Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:gem/rack@3.0
Typegem
Namespace
Namerack
Version3.0
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version3.1.20
Latest_non_vulnerable_version3.2.6
Affected_by_vulnerabilities
0
url VCID-47ja-djzb-2bbw
vulnerability_id VCID-47ja-djzb-2bbw
summary 
Rack has an Unbounded-Parameter DoS in Rack::QueryParser
## Summary

`Rack::QueryParser` parses query strings and `application/x-www-form-urlencoded` bodies into Ruby data structures without imposing any limit on the number of parameters, allowing attackers to send requests with extremely large numbers of parameters.

## Details

The vulnerability arises because `Rack::QueryParser` iterates over each `&`-separated key-value pair and adds it to a Hash without enforcing an upper bound on the total number of parameters. This allows an attacker to send a single request containing hundreds of thousands (or more) of parameters, which consumes excessive memory and CPU during parsing.

## Impact

An attacker can trigger denial of service by sending specifically crafted HTTP requests, which can cause memory exhaustion or pin CPU resources, stalling or crashing the Rack server. This results in full service disruption until the affected worker is restarted.

## Mitigation

- Update to a version of Rack that limits the number of parameters parsed, or
- Use middleware to enforce a maximum query string size or parameter count, or
- Employ a reverse proxy (such as Nginx) to limit request sizes and reject oversized query strings or bodies.

Limiting request body sizes and query string lengths at the web server or CDN level is an effective mitigation.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-46727.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-46727.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-46727
reference_id
reference_type
scores
0
value 0.00808
scoring_system epss
scoring_elements 0.74275
published_at 2026-04-24T12:55:00Z
1
value 0.00808
scoring_system epss
scoring_elements 0.74158
published_at 2026-04-02T12:55:00Z
2
value 0.00808
scoring_system epss
scoring_elements 0.74185
published_at 2026-04-04T12:55:00Z
3
value 0.00808
scoring_system epss
scoring_elements 0.74157
published_at 2026-04-07T12:55:00Z
4
value 0.00808
scoring_system epss
scoring_elements 0.7419
published_at 2026-04-08T12:55:00Z
5
value 0.00808
scoring_system epss
scoring_elements 0.74205
published_at 2026-04-09T12:55:00Z
6
value 0.00808
scoring_system epss
scoring_elements 0.74227
published_at 2026-04-11T12:55:00Z
7
value 0.00808
scoring_system epss
scoring_elements 0.74209
published_at 2026-04-12T12:55:00Z
8
value 0.00808
scoring_system epss
scoring_elements 0.74202
published_at 2026-04-13T12:55:00Z
9
value 0.00808
scoring_system epss
scoring_elements 0.74239
published_at 2026-04-16T12:55:00Z
10
value 0.00808
scoring_system epss
scoring_elements 0.74249
published_at 2026-04-18T12:55:00Z
11
value 0.00808
scoring_system epss
scoring_elements 0.74241
published_at 2026-04-21T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-46727
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-46727
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-46727
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://github.com/rack/rack/commit/2bb5263b464b65ba4b648996a579dbd180d2b712
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T14:00:33Z/
url https://github.com/rack/rack/commit/2bb5263b464b65ba4b648996a579dbd180d2b712
6
reference_url https://github.com/rack/rack/commit/3f5a4249118d09d199fe480466c8c6717e43b6e3
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T14:00:33Z/
url https://github.com/rack/rack/commit/3f5a4249118d09d199fe480466c8c6717e43b6e3
7
reference_url https://github.com/rack/rack/commit/cd6b70a1f2a1016b73dc906f924869f4902c2d74
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T14:00:33Z/
url https://github.com/rack/rack/commit/cd6b70a1f2a1016b73dc906f924869f4902c2d74
8
reference_url https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-05-08T14:00:33Z/
url https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx
9
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-46727.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-46727.yml
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-46727
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-46727
11
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104927
reference_id 1104927
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1104927
12
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2364966
reference_id 2364966
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2364966
13
reference_url https://github.com/advisories/GHSA-gjh7-p2fx-99vx
reference_id GHSA-gjh7-p2fx-99vx
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-gjh7-p2fx-99vx
14
reference_url https://access.redhat.com/errata/RHSA-2025:7604
reference_id RHSA-2025:7604
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:7604
15
reference_url https://access.redhat.com/errata/RHSA-2025:7605
reference_id RHSA-2025:7605
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:7605
16
reference_url https://access.redhat.com/errata/RHSA-2025:8254
reference_id RHSA-2025:8254
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:8254
17
reference_url https://access.redhat.com/errata/RHSA-2025:8256
reference_id RHSA-2025:8256
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:8256
18
reference_url https://access.redhat.com/errata/RHSA-2025:8279
reference_id RHSA-2025:8279
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:8279
19
reference_url https://access.redhat.com/errata/RHSA-2025:8288
reference_id RHSA-2025:8288
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:8288
20
reference_url https://access.redhat.com/errata/RHSA-2025:8289
reference_id RHSA-2025:8289
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:8289
21
reference_url https://access.redhat.com/errata/RHSA-2025:8290
reference_id RHSA-2025:8290
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:8290
22
reference_url https://access.redhat.com/errata/RHSA-2025:8291
reference_id RHSA-2025:8291
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:8291
23
reference_url https://access.redhat.com/errata/RHSA-2025:8319
reference_id RHSA-2025:8319
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:8319
24
reference_url https://access.redhat.com/errata/RHSA-2025:8322
reference_id RHSA-2025:8322
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:8322
25
reference_url https://access.redhat.com/errata/RHSA-2025:8323
reference_id RHSA-2025:8323
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:8323
26
reference_url https://access.redhat.com/errata/RHSA-2025:9838
reference_id RHSA-2025:9838
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:9838
27
reference_url https://usn.ubuntu.com/7507-1/
reference_id USN-7507-1
reference_type
scores
url https://usn.ubuntu.com/7507-1/
fixed_packages
0
url pkg:gem/rack@3.0.16
purl pkg:gem/rack@3.0.16
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7wvj-9h3p-23am
1
vulnerability VCID-9rpp-9xss-duf6
2
vulnerability VCID-azu5-jcmd-3ufx
3
vulnerability VCID-c5sc-7qnn-mkb9
4
vulnerability VCID-d58r-22kr-9bct
5
vulnerability VCID-npag-sz7d-v7b6
6
vulnerability VCID-s971-gkdg-jkhc
7
vulnerability VCID-skxv-7he3-xqgc
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.16
1
url pkg:gem/rack@3.1.14
purl pkg:gem/rack@3.1.14
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-7wvj-9h3p-23am
1
vulnerability VCID-9rpp-9xss-duf6
2
vulnerability VCID-azu5-jcmd-3ufx
3
vulnerability VCID-c5sc-7qnn-mkb9
4
vulnerability VCID-d58r-22kr-9bct
5
vulnerability VCID-npag-sz7d-v7b6
6
vulnerability VCID-s971-gkdg-jkhc
7
vulnerability VCID-skxv-7he3-xqgc
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.14
aliases CVE-2025-46727, GHSA-gjh7-p2fx-99vx
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-47ja-djzb-2bbw
1
url VCID-7p12-ejdu-uqgy
vulnerability_id VCID-7p12-ejdu-uqgy
summary 
Escape Sequence Injection vulnerability in Rack lead to Possible Log Injection
## Summary

`Rack::Sendfile` can be exploited by crafting input that includes newline characters to manipulate log entries.

## Details

The `Rack::Sendfile` middleware logs unsanitized header values from the `X-Sendfile-Type` header. An attacker can exploit this by injecting escape sequences (such as newline characters) into the header, resulting in log injection.

## Impact

This vulnerability can distort log files, obscure attack traces, and complicate security auditing.

## Mitigation

- Update to the latest version of Rack, or
- Remove usage of `Rack::Sendfile`.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27111.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27111.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-27111
reference_id
reference_type
scores
0
value 0.00429
scoring_system epss
scoring_elements 0.62496
published_at 2026-04-09T12:55:00Z
1
value 0.00429
scoring_system epss
scoring_elements 0.62516
published_at 2026-04-11T12:55:00Z
2
value 0.00429
scoring_system epss
scoring_elements 0.6248
published_at 2026-04-08T12:55:00Z
3
value 0.00429
scoring_system epss
scoring_elements 0.62429
published_at 2026-04-07T12:55:00Z
4
value 0.00429
scoring_system epss
scoring_elements 0.62462
published_at 2026-04-04T12:55:00Z
5
value 0.00429
scoring_system epss
scoring_elements 0.62431
published_at 2026-04-02T12:55:00Z
6
value 0.00575
scoring_system epss
scoring_elements 0.68747
published_at 2026-04-13T12:55:00Z
7
value 0.00604
scoring_system epss
scoring_elements 0.6959
published_at 2026-04-12T12:55:00Z
8
value 0.00668
scoring_system epss
scoring_elements 0.71305
published_at 2026-04-21T12:55:00Z
9
value 0.00668
scoring_system epss
scoring_elements 0.71326
published_at 2026-04-18T12:55:00Z
10
value 0.00668
scoring_system epss
scoring_elements 0.7132
published_at 2026-04-16T12:55:00Z
11
value 0.008
scoring_system epss
scoring_elements 0.74135
published_at 2026-04-24T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-27111
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27111
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27111
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://github.com/rack/rack/commit/803aa221e8302719715e224f4476e438f2531a53
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-04T15:44:28Z/
url https://github.com/rack/rack/commit/803aa221e8302719715e224f4476e438f2531a53
6
reference_url https://github.com/rack/rack/commit/aeac570bb8080ca7b53b7f2e2f67498be7ebd30b
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-04T15:44:28Z/
url https://github.com/rack/rack/commit/aeac570bb8080ca7b53b7f2e2f67498be7ebd30b
7
reference_url https://github.com/rack/rack/commit/b13bc6bfc7506aca3478dc5ac1c2ec6fc53f82a3
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-04T15:44:28Z/
url https://github.com/rack/rack/commit/b13bc6bfc7506aca3478dc5ac1c2ec6fc53f82a3
8
reference_url https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v
reference_id
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
1
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
2
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-04T15:44:28Z/
url https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v
9
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-27111.yml
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-27111.yml
10
reference_url https://lists.debian.org/debian-lts-announce/2025/03/msg00016.html
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/03/msg00016.html
11
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-27111
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-27111
12
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1099546
reference_id 1099546
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1099546
13
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2349810
reference_id 2349810
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2349810
14
reference_url https://github.com/advisories/GHSA-8cgq-6mh2-7j6v
reference_id GHSA-8cgq-6mh2-7j6v
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-8cgq-6mh2-7j6v
15
reference_url https://usn.ubuntu.com/7366-1/
reference_id USN-7366-1
reference_type
scores
url https://usn.ubuntu.com/7366-1/
16
reference_url https://usn.ubuntu.com/7366-2/
reference_id USN-7366-2
reference_type
scores
url https://usn.ubuntu.com/7366-2/
fixed_packages
0
url pkg:gem/rack@3.0.13
purl pkg:gem/rack@3.0.13
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-47ja-djzb-2bbw
1
vulnerability VCID-7wvj-9h3p-23am
2
vulnerability VCID-9rpp-9xss-duf6
3
vulnerability VCID-azu5-jcmd-3ufx
4
vulnerability VCID-c5sc-7qnn-mkb9
5
vulnerability VCID-d58r-22kr-9bct
6
vulnerability VCID-npag-sz7d-v7b6
7
vulnerability VCID-s971-gkdg-jkhc
8
vulnerability VCID-skxv-7he3-xqgc
9
vulnerability VCID-wt7k-s1yd-nke6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.13
1
url pkg:gem/rack@3.1.11
purl pkg:gem/rack@3.1.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-47ja-djzb-2bbw
1
vulnerability VCID-7wvj-9h3p-23am
2
vulnerability VCID-9rpp-9xss-duf6
3
vulnerability VCID-azu5-jcmd-3ufx
4
vulnerability VCID-c5sc-7qnn-mkb9
5
vulnerability VCID-d58r-22kr-9bct
6
vulnerability VCID-npag-sz7d-v7b6
7
vulnerability VCID-s971-gkdg-jkhc
8
vulnerability VCID-skxv-7he3-xqgc
9
vulnerability VCID-wt7k-s1yd-nke6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.11
aliases CVE-2025-27111, GHSA-8cgq-6mh2-7j6v
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7p12-ejdu-uqgy
2
url VCID-d58r-22kr-9bct
vulnerability_id VCID-d58r-22kr-9bct
summary 
Rack has a Possible Information Disclosure Vulnerability
A possible information disclosure vulnerability existed in `Rack::Sendfile` when running behind a proxy that supports `x-sendfile` headers (such as Nginx). Specially crafted headers could cause `Rack::Sendfile` to miscommunicate with the proxy and trigger unintended internal requests, potentially bypassing proxy-level access restrictions.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61780.json
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61780.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-61780
reference_id
reference_type
scores
0
value 0.00035
scoring_system epss
scoring_elements 0.10351
published_at 2026-04-24T12:55:00Z
1
value 0.00035
scoring_system epss
scoring_elements 0.10369
published_at 2026-04-21T12:55:00Z
2
value 0.00035
scoring_system epss
scoring_elements 0.10238
published_at 2026-04-18T12:55:00Z
3
value 0.00035
scoring_system epss
scoring_elements 0.10267
published_at 2026-04-16T12:55:00Z
4
value 0.00035
scoring_system epss
scoring_elements 0.10396
published_at 2026-04-13T12:55:00Z
5
value 0.00035
scoring_system epss
scoring_elements 0.10418
published_at 2026-04-12T12:55:00Z
6
value 0.00035
scoring_system epss
scoring_elements 0.10462
published_at 2026-04-11T12:55:00Z
7
value 0.00035
scoring_system epss
scoring_elements 0.10434
published_at 2026-04-09T12:55:00Z
8
value 0.00035
scoring_system epss
scoring_elements 0.10368
published_at 2026-04-08T12:55:00Z
9
value 0.00035
scoring_system epss
scoring_elements 0.10294
published_at 2026-04-07T12:55:00Z
10
value 0.00035
scoring_system epss
scoring_elements 0.10394
published_at 2026-04-04T12:55:00Z
11
value 0.00035
scoring_system epss
scoring_elements 0.10328
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-61780
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61780
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61780
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://github.com/rack/rack/commit/57277b7741581fa827472c5c666f6e6a33abd784
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:34:55Z/
url https://github.com/rack/rack/commit/57277b7741581fa827472c5c666f6e6a33abd784
6
reference_url https://github.com/rack/rack/commit/7e69f65eefe9cd2868df9f9f3b0977b86f93523a
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:34:55Z/
url https://github.com/rack/rack/commit/7e69f65eefe9cd2868df9f9f3b0977b86f93523a
7
reference_url https://github.com/rack/rack/commit/fba2c8bc63eb787ff4b19bc612d315fda6126d85
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:34:55Z/
url https://github.com/rack/rack/commit/fba2c8bc63eb787ff4b19bc612d315fda6126d85
8
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117855
reference_id 1117855
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117855
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2403126
reference_id 2403126
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2403126
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-61780
reference_id CVE-2025-61780
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-61780
11
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61780.yml
reference_id CVE-2025-61780.YML
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61780.yml
12
reference_url https://github.com/advisories/GHSA-r657-rxjc-j557
reference_id GHSA-r657-rxjc-j557
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-r657-rxjc-j557
13
reference_url https://github.com/rack/rack/security/advisories/GHSA-r657-rxjc-j557
reference_id GHSA-r657-rxjc-j557
reference_type
scores
0
value 5.8
scoring_system cvssv3
scoring_elements
1
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value MODERATE
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:34:55Z/
url https://github.com/rack/rack/security/advisories/GHSA-r657-rxjc-j557
14
reference_url https://usn.ubuntu.com/7960-1/
reference_id USN-7960-1
reference_type
scores
url https://usn.ubuntu.com/7960-1/
fixed_packages
0
url pkg:gem/rack@3.1.18
purl pkg:gem/rack@3.1.18
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9rpp-9xss-duf6
1
vulnerability VCID-skxv-7he3-xqgc
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.18
1
url pkg:gem/rack@3.2.3
purl pkg:gem/rack@3.2.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9rpp-9xss-duf6
1
vulnerability VCID-skxv-7he3-xqgc
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.3
aliases CVE-2025-61780, GHSA-r657-rxjc-j557
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-d58r-22kr-9bct
3
url VCID-s971-gkdg-jkhc
vulnerability_id VCID-s971-gkdg-jkhc
summary 
Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing
`Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61919.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61919.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-61919
reference_id
reference_type
scores
0
value 0.00221
scoring_system epss
scoring_elements 0.44632
published_at 2026-04-24T12:55:00Z
1
value 0.00221
scoring_system epss
scoring_elements 0.44713
published_at 2026-04-21T12:55:00Z
2
value 0.00221
scoring_system epss
scoring_elements 0.44784
published_at 2026-04-18T12:55:00Z
3
value 0.00221
scoring_system epss
scoring_elements 0.44791
published_at 2026-04-16T12:55:00Z
4
value 0.00221
scoring_system epss
scoring_elements 0.44737
published_at 2026-04-13T12:55:00Z
5
value 0.00221
scoring_system epss
scoring_elements 0.44735
published_at 2026-04-12T12:55:00Z
6
value 0.00221
scoring_system epss
scoring_elements 0.44767
published_at 2026-04-11T12:55:00Z
7
value 0.00221
scoring_system epss
scoring_elements 0.4475
published_at 2026-04-09T12:55:00Z
8
value 0.00221
scoring_system epss
scoring_elements 0.44748
published_at 2026-04-08T12:55:00Z
9
value 0.00221
scoring_system epss
scoring_elements 0.44695
published_at 2026-04-07T12:55:00Z
10
value 0.00221
scoring_system epss
scoring_elements 0.44756
published_at 2026-04-04T12:55:00Z
11
value 0.00221
scoring_system epss
scoring_elements 0.44736
published_at 2026-04-02T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-61919
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61919
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61919
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://github.com/rack/rack/commit/4e2c903991a790ee211a3021808ff4fd6fe82881
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:48:10Z/
url https://github.com/rack/rack/commit/4e2c903991a790ee211a3021808ff4fd6fe82881
6
reference_url https://github.com/rack/rack/commit/cbd541e8a3d0c5830a3c9a30d3718ce2e124f9db
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:48:10Z/
url https://github.com/rack/rack/commit/cbd541e8a3d0c5830a3c9a30d3718ce2e124f9db
7
reference_url https://github.com/rack/rack/commit/e179614c4a653283286f5f046428cbb85f21146f
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:48:10Z/
url https://github.com/rack/rack/commit/e179614c4a653283286f5f046428cbb85f21146f
8
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117856
reference_id 1117856
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117856
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2403180
reference_id 2403180
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2403180
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-61919
reference_id CVE-2025-61919
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-61919
11
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61919.yml
reference_id CVE-2025-61919.YML
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61919.yml
12
reference_url https://github.com/advisories/GHSA-6xw4-3v39-52mm
reference_id GHSA-6xw4-3v39-52mm
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-6xw4-3v39-52mm
13
reference_url https://github.com/rack/rack/security/advisories/GHSA-6xw4-3v39-52mm
reference_id GHSA-6xw4-3v39-52mm
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:48:10Z/
url https://github.com/rack/rack/security/advisories/GHSA-6xw4-3v39-52mm
14
reference_url https://access.redhat.com/errata/RHSA-2025:19512
reference_id RHSA-2025:19512
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19512
15
reference_url https://access.redhat.com/errata/RHSA-2025:19513
reference_id RHSA-2025:19513
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19513
16
reference_url https://access.redhat.com/errata/RHSA-2025:19647
reference_id RHSA-2025:19647
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19647
17
reference_url https://access.redhat.com/errata/RHSA-2025:19719
reference_id RHSA-2025:19719
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19719
18
reference_url https://access.redhat.com/errata/RHSA-2025:19733
reference_id RHSA-2025:19733
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19733
19
reference_url https://access.redhat.com/errata/RHSA-2025:19734
reference_id RHSA-2025:19734
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19734
20
reference_url https://access.redhat.com/errata/RHSA-2025:19736
reference_id RHSA-2025:19736
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19736
21
reference_url https://access.redhat.com/errata/RHSA-2025:19800
reference_id RHSA-2025:19800
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19800
22
reference_url https://access.redhat.com/errata/RHSA-2025:19832
reference_id RHSA-2025:19832
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19832
23
reference_url https://access.redhat.com/errata/RHSA-2025:19855
reference_id RHSA-2025:19855
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19855
24
reference_url https://access.redhat.com/errata/RHSA-2025:19856
reference_id RHSA-2025:19856
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19856
25
reference_url https://access.redhat.com/errata/RHSA-2025:19948
reference_id RHSA-2025:19948
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19948
26
reference_url https://access.redhat.com/errata/RHSA-2025:20962
reference_id RHSA-2025:20962
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:20962
27
reference_url https://access.redhat.com/errata/RHSA-2025:21036
reference_id RHSA-2025:21036
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:21036
28
reference_url https://access.redhat.com/errata/RHSA-2025:21696
reference_id RHSA-2025:21696
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:21696
29
reference_url https://usn.ubuntu.com/7960-1/
reference_id USN-7960-1
reference_type
scores
url https://usn.ubuntu.com/7960-1/
fixed_packages
0
url pkg:gem/rack@3.1.18
purl pkg:gem/rack@3.1.18
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9rpp-9xss-duf6
1
vulnerability VCID-skxv-7he3-xqgc
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.18
1
url pkg:gem/rack@3.2.3
purl pkg:gem/rack@3.2.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-9rpp-9xss-duf6
1
vulnerability VCID-skxv-7he3-xqgc
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.3
aliases CVE-2025-61919, GHSA-6xw4-3v39-52mm
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-s971-gkdg-jkhc
4
url VCID-w732-52bx-2qf8
vulnerability_id VCID-w732-52bx-2qf8
summary 
Possible Log Injection in Rack::CommonLogger
## Summary

`Rack::CommonLogger` can be exploited by crafting input that includes newline characters to manipulate log entries. The supplied proof-of-concept demonstrates injecting malicious content into logs.

## Details

When a user provides the authorization credentials via `Rack::Auth::Basic`, if success, the username will be put in `env['REMOTE_USER']` and later be used by `Rack::CommonLogger` for logging purposes.

The issue occurs when a server intentionally or unintentionally allows a user creation with the username contain CRLF and white space characters, or the server just want to log every login attempts. If an attacker enters a username with CRLF character, the logger will log the malicious username with CRLF characters into the logfile.

## Impact

Attackers can break log formats or insert fraudulent entries, potentially obscuring real activity or injecting malicious data into log files.

## Mitigation

- Update to the latest version of Rack.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-25184.json
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-25184.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-25184
reference_id
reference_type
scores
0
value 0.00957
scoring_system epss
scoring_elements 0.7651
published_at 2026-04-24T12:55:00Z
1
value 0.01039
scoring_system epss
scoring_elements 0.77416
published_at 2026-04-13T12:55:00Z
2
value 0.01039
scoring_system epss
scoring_elements 0.77375
published_at 2026-04-07T12:55:00Z
3
value 0.01039
scoring_system epss
scoring_elements 0.77446
published_at 2026-04-21T12:55:00Z
4
value 0.01039
scoring_system epss
scoring_elements 0.77454
published_at 2026-04-18T12:55:00Z
5
value 0.01039
scoring_system epss
scoring_elements 0.77455
published_at 2026-04-16T12:55:00Z
6
value 0.01039
scoring_system epss
scoring_elements 0.77405
published_at 2026-04-08T12:55:00Z
7
value 0.01039
scoring_system epss
scoring_elements 0.77414
published_at 2026-04-09T12:55:00Z
8
value 0.01039
scoring_system epss
scoring_elements 0.7744
published_at 2026-04-11T12:55:00Z
9
value 0.01039
scoring_system epss
scoring_elements 0.7742
published_at 2026-04-12T12:55:00Z
10
value 0.01068
scoring_system epss
scoring_elements 0.77658
published_at 2026-04-02T12:55:00Z
11
value 0.01068
scoring_system epss
scoring_elements 0.77685
published_at 2026-04-04T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-25184
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-25184
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-25184
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 4.3
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://github.com/rack/rack/commit/074ae244430cda05c27ca91cda699709cfb3ad8e
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
2
value MODERATE
scoring_system generic_textual
scoring_elements
3
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-12T19:09:07Z/
url https://github.com/rack/rack/commit/074ae244430cda05c27ca91cda699709cfb3ad8e
6
reference_url https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3
scoring_elements
1
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
2
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
3
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
4
value MODERATE
scoring_system generic_textual
scoring_elements
5
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-12T19:09:07Z/
url https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg
7
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-25184.yml
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-25184.yml
8
reference_url https://lists.debian.org/debian-lts-announce/2025/03/msg00016.html
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/03/msg00016.html
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-25184
reference_id
reference_type
scores
0
value 6.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
1
value 5.7
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-25184
10
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098257
reference_id 1098257
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098257
11
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2345301
reference_id 2345301
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2345301
12
reference_url https://github.com/advisories/GHSA-7g2v-jj9q-g3rg
reference_id GHSA-7g2v-jj9q-g3rg
reference_type
scores
0
value MODERATE
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7g2v-jj9q-g3rg
13
reference_url https://access.redhat.com/errata/RHSA-2025:1985
reference_id RHSA-2025:1985
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:1985
14
reference_url https://access.redhat.com/errata/RHSA-2025:7085
reference_id RHSA-2025:7085
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:7085
15
reference_url https://usn.ubuntu.com/7366-1/
reference_id USN-7366-1
reference_type
scores
url https://usn.ubuntu.com/7366-1/
16
reference_url https://usn.ubuntu.com/7366-2/
reference_id USN-7366-2
reference_type
scores
url https://usn.ubuntu.com/7366-2/
fixed_packages
0
url pkg:gem/rack@3.0.12
purl pkg:gem/rack@3.0.12
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-47ja-djzb-2bbw
1
vulnerability VCID-7p12-ejdu-uqgy
2
vulnerability VCID-7wvj-9h3p-23am
3
vulnerability VCID-9rpp-9xss-duf6
4
vulnerability VCID-azu5-jcmd-3ufx
5
vulnerability VCID-c5sc-7qnn-mkb9
6
vulnerability VCID-d58r-22kr-9bct
7
vulnerability VCID-npag-sz7d-v7b6
8
vulnerability VCID-s971-gkdg-jkhc
9
vulnerability VCID-skxv-7he3-xqgc
10
vulnerability VCID-wt7k-s1yd-nke6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.12
1
url pkg:gem/rack@3.1.10
purl pkg:gem/rack@3.1.10
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-47ja-djzb-2bbw
1
vulnerability VCID-7p12-ejdu-uqgy
2
vulnerability VCID-7wvj-9h3p-23am
3
vulnerability VCID-9rpp-9xss-duf6
4
vulnerability VCID-azu5-jcmd-3ufx
5
vulnerability VCID-c5sc-7qnn-mkb9
6
vulnerability VCID-d58r-22kr-9bct
7
vulnerability VCID-npag-sz7d-v7b6
8
vulnerability VCID-s971-gkdg-jkhc
9
vulnerability VCID-skxv-7he3-xqgc
10
vulnerability VCID-wt7k-s1yd-nke6
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.10
aliases CVE-2025-25184, GHSA-7g2v-jj9q-g3rg
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-w732-52bx-2qf8
5
url VCID-wt7k-s1yd-nke6
vulnerability_id VCID-wt7k-s1yd-nke6
summary 
Local File Inclusion in Rack::Static
## Summary

`Rack::Static` can serve files under the specified `root:` even if `urls:` are provided, which may expose other files under the specified `root:` unexpectedly.

## Details

The vulnerability occurs because `Rack::Static` does not properly sanitize user-supplied paths before serving files. Specifically, encoded path traversal sequences are not correctly validated, allowing attackers to access files outside the designated static file directory.

## Impact

By exploiting this vulnerability, an attacker can gain access to all files under the specified `root:` directory, provided they are able to determine then path of the file.

## Mitigation

- Update to the latest version of Rack, or
- Remove usage of `Rack::Static`, or
- Ensure that `root:` points at a directory path which only contains files which should be accessed publicly.

It is likely that a CDN or similar static file server would also mitigate the issue.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27610.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27610.json
1
reference_url https://api.first.org/data/v1/epss?cve=CVE-2025-27610
reference_id
reference_type
scores
0
value 0.00415
scoring_system epss
scoring_elements 0.61611
published_at 2026-04-07T12:55:00Z
1
value 0.00415
scoring_system epss
scoring_elements 0.61659
published_at 2026-04-08T12:55:00Z
2
value 0.00415
scoring_system epss
scoring_elements 0.6164
published_at 2026-04-04T12:55:00Z
3
value 0.00415
scoring_system epss
scoring_elements 0.61706
published_at 2026-04-16T12:55:00Z
4
value 0.00415
scoring_system epss
scoring_elements 0.61664
published_at 2026-04-13T12:55:00Z
5
value 0.00415
scoring_system epss
scoring_elements 0.61684
published_at 2026-04-12T12:55:00Z
6
value 0.00415
scoring_system epss
scoring_elements 0.61695
published_at 2026-04-11T12:55:00Z
7
value 0.00415
scoring_system epss
scoring_elements 0.61674
published_at 2026-04-09T12:55:00Z
8
value 0.00518
scoring_system epss
scoring_elements 0.6681
published_at 2026-04-18T12:55:00Z
9
value 0.01416
scoring_system epss
scoring_elements 0.80591
published_at 2026-04-21T12:55:00Z
10
value 0.01694
scoring_system epss
scoring_elements 0.8232
published_at 2026-04-24T12:55:00Z
url https://api.first.org/data/v1/epss?cve=CVE-2025-27610
2
reference_url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27610
reference_id
reference_type
scores
url https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27610
3
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
4
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
5
reference_url https://github.com/rack/rack/commit/50caab74fa01ee8f5dbdee7bb2782126d20c6583
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
2
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-11T15:22:45Z/
url https://github.com/rack/rack/commit/50caab74fa01ee8f5dbdee7bb2782126d20c6583
6
reference_url https://github.com/rack/rack/security/advisories/GHSA-7wqh-767x-r66v
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
3
value HIGH
scoring_system generic_textual
scoring_elements
4
value Track
scoring_system ssvc
scoring_elements SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-11T15:22:45Z/
url https://github.com/rack/rack/security/advisories/GHSA-7wqh-767x-r66v
7
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-27610.yml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-27610.yml
8
reference_url https://lists.debian.org/debian-lts-announce/2025/03/msg00016.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/03/msg00016.html
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-27610
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-27610
10
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100444
reference_id 1100444
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100444
11
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2351231
reference_id 2351231
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2351231
12
reference_url https://github.com/advisories/GHSA-7wqh-767x-r66v
reference_id GHSA-7wqh-767x-r66v
reference_type
scores
0
value HIGH
scoring_system cvssv3.1_qr
scoring_elements
url https://github.com/advisories/GHSA-7wqh-767x-r66v
13
reference_url https://access.redhat.com/errata/RHSA-2025:3448
reference_id RHSA-2025:3448
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:3448
14
reference_url https://access.redhat.com/errata/RHSA-2025:3490
reference_id RHSA-2025:3490
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:3490
15
reference_url https://access.redhat.com/errata/RHSA-2025:3491
reference_id RHSA-2025:3491
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:3491
16
reference_url https://access.redhat.com/errata/RHSA-2025:3492
reference_id RHSA-2025:3492
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:3492
17
reference_url https://access.redhat.com/errata/RHSA-2025:3906
reference_id RHSA-2025:3906
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:3906
18
reference_url https://access.redhat.com/errata/RHSA-2025:4576
reference_id RHSA-2025:4576
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:4576
19
reference_url https://usn.ubuntu.com/7366-1/
reference_id USN-7366-1
reference_type
scores
url https://usn.ubuntu.com/7366-1/
20
reference_url https://usn.ubuntu.com/7366-2/
reference_id USN-7366-2
reference_type
scores
url https://usn.ubuntu.com/7366-2/
fixed_packages
0
url pkg:gem/rack@3.0.14
purl pkg:gem/rack@3.0.14
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-47ja-djzb-2bbw
1
vulnerability VCID-7wvj-9h3p-23am
2
vulnerability VCID-9rpp-9xss-duf6
3
vulnerability VCID-azu5-jcmd-3ufx
4
vulnerability VCID-c5sc-7qnn-mkb9
5
vulnerability VCID-d58r-22kr-9bct
6
vulnerability VCID-npag-sz7d-v7b6
7
vulnerability VCID-s971-gkdg-jkhc
8
vulnerability VCID-skxv-7he3-xqgc
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.14
1
url pkg:gem/rack@3.1.12
purl pkg:gem/rack@3.1.12
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-47ja-djzb-2bbw
1
vulnerability VCID-7wvj-9h3p-23am
2
vulnerability VCID-9rpp-9xss-duf6
3
vulnerability VCID-azu5-jcmd-3ufx
4
vulnerability VCID-c5sc-7qnn-mkb9
5
vulnerability VCID-d58r-22kr-9bct
6
vulnerability VCID-npag-sz7d-v7b6
7
vulnerability VCID-s971-gkdg-jkhc
8
vulnerability VCID-skxv-7he3-xqgc
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.12
aliases CVE-2025-27610, GHSA-7wqh-767x-r66v
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-wt7k-s1yd-nke6
Fixing_vulnerabilities
Risk_score4.0
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0