuntu.com/6837-1/
reference_id USN-6837-1
reference_type
scores
url https://usn.ubuntu.com/6837-1/
25
reference_url https://usn.ubuntu.com/6837-2/
reference_id USN-6837-2
reference_type
scores
url https://usn.ubuntu.com/6837-2/
26
reference_url https://usn.ubuntu.com/7036-1/
reference_id USN-7036-1
reference_type
scores
url https://usn.ubuntu.com/7036-1/
fixed_packages
0
url pkg:gem/rack@3.0.9.1
purl pkg:gem/rack@3.0.9.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-13d1-uyw3-6bb6
1
vulnerability VCID-64cf-ysff-u7bt
2
vulnerability VCID-7jqg-1whb-4kdw
3
vulnerability VCID-8txn-z2vt-7kex
4
vulnerability VCID-9qjs-6tck-47bh
5
vulnerability VCID-b83y-urzk-jqey
6
vulnerability VCID-kake-zbut-cqdk
7
vulnerability VCID-kjyv-r8rk-rqd3
8
vulnerability VCID-q17h-k4dc-rka5
9
vulnerability VCID-xz8w-wefz-bffs
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.9.1
aliases CVE-2024-26141, GHSA-xj5v-6v4g-jfw6
risk_score 2.4
exploitability 0.5
weighted_severity 4.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dsxp-jp3h-g3br
7
url VCID-kake-zbut-cqdk
vulnerability_id VCID-kake-zbut-cqdk
summary
references
0
reference_url https://advisory.dw1.io/61
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://advisory.dw1.io/61
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-39316
reference_id
reference_type
scores
0
value 0.00833
scoring_system epss
scoring_elements 0.74907
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-39316
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
4
reference_url https://github.com/rack/rack/commit/412c980450ca729ee37f90a2661f166a9665e058
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-03T13:50:23Z/
url https://github.com/rack/rack/commit/412c980450ca729ee37f90a2661f166a9665e058
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-39316
reference_id CVE-2024-39316
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-39316
6
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-39316.yml
reference_id CVE-2024-39316.YML
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-39316.yml
7
reference_url https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f
reference_id GHSA-54rr-7fvw-6x8f
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-03T13:50:23Z/
url https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f
8
reference_url https://github.com/advisories/GHSA-cj83-2ww7-mvq7
reference_id GHSA-cj83-2ww7-mvq7
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-cj83-2ww7-mvq7
9
reference_url https://github.com/rack/rack/security/advisories/GHSA-cj83-2ww7-mvq7
reference_id GHSA-cj83-2ww7-mvq7
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements
1
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2024-07-03T13:50:23Z/
url https://github.com/rack/rack/security/advisories/GHSA-cj83-2ww7-mvq7
fixed_packages
0
url pkg:gem/rack@3.1.5
purl pkg:gem/rack@3.1.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-13d1-uyw3-6bb6
1
vulnerability VCID-64cf-ysff-u7bt
2
vulnerability VCID-7jqg-1whb-4kdw
3
vulnerability VCID-8txn-z2vt-7kex
4
vulnerability VCID-9qjs-6tck-47bh
5
vulnerability VCID-b83y-urzk-jqey
6
vulnerability VCID-kake-zbut-cqdk
7
vulnerability VCID-kjyv-r8rk-rqd3
8
vulnerability VCID-q17h-k4dc-rka5
9
vulnerability VCID-xz8w-wefz-bffs
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.5
aliases CVE-2024-39316, GHSA-cj83-2ww7-mvq7
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kake-zbut-cqdk
8
url VCID-kjyv-r8rk-rqd3
vulnerability_id VCID-kjyv-r8rk-rqd3
summary 
Rack has a Possible Information Disclosure Vulnerability
A possible information disclosure vulnerability existed in `Rack::Sendfile` when running behind a proxy that supports `x-sendfile` headers (such as Nginx). Specially crafted headers could cause `Rack::Sendfile` to miscommunicate with the proxy and trigger unintended internal requests, potentially bypassing proxy-level access restrictions.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61780.json
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61780.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-61780
reference_id
reference_type
scores
0
value 0.00011
scoring_system epss
scoring_elements 0.01464
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-61780
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
4
reference_url https://github.com/rack/rack/commit/57277b7741581fa827472c5c666f6e6a33abd784
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:34:55Z/
url https://github.com/rack/rack/commit/57277b7741581fa827472c5c666f6e6a33abd784
5
reference_url https://github.com/rack/rack/commit/7e69f65eefe9cd2868df9f9f3b0977b86f93523a
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:34:55Z/
url https://github.com/rack/rack/commit/7e69f65eefe9cd2868df9f9f3b0977b86f93523a
6
reference_url https://github.com/rack/rack/commit/fba2c8bc63eb787ff4b19bc612d315fda6126d85
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:34:55Z/
url https://github.com/rack/rack/commit/fba2c8bc63eb787ff4b19bc612d315fda6126d85
7
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117855
reference_id 1117855
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117855
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2403126
reference_id 2403126
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2403126
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-61780
reference_id CVE-2025-61780
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-61780
10
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61780.yml
reference_id CVE-2025-61780.YML
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61780.yml
11
reference_url https://github.com/advisories/GHSA-r657-rxjc-j557
reference_id GHSA-r657-rxjc-j557
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-r657-rxjc-j557
12
reference_url https://github.com/rack/rack/security/advisories/GHSA-r657-rxjc-j557
reference_id GHSA-r657-rxjc-j557
reference_type
scores
0
value 5.8
scoring_system cvssv3
scoring_elements
1
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:34:55Z/
url https://github.com/rack/rack/security/advisories/GHSA-r657-rxjc-j557
13
reference_url https://usn.ubuntu.com/7960-1/
reference_id USN-7960-1
reference_type
scores
url https://usn.ubuntu.com/7960-1/
fixed_packages
0
url pkg:gem/rack@3.1.18
purl pkg:gem/rack@3.1.18
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-13d1-uyw3-6bb6
1
vulnerability VCID-xz8w-wefz-bffs
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.18
1
url pkg:gem/rack@3.2.3
purl pkg:gem/rack@3.2.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-13d1-uyw3-6bb6
1
vulnerability VCID-xz8w-wefz-bffs
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.3
aliases CVE-2025-61780, GHSA-r657-rxjc-j557
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-kjyv-r8rk-rqd3
9
url VCID-q17h-k4dc-rka5
vulnerability_id VCID-q17h-k4dc-rka5
summary 
Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing
`Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61919.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61919.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-61919
reference_id
reference_type
scores
0
value 0.00282
scoring_system epss
scoring_elements 0.51775
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-61919
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
4
reference_url https://github.com/rack/rack/commit/4e2c903991a790ee211a3021808ff4fd6fe82881
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:48:10Z/
url https://github.com/rack/rack/commit/4e2c903991a790ee211a3021808ff4fd6fe82881
5
reference_url https://github.com/rack/rack/commit/cbd541e8a3d0c5830a3c9a30d3718ce2e124f9db
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:48:10Z/
url https://github.com/rack/rack/commit/cbd541e8a3d0c5830a3c9a30d3718ce2e124f9db
6
reference_url https://github.com/rack/rack/commit/e179614c4a653283286f5f046428cbb85f21146f
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:48:10Z/
url https://github.com/rack/rack/commit/e179614c4a653283286f5f046428cbb85f21146f
7
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117856
reference_id 1117856
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117856
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2403180
reference_id 2403180
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2403180
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-61919
reference_id CVE-2025-61919
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-61919
10
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61919.yml
reference_id CVE-2025-61919.YML
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61919.yml
11
reference_url https://github.com/advisories/GHSA-6xw4-3v39-52mm
reference_id GHSA-6xw4-3v39-52mm
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6xw4-3v39-52mm
12
reference_url https://github.com/rack/rack/security/advisories/GHSA-6xw4-3v39-52mm
reference_id GHSA-6xw4-3v39-52mm
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:48:10Z/
url https://github.com/rack/rack/security/advisories/GHSA-6xw4-3v39-52mm
13
reference_url https://access.redhat.com/errata/RHSA-2025:19512
reference_id RHSA-2025:19512
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19512
14
reference_url https://access.redhat.com/errata/RHSA-2025:19513
reference_id RHSA-2025:19513
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19513
15
reference_url https://access.redhat.com/errata/RHSA-2025:19647
reference_id RHSA-2025:19647
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19647
16
reference_url https://access.redhat.com/errata/RHSA-2025:19719
reference_id RHSA-2025:19719
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19719
17
reference_url https://access.redhat.com/errata/RHSA-2025:19733
reference_id RHSA-2025:19733
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19733
18
reference_url https://access.redhat.com/errata/RHSA-2025:19734
reference_id RHSA-2025:19734
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19734
19
reference_url https://access.redhat.com/errata/RHSA-2025:19736
reference_id RHSA-2025:19736
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19736
20
reference_url https://access.redhat.com/errata/RHSA-2025:19800
reference_id RHSA-2025:19800
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19800
21
reference_url https://access.redhat.com/errata/RHSA-2025:19832
reference_id RHSA-2025:19832
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19832
22
reference_url https://access.redhat.com/errata/RHSA-2025:19855
reference_id RHSA-2025:19855
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19855
23
reference_url https://access.redhat.com/errata/RHSA-2025:19856
reference_id RHSA-2025:19856
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19856
24
reference_url https://access.redhat.com/errata/RHSA-2025:19948
reference_id RHSA-2025:19948
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19948
25
reference_url https://access.redhat.com/errata/RHSA-2025:20962
reference_id RHSA-2025:20962
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:20962
26
reference_url https://access.redhat.com/errata/RHSA-2025:21036
reference_id RHSA-2025:21036
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:21036
27
reference_url https://access.redhat.com/errata/RHSA-2025:21696
reference_id RHSA-2025:21696
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:21696
28
reference_url https://usn.ubuntu.com/7960-1/
reference_id USN-7960-1
reference_type
scores
url https://usn.ubuntu.com/7960-1/
fixed_packages
0
url pkg:gem/rack@3.1.18
purl pkg:gem/rack@3.1.18
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-13d1-uyw3-6bb6
1
vulnerability VCID-xz8w-wefz-bffs
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.18
1
url pkg:gem/rack@3.2.3
purl pkg:gem/rack@3.2.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-13d1-uyw3-6bb6
1
vulnerability VCID-xz8w-wefz-bffs
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.3
aliases CVE-2025-61919, GHSA-6xw4-3v39-52mm
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-q17h-k4dc-rka5
10
url VCID-qntj-y8n6-buh7
vulnerability_id VCID-qntj-y8n6-buh7
summary 
Rack Header Parsing leads to Possible Denial of Service Vulnerability
# Possible Denial of Service Vulnerability in Rack Header Parsing

There is a possible denial of service vulnerability in the header parsing
routines in Rack.  This vulnerability has been assigned the CVE identifier
CVE-2024-26146.

Versions Affected:  All.
Not affected:       None
Fixed Versions:     2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1

Impact
------
Carefully crafted headers can cause header parsing in Rack to take longer than
expected resulting in a possible denial of service issue. Accept and Forwarded
headers are impacted.

Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2
or newer are unaffected.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
There are no feasible workarounds for this issue.

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

* 2-0-header-redos.patch - Patch for 2.0 series
* 2-1-header-redos.patch - Patch for 2.1 series
* 2-2-header-redos.patch - Patch for 2.2 series
* 3-0-header-redos.patch - Patch for 3.0 series

Credits
-------

Thanks to [svalkanov](https://hackerone.com/svalkanov) for reporting this and
providing patches!
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26146.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26146.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2024-26146
reference_id
reference_type
scores
0
value 0.00775
scoring_system epss
scoring_elements 0.73912
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2024-26146
2
reference_url https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/
url https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/
url https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716
6
reference_url https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/
url https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582
7
reference_url https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/
url https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f
8
reference_url https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/
url https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd
9
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064516
reference_id 1064516
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064516
10
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2265595
reference_id 2265595
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2265595
11
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-26146
reference_id CVE-2024-26146
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-26146
12
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml
reference_id CVE-2024-26146.YML
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml
13
reference_url https://github.com/advisories/GHSA-54rr-7fvw-6x8f
reference_id GHSA-54rr-7fvw-6x8f
reference_type
scores
0
value LOW
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-54rr-7fvw-6x8f
14
reference_url https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f
reference_id GHSA-54rr-7fvw-6x8f
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value LOW
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/
url https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f
15
reference_url https://security.netapp.com/advisory/ntap-20240510-0006/
reference_id ntap-20240510-0006
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/
url https://security.netapp.com/advisory/ntap-20240510-0006/
16
reference_url https://access.redhat.com/errata/RHSA-2024:10806
reference_id RHSA-2024:10806
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:10806
17
reference_url https://access.redhat.com/errata/RHSA-2024:1841
reference_id RHSA-2024:1841
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1841
18
reference_url https://access.redhat.com/errata/RHSA-2024:1846
reference_id RHSA-2024:1846
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1846
19
reference_url https://access.redhat.com/errata/RHSA-2024:2007
reference_id RHSA-2024:2007
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2007
20
reference_url https://access.redhat.com/errata/RHSA-2024:2113
reference_id RHSA-2024:2113
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2113
21
reference_url https://access.redhat.com/errata/RHSA-2024:2581
reference_id RHSA-2024:2581
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2581
22
reference_url https://access.redhat.com/errata/RHSA-2024:2584
reference_id RHSA-2024:2584
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2584
23
reference_url https://access.redhat.com/errata/RHSA-2024:2953
reference_id RHSA-2024:2953
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2953
24
reference_url https://access.redhat.com/errata/RHSA-2024:3431
reference_id RHSA-2024:3431
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3431
25
reference_url https://usn.ubuntu.com/6689-1/
reference_id USN-6689-1
reference_type
scores
url https://usn.ubuntu.com/6689-1/
26
reference_url https://usn.ubuntu.com/6837-1/
reference_id USN-6837-1
reference_type
scores
url https://usn.ubuntu.com/6837-1/
27
reference_url https://usn.ubuntu.com/6837-2/
reference_id USN-6837-2
reference_type
scores
url https://usn.ubuntu.com/6837-2/
28
reference_url https://usn.ubuntu.com/7036-1/
reference_id USN-7036-1
reference_type
scores
url https://usn.ubuntu.com/7036-1/
fixed_packages
0
url pkg:gem/rack@3.0.9.1
purl pkg:gem/rack@3.0.9.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-13d1-uyw3-6bb6
1
vulnerability VCID-64cf-ysff-u7bt
2
vulnerability VCID-7jqg-1whb-4kdw
3
vulnerability VCID-8txn-z2vt-7kex
4
vulnerability VCID-9qjs-6tck-47bh
5
vulnerability VCID-b83y-urzk-jqey
6
vulnerability VCID-kake-zbut-cqdk
7
vulnerability VCID-kjyv-r8rk-rqd3
8
vulnerability VCID-q17h-k4dc-rka5
9
vulnerability VCID-xz8w-wefz-bffs
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.9.1
aliases CVE-2024-26146, GHSA-54rr-7fvw-6x8f
risk_score 2.4
exploitability 0.5
weighted_severity 4.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-qntj-y8n6-buh7
11
url VCID-xz8w-wefz-bffs
vulnerability_id VCID-xz8w-wefz-bffs
summary 
Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href
`Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename begins with the `javascript:` scheme (e.g. `javascript:alert(1)`), the generated index includes an anchor whose `href` attribute is exactly `javascript:alert(1)`. Clicking this entry executes arbitrary JavaScript in the context of the hosting application.

This results in a client-side XSS condition in directory listings generated by `Rack::Directory`.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25500.json
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25500.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2026-25500
reference_id
reference_type
scores
0
value 0.00025
scoring_system epss
scoring_elements 0.07548
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2026-25500
2
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
3
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
4
reference_url https://github.com/rack/rack/commit/f2f225f297b99fbee3d9f51255d41f601fc40aff
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-18T19:42:04Z/
url https://github.com/rack/rack/commit/f2f225f297b99fbee3d9f51255d41f601fc40aff
5
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128480
reference_id 1128480
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128480
6
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2440738
reference_id 2440738
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2440738
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25500
reference_id CVE-2026-25500
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25500
8
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-25500.yml
reference_id CVE-2026-25500.YML
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-25500.yml
9
reference_url https://github.com/advisories/GHSA-whrj-4476-wvmp
reference_id GHSA-whrj-4476-wvmp
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-whrj-4476-wvmp
10
reference_url https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp
reference_id GHSA-whrj-4476-wvmp
reference_type
scores
0
value 5.4
scoring_system cvssv3
scoring_elements
1
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-18T19:42:04Z/
url https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp
11
reference_url https://usn.ubuntu.com/8066-1/
reference_id USN-8066-1
reference_type
scores
url https://usn.ubuntu.com/8066-1/
fixed_packages
0
url pkg:gem/rack@3.1.20
purl pkg:gem/rack@3.1.20
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-13d1-uyw3-6bb6
1
vulnerability VCID-xz8w-wefz-bffs
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.20
1
url pkg:gem/rack@3.2.5
purl pkg:gem/rack@3.2.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-13d1-uyw3-6bb6
1
vulnerability VCID-xz8w-wefz-bffs
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.5
aliases CVE-2026-25500, GHSA-whrj-4476-wvmp
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xz8w-wefz-bffs
Fixing_vulnerabilities
0
url VCID-peyq-bpa7-zkaj
vulnerability_id VCID-peyq-bpa7-zkaj
summary 
Possible Denial of Service Vulnerability in Rack’s header parsing
There is a denial of service vulnerability in the header parsing component of Rack. Carefully crafted input can cause header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse headers using Rack (virtually all Rails applications) are impacted. Workarounds Setting `Regexp.timeout` in Ruby 3.2 is a possible workaround.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-27539.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-27539.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2023-27539
reference_id
reference_type
scores
0
value 0.00364
scoring_system epss
scoring_elements 0.58732
published_at 2026-05-30T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2023-27539
2
reference_url https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/
url https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://github.com/rack/rack/commit/231ef369ad0b542575fb36c74fcfcfabcf6c530c
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/
url https://github.com/rack/rack/commit/231ef369ad0b542575fb36c74fcfcfabcf6c530c
6
reference_url https://github.com/rack/rack/commit/ee7919ea04303717858be1c3f16b406adc6d8cff
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/
url https://github.com/rack/rack/commit/ee7919ea04303717858be1c3f16b406adc6d8cff
7
reference_url https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/
url https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html
8
reference_url https://security.netapp.com/advisory/ntap-20231208-0016
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20231208-0016
9
reference_url https://www.debian.org/security/2023/dsa-5530
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/
url https://www.debian.org/security/2023/dsa-5530
10
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033264
reference_id 1033264
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033264
11
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2179649
reference_id 2179649
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2179649
12
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-27539
reference_id CVE-2023-27539
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-27539
13
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2023-27539.yml
reference_id CVE-2023-27539.YML
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2023-27539.yml
14
reference_url https://github.com/advisories/GHSA-c6qg-cjj8-47qp
reference_id GHSA-c6qg-cjj8-47qp
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value LOW
scoring_system cvssv3.1_qr
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/
url https://github.com/advisories/GHSA-c6qg-cjj8-47qp
15
reference_url https://security.netapp.com/advisory/ntap-20231208-0016/
reference_id ntap-20231208-0016
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
1
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/
url https://security.netapp.com/advisory/ntap-20231208-0016/
16
reference_url https://access.redhat.com/errata/RHSA-2023:1953
reference_id RHSA-2023:1953
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:1953
17
reference_url https://access.redhat.com/errata/RHSA-2023:1961
reference_id RHSA-2023:1961
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:1961
18
reference_url https://access.redhat.com/errata/RHSA-2023:1981
reference_id RHSA-2023:1981
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:1981
19
reference_url https://access.redhat.com/errata/RHSA-2023:2652
reference_id RHSA-2023:2652
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:2652
20
reference_url https://access.redhat.com/errata/RHSA-2023:3082
reference_id RHSA-2023:3082
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:3082
21
reference_url https://access.redhat.com/errata/RHSA-2023:3403
reference_id RHSA-2023:3403
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:3403
22
reference_url https://access.redhat.com/errata/RHSA-2023:3495
reference_id RHSA-2023:3495
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:3495
23
reference_url https://access.redhat.com/errata/RHSA-2023:6818
reference_id RHSA-2023:6818
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:6818
24
reference_url https://usn.ubuntu.com/6689-1/
reference_id USN-6689-1
reference_type
scores
url https://usn.ubuntu.com/6689-1/
25
reference_url https://usn.ubuntu.com/6905-1/
reference_id USN-6905-1
reference_type
scores
url https://usn.ubuntu.com/6905-1/
26
reference_url https://usn.ubuntu.com/7036-1/
reference_id USN-7036-1
reference_type
scores
url https://usn.ubuntu.com/7036-1/
fixed_packages
0
url pkg:gem/rack@2.2.6.4
purl pkg:gem/rack@2.2.6.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-13d1-uyw3-6bb6
1
vulnerability VCID-64cf-ysff-u7bt
2
vulnerability VCID-7jqg-1whb-4kdw
3
vulnerability VCID-8txn-z2vt-7kex
4
vulnerability VCID-9qjs-6tck-47bh
5
vulnerability VCID-b83y-urzk-jqey
6
vulnerability VCID-dsxp-jp3h-g3br
7
vulnerability VCID-e3dc-w7sc-9kaj
8
vulnerability VCID-kake-zbut-cqdk
9
vulnerability VCID-kjyv-r8rk-rqd3
10
vulnerability VCID-q17h-k4dc-rka5
11
vulnerability VCID-qntj-y8n6-buh7
12
vulnerability VCID-xz8w-wefz-bffs
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.6.4
1
url pkg:gem/rack@3.0.6.1
purl pkg:gem/rack@3.0.6.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-13d1-uyw3-6bb6
1
vulnerability VCID-64cf-ysff-u7bt
2
vulnerability VCID-7jqg-1whb-4kdw
3
vulnerability VCID-8txn-z2vt-7kex
4
vulnerability VCID-9qjs-6tck-47bh
5
vulnerability VCID-b83y-urzk-jqey
6
vulnerability VCID-dsxp-jp3h-g3br
7
vulnerability VCID-kake-zbut-cqdk
8
vulnerability VCID-kjyv-r8rk-rqd3
9
vulnerability VCID-q17h-k4dc-rka5
10
vulnerability VCID-qntj-y8n6-buh7
11
vulnerability VCID-xz8w-wefz-bffs
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.6.1
aliases CVE-2023-27539, GHSA-c6qg-cjj8-47qp, GMS-2023-769
risk_score 2.4
exploitability 0.5
weighted_severity 4.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-peyq-bpa7-zkaj
Risk_scorenull
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.6.1