Django REST framework

Package Instance

Lookup for vulnerable packages by Package URL.

Purlpkg:gem/rack@2.2.6.3
Typegem
Namespace
Namerack
Version2.2.6.3
Qualifiers
Subpath
Is_vulnerabletrue
Next_non_vulnerable_version2.2.23
Latest_non_vulnerable_version3.2.6
Affected_by_vulnerabilities
0
url VCID-3jru-u17n-tyg1
vulnerability_id VCID-3jru-u17n-tyg1
summary 
Rack has a Possible Information Disclosure Vulnerability
A possible information disclosure vulnerability existed in `Rack::Sendfile` when running behind a proxy that supports `x-sendfile` headers (such as Nginx). Specially crafted headers could cause `Rack::Sendfile` to miscommunicate with the proxy and trigger unintended internal requests, potentially bypassing proxy-level access restrictions.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61780.json
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61780.json
1
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
2
reference_url https://github.com/rack/rack/commit/57277b7741581fa827472c5c666f6e6a33abd784
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/commit/57277b7741581fa827472c5c666f6e6a33abd784
3
reference_url https://github.com/rack/rack/commit/7e69f65eefe9cd2868df9f9f3b0977b86f93523a
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/commit/7e69f65eefe9cd2868df9f9f3b0977b86f93523a
4
reference_url https://github.com/rack/rack/commit/fba2c8bc63eb787ff4b19bc612d315fda6126d85
reference_id
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/commit/fba2c8bc63eb787ff4b19bc612d315fda6126d85
5
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117855
reference_id 1117855
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117855
6
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2403126
reference_id 2403126
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2403126
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-61780
reference_id CVE-2025-61780
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-61780
8
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61780.yml
reference_id CVE-2025-61780.YML
reference_type
scores
0
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61780.yml
9
reference_url https://github.com/advisories/GHSA-r657-rxjc-j557
reference_id GHSA-r657-rxjc-j557
reference_type
scores
url https://github.com/advisories/GHSA-r657-rxjc-j557
10
reference_url https://github.com/rack/rack/security/advisories/GHSA-r657-rxjc-j557
reference_id GHSA-r657-rxjc-j557
reference_type
scores
0
value 5.8
scoring_system cvssv3
scoring_elements
1
value 5.8
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/security/advisories/GHSA-r657-rxjc-j557
fixed_packages
0
url pkg:gem/rack@2.2.20
purl pkg:gem/rack@2.2.20
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bj83-rx84-v3g9
1
vulnerability VCID-x373-rhh4-7khm
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.20
1
url pkg:gem/rack@3.1.18
purl pkg:gem/rack@3.1.18
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bj83-rx84-v3g9
1
vulnerability VCID-x373-rhh4-7khm
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.18
2
url pkg:gem/rack@3.2.3
purl pkg:gem/rack@3.2.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bj83-rx84-v3g9
1
vulnerability VCID-x373-rhh4-7khm
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.3
aliases CVE-2025-61780, GHSA-r657-rxjc-j557
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3jru-u17n-tyg1
1
url VCID-52qe-dast-tkhu
vulnerability_id VCID-52qe-dast-tkhu
summary 
Rack Header Parsing leads to Possible Denial of Service Vulnerability
# Possible Denial of Service Vulnerability in Rack Header Parsing

There is a possible denial of service vulnerability in the header parsing
routines in Rack.  This vulnerability has been assigned the CVE identifier
CVE-2024-26146.

Versions Affected:  All.
Not affected:       None
Fixed Versions:     2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1

Impact
------
Carefully crafted headers can cause header parsing in Rack to take longer than
expected resulting in a possible denial of service issue. Accept and Forwarded
headers are impacted.

Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2
or newer are unaffected.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
There are no feasible workarounds for this issue.

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

* 2-0-header-redos.patch - Patch for 2.0 series
* 2-1-header-redos.patch - Patch for 2.1 series
* 2-2-header-redos.patch - Patch for 2.2 series
* 3-0-header-redos.patch - Patch for 3.0 series

Credits
-------

Thanks to [svalkanov](https://hackerone.com/svalkanov) for reporting this and
providing patches!
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26146.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26146.json
1
reference_url https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942
2
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
3
reference_url https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716
4
reference_url https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582
5
reference_url https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f
6
reference_url https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd
7
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064516
reference_id 1064516
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064516
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2265595
reference_id 2265595
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2265595
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-26146
reference_id CVE-2024-26146
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-26146
10
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml
reference_id CVE-2024-26146.YML
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml
11
reference_url https://github.com/advisories/GHSA-54rr-7fvw-6x8f
reference_id GHSA-54rr-7fvw-6x8f
reference_type
scores
url https://github.com/advisories/GHSA-54rr-7fvw-6x8f
12
reference_url https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f
reference_id GHSA-54rr-7fvw-6x8f
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f
13
reference_url https://access.redhat.com/errata/RHSA-2024:10806
reference_id RHSA-2024:10806
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:10806
14
reference_url https://access.redhat.com/errata/RHSA-2024:1841
reference_id RHSA-2024:1841
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1841
15
reference_url https://access.redhat.com/errata/RHSA-2024:1846
reference_id RHSA-2024:1846
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1846
16
reference_url https://access.redhat.com/errata/RHSA-2024:2007
reference_id RHSA-2024:2007
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2007
17
reference_url https://access.redhat.com/errata/RHSA-2024:2113
reference_id RHSA-2024:2113
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2113
18
reference_url https://access.redhat.com/errata/RHSA-2024:2581
reference_id RHSA-2024:2581
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2581
19
reference_url https://access.redhat.com/errata/RHSA-2024:2584
reference_id RHSA-2024:2584
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2584
20
reference_url https://access.redhat.com/errata/RHSA-2024:2953
reference_id RHSA-2024:2953
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2953
21
reference_url https://access.redhat.com/errata/RHSA-2024:3431
reference_id RHSA-2024:3431
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3431
fixed_packages
0
url pkg:gem/rack@2.2.8.1
purl pkg:gem/rack@2.2.8.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3jru-u17n-tyg1
1
vulnerability VCID-7cef-z5qm-afd8
2
vulnerability VCID-amfu-8d25-juhy
3
vulnerability VCID-bj83-rx84-v3g9
4
vulnerability VCID-dss4-6ptr-83av
5
vulnerability VCID-e11g-k7zm-vkhu
6
vulnerability VCID-k8fr-zuyx-yyhg
7
vulnerability VCID-vk15-7qdb-xkh9
8
vulnerability VCID-x373-rhh4-7khm
9
vulnerability VCID-xpa3-1n87-8ucv
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.8.1
1
url pkg:gem/rack@3.0.9.1
purl pkg:gem/rack@3.0.9.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3jru-u17n-tyg1
1
vulnerability VCID-7cef-z5qm-afd8
2
vulnerability VCID-bj83-rx84-v3g9
3
vulnerability VCID-dss4-6ptr-83av
4
vulnerability VCID-e11g-k7zm-vkhu
5
vulnerability VCID-k8fr-zuyx-yyhg
6
vulnerability VCID-vk15-7qdb-xkh9
7
vulnerability VCID-x373-rhh4-7khm
8
vulnerability VCID-xpa3-1n87-8ucv
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.9.1
aliases CVE-2024-26146, GHSA-54rr-7fvw-6x8f
risk_score 2.4
exploitability 0.5
weighted_severity 4.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-52qe-dast-tkhu
2
url VCID-7cef-z5qm-afd8
vulnerability_id VCID-7cef-z5qm-afd8
summary 
ReDoS Vulnerability in Rack::Multipart handle_mime_head
### Summary

There is a denial of service vulnerability in the
Content-Disposition parsing component of Rack. This is very
similar to the previous security issue CVE-2022-44571.

### Details

Carefully crafted input can cause Content-Disposition header
parsing in Rack to take an unexpected amount of time, possibly
resulting in a denial of service attack vector. This header is
used typically used in multipart parsing. Any applications that
parse multipart posts using Rack (virtually all Rails applications)
are impacted.

### Credits

Thanks to [scyoon](https://hackerone.com/scyoon) for reporting
this to the Rails security team
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-49007.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-49007.json
1
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
2
reference_url https://github.com/rack/rack/commit/4795831a0a310c2d31102749e551b38faab6401f
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/commit/4795831a0a310c2d31102749e551b38faab6401f
3
reference_url https://github.com/rack/rack/commit/aed514df37e33907df3c971ed3ca9a0a20ac2901
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/commit/aed514df37e33907df3c971ed3ca9a0a20ac2901
4
reference_url https://github.com/rack/rack/security/advisories/GHSA-47m2-26rw-j2jw
reference_id
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/security/advisories/GHSA-47m2-26rw-j2jw
5
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107363
reference_id 1107363
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107363
6
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2370346
reference_id 2370346
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2370346
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-49007
reference_id CVE-2025-49007
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-49007
8
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-49007.yml
reference_id CVE-2025-49007.YML
reference_type
scores
0
value 6.6
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-49007.yml
9
reference_url https://github.com/advisories/GHSA-47m2-26rw-j2jw
reference_id GHSA-47m2-26rw-j2jw
reference_type
scores
url https://github.com/advisories/GHSA-47m2-26rw-j2jw
fixed_packages
0
url pkg:gem/rack@3.1.16
purl pkg:gem/rack@3.1.16
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3jru-u17n-tyg1
1
vulnerability VCID-7cef-z5qm-afd8
2
vulnerability VCID-bj83-rx84-v3g9
3
vulnerability VCID-dss4-6ptr-83av
4
vulnerability VCID-e11g-k7zm-vkhu
5
vulnerability VCID-k8fr-zuyx-yyhg
6
vulnerability VCID-x373-rhh4-7khm
7
vulnerability VCID-xpa3-1n87-8ucv
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.16
aliases CVE-2025-49007, GHSA-47m2-26rw-j2jw
risk_score 3.4
exploitability 0.5
weighted_severity 6.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7cef-z5qm-afd8
3
url VCID-amfu-8d25-juhy
vulnerability_id VCID-amfu-8d25-juhy
summary 
Rack has an unsafe default in Rack::QueryParser allows params_limit bypass via semicolon-separated parameters
`Rack::QueryParser` in version `< 2.2.18` enforces its `params_limit` only for parameters separated by `&`, while still splitting on both `&` and `;`. As a result, attackers could use `;` separators to bypass the parameter count limit and submit more parameters than intended.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59830.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59830.json
1
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
2
reference_url https://github.com/rack/rack/commit/54e4ffdd5affebcb0c015cc6ae74635c0831ed71
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/commit/54e4ffdd5affebcb0c015cc6ae74635c0831ed71
3
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116431
reference_id 1116431
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116431
4
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2398167
reference_id 2398167
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2398167
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-59830
reference_id CVE-2025-59830
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-59830
6
reference_url https://github.com/advisories/GHSA-625h-95r8-8xpm
reference_id GHSA-625h-95r8-8xpm
reference_type
scores
url https://github.com/advisories/GHSA-625h-95r8-8xpm
7
reference_url https://github.com/rack/rack/security/advisories/GHSA-625h-95r8-8xpm
reference_id GHSA-625h-95r8-8xpm
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/security/advisories/GHSA-625h-95r8-8xpm
8
reference_url https://access.redhat.com/errata/RHSA-2025:19512
reference_id RHSA-2025:19512
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19512
9
reference_url https://access.redhat.com/errata/RHSA-2025:19513
reference_id RHSA-2025:19513
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19513
10
reference_url https://access.redhat.com/errata/RHSA-2025:19647
reference_id RHSA-2025:19647
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19647
11
reference_url https://access.redhat.com/errata/RHSA-2025:19719
reference_id RHSA-2025:19719
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19719
12
reference_url https://access.redhat.com/errata/RHSA-2025:19733
reference_id RHSA-2025:19733
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19733
13
reference_url https://access.redhat.com/errata/RHSA-2025:19734
reference_id RHSA-2025:19734
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19734
14
reference_url https://access.redhat.com/errata/RHSA-2025:19736
reference_id RHSA-2025:19736
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19736
15
reference_url https://access.redhat.com/errata/RHSA-2025:19800
reference_id RHSA-2025:19800
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19800
16
reference_url https://access.redhat.com/errata/RHSA-2025:19832
reference_id RHSA-2025:19832
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19832
17
reference_url https://access.redhat.com/errata/RHSA-2025:19855
reference_id RHSA-2025:19855
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19855
18
reference_url https://access.redhat.com/errata/RHSA-2025:19856
reference_id RHSA-2025:19856
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19856
19
reference_url https://access.redhat.com/errata/RHSA-2025:19948
reference_id RHSA-2025:19948
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19948
20
reference_url https://access.redhat.com/errata/RHSA-2025:20962
reference_id RHSA-2025:20962
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:20962
21
reference_url https://access.redhat.com/errata/RHSA-2025:21036
reference_id RHSA-2025:21036
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:21036
fixed_packages
0
url pkg:gem/rack@2.2.18
purl pkg:gem/rack@2.2.18
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3jru-u17n-tyg1
1
vulnerability VCID-bj83-rx84-v3g9
2
vulnerability VCID-dss4-6ptr-83av
3
vulnerability VCID-e11g-k7zm-vkhu
4
vulnerability VCID-k8fr-zuyx-yyhg
5
vulnerability VCID-x373-rhh4-7khm
6
vulnerability VCID-xpa3-1n87-8ucv
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.18
1
url pkg:gem/rack@3.0.0.beta1
purl pkg:gem/rack@3.0.0.beta1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3jru-u17n-tyg1
1
vulnerability VCID-52qe-dast-tkhu
2
vulnerability VCID-7cef-z5qm-afd8
3
vulnerability VCID-bj83-rx84-v3g9
4
vulnerability VCID-bqpn-m2fh-9kab
5
vulnerability VCID-c9mc-7nts-cfgy
6
vulnerability VCID-dss4-6ptr-83av
7
vulnerability VCID-e11g-k7zm-vkhu
8
vulnerability VCID-ebb6-b5tx-5bhf
9
vulnerability VCID-heu4-cd3d-73ck
10
vulnerability VCID-hpw3-uw3x-mqgq
11
vulnerability VCID-k8fr-zuyx-yyhg
12
vulnerability VCID-pydr-47y4-y3fu
13
vulnerability VCID-u1u4-7b3v-fue7
14
vulnerability VCID-vk15-7qdb-xkh9
15
vulnerability VCID-x373-rhh4-7khm
16
vulnerability VCID-xpa3-1n87-8ucv
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.0.beta1
aliases CVE-2025-59830, GHSA-625h-95r8-8xpm
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-amfu-8d25-juhy
4
url VCID-bj83-rx84-v3g9
vulnerability_id VCID-bj83-rx84-v3g9
summary 
Rack has a Directory Traversal via Rack:Directory
`Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22860.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22860.json
1
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
2
reference_url https://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7
3
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128479
reference_id 1128479
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128479
4
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2440737
reference_id 2440737
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2440737
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-22860
reference_id CVE-2026-22860
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-22860
6
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-22860.yml
reference_id CVE-2026-22860.YML
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-22860.yml
7
reference_url https://github.com/advisories/GHSA-mxw3-3hh2-x2mh
reference_id GHSA-mxw3-3hh2-x2mh
reference_type
scores
url https://github.com/advisories/GHSA-mxw3-3hh2-x2mh
8
reference_url https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh
reference_id GHSA-mxw3-3hh2-x2mh
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh
fixed_packages
0
url pkg:gem/rack@2.2.22
purl pkg:gem/rack@2.2.22
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bj83-rx84-v3g9
1
vulnerability VCID-x373-rhh4-7khm
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.22
1
url pkg:gem/rack@3.1.20
purl pkg:gem/rack@3.1.20
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bj83-rx84-v3g9
1
vulnerability VCID-x373-rhh4-7khm
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.20
2
url pkg:gem/rack@3.2.5
purl pkg:gem/rack@3.2.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bj83-rx84-v3g9
1
vulnerability VCID-x373-rhh4-7khm
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.5
aliases CVE-2026-22860, GHSA-mxw3-3hh2-x2mh
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bj83-rx84-v3g9
5
url VCID-bqpn-m2fh-9kab
vulnerability_id VCID-bqpn-m2fh-9kab
summary 
Possible Denial of Service Vulnerability in Rack’s header parsing
There is a denial of service vulnerability in the header parsing component of Rack. Carefully crafted input can cause header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse headers using Rack (virtually all Rails applications) are impacted. Workarounds Setting `Regexp.timeout` in Ruby 3.2 is a possible workaround.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-27539.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-27539.json
1
reference_url https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466
2
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
3
reference_url https://github.com/rack/rack/commit/231ef369ad0b542575fb36c74fcfcfabcf6c530c
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/commit/231ef369ad0b542575fb36c74fcfcfabcf6c530c
4
reference_url https://github.com/rack/rack/commit/ee7919ea04303717858be1c3f16b406adc6d8cff
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/commit/ee7919ea04303717858be1c3f16b406adc6d8cff
5
reference_url https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html
6
reference_url https://security.netapp.com/advisory/ntap-20231208-0016
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20231208-0016
7
reference_url https://www.debian.org/security/2023/dsa-5530
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2023/dsa-5530
8
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033264
reference_id 1033264
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033264
9
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2179649
reference_id 2179649
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2179649
10
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-27539
reference_id CVE-2023-27539
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-27539
11
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2023-27539.yml
reference_id CVE-2023-27539.YML
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2023-27539.yml
12
reference_url https://github.com/advisories/GHSA-c6qg-cjj8-47qp
reference_id GHSA-c6qg-cjj8-47qp
reference_type
scores
url https://github.com/advisories/GHSA-c6qg-cjj8-47qp
13
reference_url https://access.redhat.com/errata/RHSA-2023:1953
reference_id RHSA-2023:1953
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:1953
14
reference_url https://access.redhat.com/errata/RHSA-2023:1961
reference_id RHSA-2023:1961
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:1961
15
reference_url https://access.redhat.com/errata/RHSA-2023:1981
reference_id RHSA-2023:1981
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:1981
16
reference_url https://access.redhat.com/errata/RHSA-2023:2652
reference_id RHSA-2023:2652
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:2652
17
reference_url https://access.redhat.com/errata/RHSA-2023:3082
reference_id RHSA-2023:3082
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:3082
18
reference_url https://access.redhat.com/errata/RHSA-2023:3403
reference_id RHSA-2023:3403
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:3403
19
reference_url https://access.redhat.com/errata/RHSA-2023:3495
reference_id RHSA-2023:3495
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:3495
20
reference_url https://access.redhat.com/errata/RHSA-2023:6818
reference_id RHSA-2023:6818
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:6818
fixed_packages
0
url pkg:gem/rack@2.2.6.4
purl pkg:gem/rack@2.2.6.4
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3jru-u17n-tyg1
1
vulnerability VCID-52qe-dast-tkhu
2
vulnerability VCID-7cef-z5qm-afd8
3
vulnerability VCID-amfu-8d25-juhy
4
vulnerability VCID-bj83-rx84-v3g9
5
vulnerability VCID-dss4-6ptr-83av
6
vulnerability VCID-e11g-k7zm-vkhu
7
vulnerability VCID-heu4-cd3d-73ck
8
vulnerability VCID-k8fr-zuyx-yyhg
9
vulnerability VCID-vk15-7qdb-xkh9
10
vulnerability VCID-x373-rhh4-7khm
11
vulnerability VCID-xpa3-1n87-8ucv
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.6.4
1
url pkg:gem/rack@3.0.6.1
purl pkg:gem/rack@3.0.6.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3jru-u17n-tyg1
1
vulnerability VCID-52qe-dast-tkhu
2
vulnerability VCID-7cef-z5qm-afd8
3
vulnerability VCID-bj83-rx84-v3g9
4
vulnerability VCID-dss4-6ptr-83av
5
vulnerability VCID-e11g-k7zm-vkhu
6
vulnerability VCID-heu4-cd3d-73ck
7
vulnerability VCID-k8fr-zuyx-yyhg
8
vulnerability VCID-vk15-7qdb-xkh9
9
vulnerability VCID-x373-rhh4-7khm
10
vulnerability VCID-xpa3-1n87-8ucv
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.6.1
aliases CVE-2023-27539, GHSA-c6qg-cjj8-47qp, GMS-2023-769
risk_score 2.4
exploitability 0.5
weighted_severity 4.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bqpn-m2fh-9kab
6
url VCID-dss4-6ptr-83av
vulnerability_id VCID-dss4-6ptr-83av
summary 
Rack: Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
`Rack::Multipart::Parser` stores non-file form fields (parts without a `filename`) entirely in memory as Ruby `String` objects. A single large text field in a multipart/form-data request (hundreds of megabytes or more) can consume equivalent process memory, potentially leading to out-of-memory (OOM) conditions and denial of service (DoS).
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61771.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61771.json
1
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
2
reference_url https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e
3
reference_url https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e
4
reference_url https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd
5
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117628
reference_id 1117628
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117628
6
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2402175
reference_id 2402175
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2402175
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-61771
reference_id CVE-2025-61771
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-61771
8
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61771.yml
reference_id CVE-2025-61771.YML
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61771.yml
9
reference_url https://github.com/advisories/GHSA-w9pc-fmgc-vxvw
reference_id GHSA-w9pc-fmgc-vxvw
reference_type
scores
url https://github.com/advisories/GHSA-w9pc-fmgc-vxvw
10
reference_url https://github.com/rack/rack/security/advisories/GHSA-w9pc-fmgc-vxvw
reference_id GHSA-w9pc-fmgc-vxvw
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/security/advisories/GHSA-w9pc-fmgc-vxvw
11
reference_url https://access.redhat.com/errata/RHSA-2025:19512
reference_id RHSA-2025:19512
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19512
12
reference_url https://access.redhat.com/errata/RHSA-2025:19513
reference_id RHSA-2025:19513
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19513
13
reference_url https://access.redhat.com/errata/RHSA-2025:19647
reference_id RHSA-2025:19647
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19647
14
reference_url https://access.redhat.com/errata/RHSA-2025:19719
reference_id RHSA-2025:19719
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19719
15
reference_url https://access.redhat.com/errata/RHSA-2025:19734
reference_id RHSA-2025:19734
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19734
16
reference_url https://access.redhat.com/errata/RHSA-2025:19800
reference_id RHSA-2025:19800
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19800
17
reference_url https://access.redhat.com/errata/RHSA-2025:19948
reference_id RHSA-2025:19948
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19948
18
reference_url https://access.redhat.com/errata/RHSA-2025:20962
reference_id RHSA-2025:20962
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:20962
19
reference_url https://access.redhat.com/errata/RHSA-2025:21036
reference_id RHSA-2025:21036
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:21036
20
reference_url https://access.redhat.com/errata/RHSA-2025:21696
reference_id RHSA-2025:21696
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:21696
fixed_packages
0
url pkg:gem/rack@2.2.19
purl pkg:gem/rack@2.2.19
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3jru-u17n-tyg1
1
vulnerability VCID-bj83-rx84-v3g9
2
vulnerability VCID-e11g-k7zm-vkhu
3
vulnerability VCID-x373-rhh4-7khm
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.19
1
url pkg:gem/rack@3.1.17
purl pkg:gem/rack@3.1.17
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3jru-u17n-tyg1
1
vulnerability VCID-bj83-rx84-v3g9
2
vulnerability VCID-e11g-k7zm-vkhu
3
vulnerability VCID-x373-rhh4-7khm
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.17
2
url pkg:gem/rack@3.2.2
purl pkg:gem/rack@3.2.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3jru-u17n-tyg1
1
vulnerability VCID-bj83-rx84-v3g9
2
vulnerability VCID-e11g-k7zm-vkhu
3
vulnerability VCID-x373-rhh4-7khm
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.2
aliases CVE-2025-61771, GHSA-w9pc-fmgc-vxvw
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dss4-6ptr-83av
7
url VCID-e11g-k7zm-vkhu
vulnerability_id VCID-e11g-k7zm-vkhu
summary 
Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing
`Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61919.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61919.json
1
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
2
reference_url https://github.com/rack/rack/commit/4e2c903991a790ee211a3021808ff4fd6fe82881
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/commit/4e2c903991a790ee211a3021808ff4fd6fe82881
3
reference_url https://github.com/rack/rack/commit/cbd541e8a3d0c5830a3c9a30d3718ce2e124f9db
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/commit/cbd541e8a3d0c5830a3c9a30d3718ce2e124f9db
4
reference_url https://github.com/rack/rack/commit/e179614c4a653283286f5f046428cbb85f21146f
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/commit/e179614c4a653283286f5f046428cbb85f21146f
5
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117856
reference_id 1117856
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117856
6
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2403180
reference_id 2403180
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2403180
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-61919
reference_id CVE-2025-61919
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-61919
8
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61919.yml
reference_id CVE-2025-61919.YML
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61919.yml
9
reference_url https://github.com/advisories/GHSA-6xw4-3v39-52mm
reference_id GHSA-6xw4-3v39-52mm
reference_type
scores
url https://github.com/advisories/GHSA-6xw4-3v39-52mm
10
reference_url https://github.com/rack/rack/security/advisories/GHSA-6xw4-3v39-52mm
reference_id GHSA-6xw4-3v39-52mm
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/security/advisories/GHSA-6xw4-3v39-52mm
11
reference_url https://access.redhat.com/errata/RHSA-2025:19512
reference_id RHSA-2025:19512
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19512
12
reference_url https://access.redhat.com/errata/RHSA-2025:19513
reference_id RHSA-2025:19513
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19513
13
reference_url https://access.redhat.com/errata/RHSA-2025:19647
reference_id RHSA-2025:19647
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19647
14
reference_url https://access.redhat.com/errata/RHSA-2025:19719
reference_id RHSA-2025:19719
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19719
15
reference_url https://access.redhat.com/errata/RHSA-2025:19733
reference_id RHSA-2025:19733
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19733
16
reference_url https://access.redhat.com/errata/RHSA-2025:19734
reference_id RHSA-2025:19734
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19734
17
reference_url https://access.redhat.com/errata/RHSA-2025:19736
reference_id RHSA-2025:19736
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19736
18
reference_url https://access.redhat.com/errata/RHSA-2025:19800
reference_id RHSA-2025:19800
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19800
19
reference_url https://access.redhat.com/errata/RHSA-2025:19832
reference_id RHSA-2025:19832
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19832
20
reference_url https://access.redhat.com/errata/RHSA-2025:19855
reference_id RHSA-2025:19855
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19855
21
reference_url https://access.redhat.com/errata/RHSA-2025:19856
reference_id RHSA-2025:19856
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19856
22
reference_url https://access.redhat.com/errata/RHSA-2025:19948
reference_id RHSA-2025:19948
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19948
23
reference_url https://access.redhat.com/errata/RHSA-2025:20962
reference_id RHSA-2025:20962
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:20962
24
reference_url https://access.redhat.com/errata/RHSA-2025:21036
reference_id RHSA-2025:21036
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:21036
25
reference_url https://access.redhat.com/errata/RHSA-2025:21696
reference_id RHSA-2025:21696
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:21696
fixed_packages
0
url pkg:gem/rack@2.2.20
purl pkg:gem/rack@2.2.20
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bj83-rx84-v3g9
1
vulnerability VCID-x373-rhh4-7khm
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.20
1
url pkg:gem/rack@3.1.18
purl pkg:gem/rack@3.1.18
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bj83-rx84-v3g9
1
vulnerability VCID-x373-rhh4-7khm
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.18
2
url pkg:gem/rack@3.2.3
purl pkg:gem/rack@3.2.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bj83-rx84-v3g9
1
vulnerability VCID-x373-rhh4-7khm
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.3
aliases CVE-2025-61919, GHSA-6xw4-3v39-52mm
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-e11g-k7zm-vkhu
8
url VCID-heu4-cd3d-73ck
vulnerability_id VCID-heu4-cd3d-73ck
summary 
Rack has possible DoS Vulnerability with Range Header
# Possible DoS Vulnerability with Range Header in Rack

There is a possible DoS vulnerability relating to the Range request header in
Rack.  This vulnerability has been assigned the CVE identifier CVE-2024-26141.

Versions Affected:  >= 1.3.0.
Not affected:       < 1.3.0
Fixed Versions:     3.0.9.1, 2.2.8.1

Impact
------
Carefully crafted Range headers can cause a server to respond with an
unexpectedly large response. Responding with such large responses could lead
to a denial of service issue.

Vulnerable applications will use the `Rack::File` middleware or the
`Rack::Utils.byte_ranges` methods (this includes Rails applications).

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
There are no feasible workarounds for this issue.

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

* 3-0-range.patch - Patch for 3.0 series
* 2-2-range.patch - Patch for 2.2 series

Credits
-------

Thank you [ooooooo_q](https://hackerone.com/ooooooo_q) for the report and
patch
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26141.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26141.json
1
reference_url https://discuss.rubyonrails.org/t/possible-dos-vulnerability-with-range-header-in-rack/84944
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://discuss.rubyonrails.org/t/possible-dos-vulnerability-with-range-header-in-rack/84944
2
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
3
reference_url https://github.com/rack/rack/commit/4849132bef471adb21131980df745f4bb84de2d9
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/commit/4849132bef471adb21131980df745f4bb84de2d9
4
reference_url https://github.com/rack/rack/commit/62457686b26d33a15a254c7768c2076e8e02b48b
reference_id
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/commit/62457686b26d33a15a254c7768c2076e8e02b48b
5
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064516
reference_id 1064516
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064516
6
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2265594
reference_id 2265594
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2265594
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2024-26141
reference_id CVE-2024-26141
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2024-26141
8
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26141.yml
reference_id CVE-2024-26141.YML
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26141.yml
9
reference_url https://github.com/advisories/GHSA-xj5v-6v4g-jfw6
reference_id GHSA-xj5v-6v4g-jfw6
reference_type
scores
url https://github.com/advisories/GHSA-xj5v-6v4g-jfw6
10
reference_url https://github.com/rack/rack/security/advisories/GHSA-xj5v-6v4g-jfw6
reference_id GHSA-xj5v-6v4g-jfw6
reference_type
scores
0
value LOW
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/security/advisories/GHSA-xj5v-6v4g-jfw6
11
reference_url https://access.redhat.com/errata/RHSA-2024:10806
reference_id RHSA-2024:10806
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:10806
12
reference_url https://access.redhat.com/errata/RHSA-2024:1841
reference_id RHSA-2024:1841
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1841
13
reference_url https://access.redhat.com/errata/RHSA-2024:1846
reference_id RHSA-2024:1846
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:1846
14
reference_url https://access.redhat.com/errata/RHSA-2024:2007
reference_id RHSA-2024:2007
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2007
15
reference_url https://access.redhat.com/errata/RHSA-2024:2113
reference_id RHSA-2024:2113
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2113
16
reference_url https://access.redhat.com/errata/RHSA-2024:2581
reference_id RHSA-2024:2581
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2581
17
reference_url https://access.redhat.com/errata/RHSA-2024:2584
reference_id RHSA-2024:2584
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2584
18
reference_url https://access.redhat.com/errata/RHSA-2024:2953
reference_id RHSA-2024:2953
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:2953
19
reference_url https://access.redhat.com/errata/RHSA-2024:3431
reference_id RHSA-2024:3431
reference_type
scores
url https://access.redhat.com/errata/RHSA-2024:3431
fixed_packages
0
url pkg:gem/rack@2.2.8.1
purl pkg:gem/rack@2.2.8.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3jru-u17n-tyg1
1
vulnerability VCID-7cef-z5qm-afd8
2
vulnerability VCID-amfu-8d25-juhy
3
vulnerability VCID-bj83-rx84-v3g9
4
vulnerability VCID-dss4-6ptr-83av
5
vulnerability VCID-e11g-k7zm-vkhu
6
vulnerability VCID-k8fr-zuyx-yyhg
7
vulnerability VCID-vk15-7qdb-xkh9
8
vulnerability VCID-x373-rhh4-7khm
9
vulnerability VCID-xpa3-1n87-8ucv
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.8.1
1
url pkg:gem/rack@3.0.9.1
purl pkg:gem/rack@3.0.9.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3jru-u17n-tyg1
1
vulnerability VCID-7cef-z5qm-afd8
2
vulnerability VCID-bj83-rx84-v3g9
3
vulnerability VCID-dss4-6ptr-83av
4
vulnerability VCID-e11g-k7zm-vkhu
5
vulnerability VCID-k8fr-zuyx-yyhg
6
vulnerability VCID-vk15-7qdb-xkh9
7
vulnerability VCID-x373-rhh4-7khm
8
vulnerability VCID-xpa3-1n87-8ucv
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.9.1
aliases CVE-2024-26141, GHSA-xj5v-6v4g-jfw6
risk_score 2.4
exploitability 0.5
weighted_severity 4.8
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-heu4-cd3d-73ck
9
url VCID-k8fr-zuyx-yyhg
vulnerability_id VCID-k8fr-zuyx-yyhg
summary 
Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
`Rack::Multipart::Parser` can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line (`CRLFCRLF`). The parser keeps appending incoming bytes to memory without a size cap, allowing a remote attacker to exhaust memory and cause a denial of service (DoS).
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61772.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61772.json
1
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
2
reference_url https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e
3
reference_url https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e
4
reference_url https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd
5
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117627
reference_id 1117627
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117627
6
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2402200
reference_id 2402200
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2402200
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-61772
reference_id CVE-2025-61772
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-61772
8
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61772.yml
reference_id CVE-2025-61772.YML
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61772.yml
9
reference_url https://github.com/advisories/GHSA-wpv5-97wm-hp9c
reference_id GHSA-wpv5-97wm-hp9c
reference_type
scores
url https://github.com/advisories/GHSA-wpv5-97wm-hp9c
10
reference_url https://github.com/rack/rack/security/advisories/GHSA-wpv5-97wm-hp9c
reference_id GHSA-wpv5-97wm-hp9c
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/security/advisories/GHSA-wpv5-97wm-hp9c
11
reference_url https://access.redhat.com/errata/RHSA-2025:19512
reference_id RHSA-2025:19512
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19512
12
reference_url https://access.redhat.com/errata/RHSA-2025:19513
reference_id RHSA-2025:19513
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19513
13
reference_url https://access.redhat.com/errata/RHSA-2025:19647
reference_id RHSA-2025:19647
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19647
14
reference_url https://access.redhat.com/errata/RHSA-2025:19719
reference_id RHSA-2025:19719
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19719
15
reference_url https://access.redhat.com/errata/RHSA-2025:19733
reference_id RHSA-2025:19733
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19733
16
reference_url https://access.redhat.com/errata/RHSA-2025:19734
reference_id RHSA-2025:19734
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19734
17
reference_url https://access.redhat.com/errata/RHSA-2025:19736
reference_id RHSA-2025:19736
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19736
18
reference_url https://access.redhat.com/errata/RHSA-2025:19800
reference_id RHSA-2025:19800
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19800
19
reference_url https://access.redhat.com/errata/RHSA-2025:19948
reference_id RHSA-2025:19948
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19948
20
reference_url https://access.redhat.com/errata/RHSA-2025:20962
reference_id RHSA-2025:20962
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:20962
21
reference_url https://access.redhat.com/errata/RHSA-2025:21036
reference_id RHSA-2025:21036
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:21036
fixed_packages
0
url pkg:gem/rack@2.2.19
purl pkg:gem/rack@2.2.19
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3jru-u17n-tyg1
1
vulnerability VCID-bj83-rx84-v3g9
2
vulnerability VCID-e11g-k7zm-vkhu
3
vulnerability VCID-x373-rhh4-7khm
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.19
1
url pkg:gem/rack@3.1.17
purl pkg:gem/rack@3.1.17
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3jru-u17n-tyg1
1
vulnerability VCID-bj83-rx84-v3g9
2
vulnerability VCID-e11g-k7zm-vkhu
3
vulnerability VCID-x373-rhh4-7khm
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.17
2
url pkg:gem/rack@3.2.2
purl pkg:gem/rack@3.2.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3jru-u17n-tyg1
1
vulnerability VCID-bj83-rx84-v3g9
2
vulnerability VCID-e11g-k7zm-vkhu
3
vulnerability VCID-x373-rhh4-7khm
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.2
aliases CVE-2025-61772, GHSA-wpv5-97wm-hp9c
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-k8fr-zuyx-yyhg
10
url VCID-vk15-7qdb-xkh9
vulnerability_id VCID-vk15-7qdb-xkh9
summary 
Escape Sequence Injection vulnerability in Rack lead to Possible Log Injection
## Summary

`Rack::Sendfile` can be exploited by crafting input that
includes newline characters to manipulate log entries.

## Details

The `Rack::Sendfile` middleware logs unsanitized header values from
the `X-Sendfile-Type` header. An attacker can exploit this by
injecting escape sequences (such as newline characters) into the
header, resulting in log injection.

## Impact

This vulnerability can distort log files, obscure
attack traces, and complicate security auditing.

## Mitigation

- Update to the latest version of Rack, or
- Remove usage of `Rack::Sendfile`.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27111.json
reference_id
reference_type
scores
0
value 5.3
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27111.json
1
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
2
reference_url https://github.com/rack/rack/commit/803aa221e8302719715e224f4476e438f2531a53
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/commit/803aa221e8302719715e224f4476e438f2531a53
3
reference_url https://github.com/rack/rack/commit/aeac570bb8080ca7b53b7f2e2f67498be7ebd30b
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/commit/aeac570bb8080ca7b53b7f2e2f67498be7ebd30b
4
reference_url https://github.com/rack/rack/commit/b13bc6bfc7506aca3478dc5ac1c2ec6fc53f82a3
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/commit/b13bc6bfc7506aca3478dc5ac1c2ec6fc53f82a3
5
reference_url https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v
6
reference_url https://lists.debian.org/debian-lts-announce/2025/03/msg00016.html
reference_id
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/03/msg00016.html
7
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1099546
reference_id 1099546
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1099546
8
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2349810
reference_id 2349810
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2349810
9
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-27111
reference_id CVE-2025-27111
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-27111
10
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-27111.yml
reference_id CVE-2025-27111.YML
reference_type
scores
0
value 6.9
scoring_system cvssv4
scoring_elements CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-27111.yml
11
reference_url https://github.com/advisories/GHSA-8cgq-6mh2-7j6v
reference_id GHSA-8cgq-6mh2-7j6v
reference_type
scores
url https://github.com/advisories/GHSA-8cgq-6mh2-7j6v
fixed_packages
0
url pkg:gem/rack@2.2.12
purl pkg:gem/rack@2.2.12
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3jru-u17n-tyg1
1
vulnerability VCID-7cef-z5qm-afd8
2
vulnerability VCID-amfu-8d25-juhy
3
vulnerability VCID-bj83-rx84-v3g9
4
vulnerability VCID-dss4-6ptr-83av
5
vulnerability VCID-e11g-k7zm-vkhu
6
vulnerability VCID-k8fr-zuyx-yyhg
7
vulnerability VCID-x373-rhh4-7khm
8
vulnerability VCID-xpa3-1n87-8ucv
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.12
1
url pkg:gem/rack@3.0.13
purl pkg:gem/rack@3.0.13
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3jru-u17n-tyg1
1
vulnerability VCID-7cef-z5qm-afd8
2
vulnerability VCID-bj83-rx84-v3g9
3
vulnerability VCID-dss4-6ptr-83av
4
vulnerability VCID-e11g-k7zm-vkhu
5
vulnerability VCID-k8fr-zuyx-yyhg
6
vulnerability VCID-x373-rhh4-7khm
7
vulnerability VCID-xpa3-1n87-8ucv
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.13
2
url pkg:gem/rack@3.1.11
purl pkg:gem/rack@3.1.11
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3jru-u17n-tyg1
1
vulnerability VCID-7cef-z5qm-afd8
2
vulnerability VCID-bj83-rx84-v3g9
3
vulnerability VCID-dss4-6ptr-83av
4
vulnerability VCID-e11g-k7zm-vkhu
5
vulnerability VCID-k8fr-zuyx-yyhg
6
vulnerability VCID-x373-rhh4-7khm
7
vulnerability VCID-xpa3-1n87-8ucv
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.11
aliases CVE-2025-27111, GHSA-8cgq-6mh2-7j6v
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vk15-7qdb-xkh9
11
url VCID-x373-rhh4-7khm
vulnerability_id VCID-x373-rhh4-7khm
summary 
Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href
`Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename begins with the `javascript:` scheme (e.g. `javascript:alert(1)`), the generated index includes an anchor whose `href` attribute is exactly `javascript:alert(1)`. Clicking this entry executes arbitrary JavaScript in the context of the hosting application.

This results in a client-side XSS condition in directory listings generated by `Rack::Directory`.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25500.json
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25500.json
1
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
2
reference_url https://github.com/rack/rack/commit/f2f225f297b99fbee3d9f51255d41f601fc40aff
reference_id
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/commit/f2f225f297b99fbee3d9f51255d41f601fc40aff
3
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128480
reference_id 1128480
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128480
4
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2440738
reference_id 2440738
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2440738
5
reference_url https://nvd.nist.gov/vuln/detail/CVE-2026-25500
reference_id CVE-2026-25500
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2026-25500
6
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-25500.yml
reference_id CVE-2026-25500.YML
reference_type
scores
0
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
1
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-25500.yml
7
reference_url https://github.com/advisories/GHSA-whrj-4476-wvmp
reference_id GHSA-whrj-4476-wvmp
reference_type
scores
url https://github.com/advisories/GHSA-whrj-4476-wvmp
8
reference_url https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp
reference_id GHSA-whrj-4476-wvmp
reference_type
scores
0
value 5.4
scoring_system cvssv3
scoring_elements
1
value 5.4
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
2
value MODERATE
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp
fixed_packages
0
url pkg:gem/rack@2.2.22
purl pkg:gem/rack@2.2.22
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bj83-rx84-v3g9
1
vulnerability VCID-x373-rhh4-7khm
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.22
1
url pkg:gem/rack@3.1.20
purl pkg:gem/rack@3.1.20
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bj83-rx84-v3g9
1
vulnerability VCID-x373-rhh4-7khm
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.20
2
url pkg:gem/rack@3.2.5
purl pkg:gem/rack@3.2.5
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-bj83-rx84-v3g9
1
vulnerability VCID-x373-rhh4-7khm
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.5
aliases CVE-2026-25500, GHSA-whrj-4476-wvmp
risk_score 3.1
exploitability 0.5
weighted_severity 6.2
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-x373-rhh4-7khm
12
url VCID-xpa3-1n87-8ucv
vulnerability_id VCID-xpa3-1n87-8ucv
summary 
Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion)
`Rack::Multipart::Parser` buffers the entire multipart **preamble** (bytes before the first boundary) in memory without any size limit. A client can send a large preamble followed by a valid boundary, causing significant memory use and potential process termination due to out-of-memory (OOM) conditions.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61770.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61770.json
1
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
2
reference_url https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e
3
reference_url https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e
4
reference_url https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd
5
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117627
reference_id 1117627
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117627
6
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2402174
reference_id 2402174
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2402174
7
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-61770
reference_id CVE-2025-61770
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-61770
8
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61770.yml
reference_id CVE-2025-61770.YML
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61770.yml
9
reference_url https://github.com/advisories/GHSA-p543-xpfm-54cp
reference_id GHSA-p543-xpfm-54cp
reference_type
scores
url https://github.com/advisories/GHSA-p543-xpfm-54cp
10
reference_url https://github.com/rack/rack/security/advisories/GHSA-p543-xpfm-54cp
reference_id GHSA-p543-xpfm-54cp
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/security/advisories/GHSA-p543-xpfm-54cp
11
reference_url https://access.redhat.com/errata/RHSA-2025:19512
reference_id RHSA-2025:19512
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19512
12
reference_url https://access.redhat.com/errata/RHSA-2025:19513
reference_id RHSA-2025:19513
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19513
13
reference_url https://access.redhat.com/errata/RHSA-2025:19647
reference_id RHSA-2025:19647
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19647
14
reference_url https://access.redhat.com/errata/RHSA-2025:19719
reference_id RHSA-2025:19719
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19719
15
reference_url https://access.redhat.com/errata/RHSA-2025:19733
reference_id RHSA-2025:19733
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19733
16
reference_url https://access.redhat.com/errata/RHSA-2025:19734
reference_id RHSA-2025:19734
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19734
17
reference_url https://access.redhat.com/errata/RHSA-2025:19736
reference_id RHSA-2025:19736
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19736
18
reference_url https://access.redhat.com/errata/RHSA-2025:19800
reference_id RHSA-2025:19800
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19800
19
reference_url https://access.redhat.com/errata/RHSA-2025:19948
reference_id RHSA-2025:19948
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:19948
20
reference_url https://access.redhat.com/errata/RHSA-2025:20962
reference_id RHSA-2025:20962
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:20962
21
reference_url https://access.redhat.com/errata/RHSA-2025:21036
reference_id RHSA-2025:21036
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:21036
22
reference_url https://access.redhat.com/errata/RHSA-2025:21696
reference_id RHSA-2025:21696
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:21696
fixed_packages
0
url pkg:gem/rack@2.2.19
purl pkg:gem/rack@2.2.19
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3jru-u17n-tyg1
1
vulnerability VCID-bj83-rx84-v3g9
2
vulnerability VCID-e11g-k7zm-vkhu
3
vulnerability VCID-x373-rhh4-7khm
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.19
1
url pkg:gem/rack@3.1.17
purl pkg:gem/rack@3.1.17
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3jru-u17n-tyg1
1
vulnerability VCID-bj83-rx84-v3g9
2
vulnerability VCID-e11g-k7zm-vkhu
3
vulnerability VCID-x373-rhh4-7khm
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.17
2
url pkg:gem/rack@3.2.2
purl pkg:gem/rack@3.2.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3jru-u17n-tyg1
1
vulnerability VCID-bj83-rx84-v3g9
2
vulnerability VCID-e11g-k7zm-vkhu
3
vulnerability VCID-x373-rhh4-7khm
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.2
aliases CVE-2025-61770, GHSA-p543-xpfm-54cp
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xpa3-1n87-8ucv
Fixing_vulnerabilities
0
url VCID-zqax-g5xz-wuch
vulnerability_id VCID-zqax-g5xz-wuch
summary 
Rack has possible DoS Vulnerability in Multipart MIME parsing
There is a possible DoS vulnerability in the Multipart MIME parsing code in Rack. This vulnerability has been assigned the CVE identifier CVE-2023-27530.

Versions Affected: All. Not affected: None Fixed Versions: 3.0.4.2, 2.2.6.3, 2.1.4.3, 2.0.9.3

# Impact
The Multipart MIME parsing code in Rack limits the number of file parts, but does not limit the total number of parts that can be uploaded. Carefully crafted requests can abuse this and cause multipart parsing to take longer than expected.

All users running an affected release should either upgrade or use one of the workarounds immediately.

# Workarounds
A proxy can be configured to limit the POST body size which will mitigate this issue.
references
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-27530.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-27530.json
1
reference_url https://discuss.rubyonrails.org/t/cve-2023-27530-possible-dos-vulnerability-in-multipart-mime-parsing/82388
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://discuss.rubyonrails.org/t/cve-2023-27530-possible-dos-vulnerability-in-multipart-mime-parsing/82388
2
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
3
reference_url https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html
4
reference_url https://security.netapp.com/advisory/ntap-20231208-0015
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://security.netapp.com/advisory/ntap-20231208-0015
5
reference_url https://www.debian.org/security/2023/dsa-5530
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://www.debian.org/security/2023/dsa-5530
6
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032803
reference_id 1032803
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1032803
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2176477
reference_id 2176477
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2176477
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2023-27530
reference_id CVE-2023-27530
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2023-27530
9
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2023-27530.yml
reference_id CVE-2023-27530.YML
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2023-27530.yml
10
reference_url https://github.com/advisories/GHSA-3h57-hmj3-gj3p
reference_id GHSA-3h57-hmj3-gj3p
reference_type
scores
url https://github.com/advisories/GHSA-3h57-hmj3-gj3p
11
reference_url https://access.redhat.com/errata/RHSA-2023:1961
reference_id RHSA-2023:1961
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:1961
12
reference_url https://access.redhat.com/errata/RHSA-2023:1981
reference_id RHSA-2023:1981
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:1981
13
reference_url https://access.redhat.com/errata/RHSA-2023:2652
reference_id RHSA-2023:2652
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:2652
14
reference_url https://access.redhat.com/errata/RHSA-2023:3082
reference_id RHSA-2023:3082
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:3082
15
reference_url https://access.redhat.com/errata/RHSA-2023:3403
reference_id RHSA-2023:3403
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:3403
16
reference_url https://access.redhat.com/errata/RHSA-2023:6818
reference_id RHSA-2023:6818
reference_type
scores
url https://access.redhat.com/errata/RHSA-2023:6818
fixed_packages
0
url pkg:gem/rack@2.0.9.3
purl pkg:gem/rack@2.0.9.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3jru-u17n-tyg1
1
vulnerability VCID-52qe-dast-tkhu
2
vulnerability VCID-7cef-z5qm-afd8
3
vulnerability VCID-amfu-8d25-juhy
4
vulnerability VCID-bj83-rx84-v3g9
5
vulnerability VCID-bqpn-m2fh-9kab
6
vulnerability VCID-dss4-6ptr-83av
7
vulnerability VCID-e11g-k7zm-vkhu
8
vulnerability VCID-heu4-cd3d-73ck
9
vulnerability VCID-k8fr-zuyx-yyhg
10
vulnerability VCID-vk15-7qdb-xkh9
11
vulnerability VCID-x373-rhh4-7khm
12
vulnerability VCID-xpa3-1n87-8ucv
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.0.9.3
1
url pkg:gem/rack@2.1.4.3
purl pkg:gem/rack@2.1.4.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3jru-u17n-tyg1
1
vulnerability VCID-52qe-dast-tkhu
2
vulnerability VCID-7cef-z5qm-afd8
3
vulnerability VCID-amfu-8d25-juhy
4
vulnerability VCID-bj83-rx84-v3g9
5
vulnerability VCID-bqpn-m2fh-9kab
6
vulnerability VCID-dss4-6ptr-83av
7
vulnerability VCID-e11g-k7zm-vkhu
8
vulnerability VCID-heu4-cd3d-73ck
9
vulnerability VCID-k8fr-zuyx-yyhg
10
vulnerability VCID-vk15-7qdb-xkh9
11
vulnerability VCID-x373-rhh4-7khm
12
vulnerability VCID-xpa3-1n87-8ucv
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.1.4.3
2
url pkg:gem/rack@2.2.6.3
purl pkg:gem/rack@2.2.6.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3jru-u17n-tyg1
1
vulnerability VCID-52qe-dast-tkhu
2
vulnerability VCID-7cef-z5qm-afd8
3
vulnerability VCID-amfu-8d25-juhy
4
vulnerability VCID-bj83-rx84-v3g9
5
vulnerability VCID-bqpn-m2fh-9kab
6
vulnerability VCID-dss4-6ptr-83av
7
vulnerability VCID-e11g-k7zm-vkhu
8
vulnerability VCID-heu4-cd3d-73ck
9
vulnerability VCID-k8fr-zuyx-yyhg
10
vulnerability VCID-vk15-7qdb-xkh9
11
vulnerability VCID-x373-rhh4-7khm
12
vulnerability VCID-xpa3-1n87-8ucv
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.6.3
3
url pkg:gem/rack@3.0.4.2
purl pkg:gem/rack@3.0.4.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3jru-u17n-tyg1
1
vulnerability VCID-52qe-dast-tkhu
2
vulnerability VCID-7cef-z5qm-afd8
3
vulnerability VCID-bj83-rx84-v3g9
4
vulnerability VCID-bqpn-m2fh-9kab
5
vulnerability VCID-dss4-6ptr-83av
6
vulnerability VCID-e11g-k7zm-vkhu
7
vulnerability VCID-heu4-cd3d-73ck
8
vulnerability VCID-k8fr-zuyx-yyhg
9
vulnerability VCID-vk15-7qdb-xkh9
10
vulnerability VCID-x373-rhh4-7khm
11
vulnerability VCID-xpa3-1n87-8ucv
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.4.2
aliases CVE-2023-27530, GHSA-3h57-hmj3-gj3p, GMS-2023-663
risk_score 4.0
exploitability 0.5
weighted_severity 8.0
resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-zqax-g5xz-wuch
Risk_score4.0
Resource_urlhttp://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.6.3