Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/67812?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/67812?format=api", "purl": "pkg:gem/rack@3.0.0.beta1", "type": "gem", "namespace": "", "name": "rack", "version": "3.0.0.beta1", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "3.1.20", "latest_non_vulnerable_version": "3.2.6", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/349267?format=api", "vulnerability_id": "VCID-1j61-5e8x-7fbd", "summary": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser only wraps the request body in a BoundedIO when CONTENT_LENGTH is present. When a multipart/form-data request is sent without a Content-Length header, such as with HTTP chunked transfer encoding, multipart parsing continues until end-of-stream with no total size limit. For file parts, the uploaded body is written directly to a temporary file on disk rather than being constrained by the buffered in-memory upload limit. An unauthenticated attacker can therefore stream an arbitrarily large multipart file upload and consume unbounded disk space. This results in a denial of service condition for Rack applications that accept multipart form data. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34829.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34829.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34829", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12659", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.1247", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00054", "scoring_system": "epss", "scoring_elements": "0.17041", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00054", "scoring_system": "epss", "scoring_elements": "0.17088", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00054", "scoring_system": "epss", "scoring_elements": "0.17112", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00054", "scoring_system": "epss", "scoring_elements": "0.17054", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00054", "scoring_system": "epss", "scoring_elements": "0.16916", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00054", "scoring_system": "epss", "scoring_elements": "0.1698", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.1847", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.18624", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.18643", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.18534", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.0006", "scoring_system": "epss", "scoring_elements": "0.18514", "published_at": "2026-04-26T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34829" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34829", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34829" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34829", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34829" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454488", "reference_id": "2454488", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454488" }, { "reference_url": "https://github.com/advisories/GHSA-8vqr-qjwx-82mw", "reference_id": "GHSA-8vqr-qjwx-82mw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8vqr-qjwx-82mw" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-8vqr-qjwx-82mw", "reference_id": "GHSA-8vqr-qjwx-82mw", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-02T17:41:27Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-8vqr-qjwx-82mw" }, { "reference_url": "https://usn.ubuntu.com/8182-1/", "reference_id": "USN-8182-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8182-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994090?format=api", "purl": "pkg:gem/rack@3.1.21", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.21" }, { "url": "http://public2.vulnerablecode.io/api/packages/994091?format=api", "purl": "pkg:gem/rack@3.2.6", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.6" } ], "aliases": [ "CVE-2026-34829", "GHSA-8vqr-qjwx-82mw" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-1j61-5e8x-7fbd" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/349409?format=api", "vulnerability_id": "VCID-2p73-rc9t-rudb", "summary": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Files#fail sets the Content-Length response header using String#size instead of String#bytesize. When the response body contains multibyte UTF-8 characters, the declared Content-Length is smaller than the number of bytes actually sent on the wire. Because Rack::Files reflects the requested path in 404 responses, an attacker can trigger this mismatch by requesting a non-existent path containing percent-encoded UTF-8 characters. This results in incorrect HTTP response framing and may cause response desynchronization in deployments that rely on the incorrect Content-Length value. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34831.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34831.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34831", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.07801", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.0776", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.10738", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.1077", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.10755", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.10699", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.10578", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.10714", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11277", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11321", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11443", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11388", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11346", "published_at": "2026-04-26T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34831" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34831", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34831" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-q2ww-5357-x388", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T17:43:52Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-q2ww-5357-x388" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34831", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34831" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454504", "reference_id": "2454504", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454504" }, { "reference_url": "https://github.com/advisories/GHSA-q2ww-5357-x388", "reference_id": "GHSA-q2ww-5357-x388", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-q2ww-5357-x388" }, { "reference_url": "https://usn.ubuntu.com/8182-1/", "reference_id": "USN-8182-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8182-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994090?format=api", "purl": "pkg:gem/rack@3.1.21", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.21" }, { "url": "http://public2.vulnerablecode.io/api/packages/994091?format=api", "purl": "pkg:gem/rack@3.2.6", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.6" } ], "aliases": [ "CVE-2026-34831", "GHSA-q2ww-5357-x388" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2p73-rc9t-rudb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/349243?format=api", "vulnerability_id": "VCID-2qba-a6bp-ryak", "summary": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as \"/css\", it matches any request path that begins with that string, including unrelated paths such as \"/css-config.env\" or \"/css-backup.sql\". As a result, files under the static root whose names merely share the configured prefix may be served unintentionally, leading to information disclosure. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34785.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34785.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34785", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00031", "scoring_system": "epss", "scoring_elements": "0.08839", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00031", "scoring_system": "epss", "scoring_elements": "0.08773", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12361", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12399", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12391", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12341", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12223", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12323", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.129", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.12919", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13017", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13038", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13006", "published_at": "2026-04-26T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34785" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34785", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34785" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34785", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34785" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454486", "reference_id": "2454486", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454486" }, { "reference_url": "https://github.com/advisories/GHSA-h2jq-g4cq-5ppq", "reference_id": "GHSA-h2jq-g4cq-5ppq", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-h2jq-g4cq-5ppq" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-h2jq-g4cq-5ppq", "reference_id": "GHSA-h2jq-g4cq-5ppq", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-02T18:58:57Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-h2jq-g4cq-5ppq" }, { "reference_url": "https://usn.ubuntu.com/8182-1/", "reference_id": "USN-8182-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8182-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994090?format=api", "purl": "pkg:gem/rack@3.1.21", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.21" }, { "url": "http://public2.vulnerablecode.io/api/packages/994091?format=api", "purl": "pkg:gem/rack@3.2.6", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.6" } ], "aliases": [ "CVE-2026-34785", "GHSA-h2jq-g4cq-5ppq" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-2qba-a6bp-ryak" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/349260?format=api", "vulnerability_id": "VCID-5twm-pqc2-xyfn", "summary": "Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Request parses the Host header using an AUTHORITY regular expression that accepts characters not permitted in RFC-compliant hostnames, including /, ?, #, and @. Because req.host returns the full parsed value, applications that validate hosts using naive prefix or suffix checks can be bypassed. This can lead to host header poisoning in applications that use req.host, req.url, or req.base_url for link generation, redirects, or origin validation. This issue has been patched in versions 3.1.21 and 3.2.6.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34835.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34835.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34835", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.19887", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00064", "scoring_system": "epss", "scoring_elements": "0.20158", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00103", "scoring_system": "epss", "scoring_elements": "0.27794", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00103", "scoring_system": "epss", "scoring_elements": "0.28163", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00103", "scoring_system": "epss", "scoring_elements": "0.28205", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00103", "scoring_system": "epss", "scoring_elements": "0.28213", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00103", "scoring_system": "epss", "scoring_elements": "0.28171", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00103", "scoring_system": "epss", "scoring_elements": "0.28113", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00103", "scoring_system": "epss", "scoring_elements": "0.28125", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00103", "scoring_system": "epss", "scoring_elements": "0.28107", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00103", "scoring_system": "epss", "scoring_elements": "0.28063", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00103", "scoring_system": "epss", "scoring_elements": "0.27982", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00103", "scoring_system": "epss", "scoring_elements": "0.2787", "published_at": "2026-04-26T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34835" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34835", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34835" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34835", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34835" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454482", "reference_id": "2454482", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454482" }, { "reference_url": "https://github.com/advisories/GHSA-g2pf-xv49-m2h5", "reference_id": "GHSA-g2pf-xv49-m2h5", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-g2pf-xv49-m2h5" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-g2pf-xv49-m2h5", "reference_id": "GHSA-g2pf-xv49-m2h5", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T17:43:54Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-g2pf-xv49-m2h5" }, { "reference_url": "https://usn.ubuntu.com/8182-1/", "reference_id": "USN-8182-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8182-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994090?format=api", "purl": "pkg:gem/rack@3.1.21", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.21" }, { "url": "http://public2.vulnerablecode.io/api/packages/994091?format=api", "purl": "pkg:gem/rack@3.2.6", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.6" } ], "aliases": [ "CVE-2026-34835", "GHSA-g2pf-xv49-m2h5" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-5twm-pqc2-xyfn" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/29240?format=api", "vulnerability_id": "VCID-7p12-ejdu-uqgy", "summary": "Escape Sequence Injection vulnerability in Rack lead to Possible Log Injection\n## Summary\n\n`Rack::Sendfile` can be exploited by crafting input that includes newline characters to manipulate log entries.\n\n## Details\n\nThe `Rack::Sendfile` middleware logs unsanitized header values from the `X-Sendfile-Type` header. An attacker can exploit this by injecting escape sequences (such as newline characters) into the header, resulting in log injection.\n\n## Impact\n\nThis vulnerability can distort log files, obscure attack traces, and complicate security auditing.\n\n## Mitigation\n\n- Update to the latest version of Rack, or\n- Remove usage of `Rack::Sendfile`.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27111.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27111.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-27111", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00429", "scoring_system": "epss", "scoring_elements": "0.62462", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00429", "scoring_system": "epss", "scoring_elements": "0.62516", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00429", "scoring_system": "epss", "scoring_elements": "0.62496", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00429", "scoring_system": "epss", "scoring_elements": "0.6248", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00429", "scoring_system": "epss", "scoring_elements": "0.62429", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00429", "scoring_system": "epss", "scoring_elements": "0.62431", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00575", "scoring_system": "epss", "scoring_elements": "0.68747", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00604", "scoring_system": "epss", "scoring_elements": "0.6959", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00668", "scoring_system": "epss", "scoring_elements": "0.7132", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00668", "scoring_system": "epss", "scoring_elements": "0.71305", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00668", "scoring_system": "epss", "scoring_elements": "0.71326", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00668", "scoring_system": "epss", "scoring_elements": "0.71369", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.008", "scoring_system": "epss", "scoring_elements": "0.74143", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.008", "scoring_system": "epss", "scoring_elements": "0.74135", "published_at": "2026-04-24T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-27111" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27111", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27111" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/commit/803aa221e8302719715e224f4476e438f2531a53", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-04T15:44:28Z/" } ], "url": "https://github.com/rack/rack/commit/803aa221e8302719715e224f4476e438f2531a53" }, { "reference_url": "https://github.com/rack/rack/commit/aeac570bb8080ca7b53b7f2e2f67498be7ebd30b", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-04T15:44:28Z/" } ], "url": "https://github.com/rack/rack/commit/aeac570bb8080ca7b53b7f2e2f67498be7ebd30b" }, { "reference_url": "https://github.com/rack/rack/commit/b13bc6bfc7506aca3478dc5ac1c2ec6fc53f82a3", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-04T15:44:28Z/" } ], "url": "https://github.com/rack/rack/commit/b13bc6bfc7506aca3478dc5ac1c2ec6fc53f82a3" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-04T15:44:28Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-27111.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-27111.yml" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00016.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00016.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27111", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27111" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1099546", "reference_id": "1099546", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1099546" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2349810", "reference_id": "2349810", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2349810" }, { "reference_url": "https://github.com/advisories/GHSA-8cgq-6mh2-7j6v", "reference_id": "GHSA-8cgq-6mh2-7j6v", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8cgq-6mh2-7j6v" }, { "reference_url": "https://usn.ubuntu.com/7366-1/", "reference_id": "USN-7366-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7366-1/" }, { "reference_url": "https://usn.ubuntu.com/7366-2/", "reference_id": "USN-7366-2", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7366-2/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/70108?format=api", "purl": "pkg:gem/rack@3.0.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-47ja-djzb-2bbw" }, { "vulnerability": "VCID-7wvj-9h3p-23am" }, { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-azu5-jcmd-3ufx" }, { "vulnerability": "VCID-c5sc-7qnn-mkb9" }, { "vulnerability": "VCID-d58r-22kr-9bct" }, { "vulnerability": "VCID-npag-sz7d-v7b6" }, { "vulnerability": "VCID-s971-gkdg-jkhc" }, { "vulnerability": "VCID-skxv-7he3-xqgc" }, { "vulnerability": "VCID-wt7k-s1yd-nke6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.13" }, { "url": "http://public2.vulnerablecode.io/api/packages/70109?format=api", "purl": "pkg:gem/rack@3.1.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-47ja-djzb-2bbw" }, { "vulnerability": "VCID-7wvj-9h3p-23am" }, { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-azu5-jcmd-3ufx" }, { "vulnerability": "VCID-c5sc-7qnn-mkb9" }, { "vulnerability": "VCID-d58r-22kr-9bct" }, { "vulnerability": "VCID-npag-sz7d-v7b6" }, { "vulnerability": "VCID-s971-gkdg-jkhc" }, { "vulnerability": "VCID-skxv-7he3-xqgc" }, { "vulnerability": "VCID-wt7k-s1yd-nke6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.11" } ], "aliases": [ "CVE-2025-27111", "GHSA-8cgq-6mh2-7j6v" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7p12-ejdu-uqgy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/30111?format=api", "vulnerability_id": "VCID-7wvj-9h3p-23am", "summary": "ReDoS Vulnerability in Rack::Multipart handle_mime_head\n### Summary\nThere is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This is very similar to the previous security issue CVE-2022-44571.\n\n### Details\n\nCarefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is used typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.\n\n### Credits\n\nThanks to [scyoon](https://hackerone.com/scyoon) for reporting this to the Rails security team", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-49007.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-49007.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-49007", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00569", "scoring_system": "epss", "scoring_elements": "0.68648", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00569", "scoring_system": "epss", "scoring_elements": "0.68643", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00569", "scoring_system": "epss", "scoring_elements": "0.68638", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00569", "scoring_system": "epss", "scoring_elements": "0.68589", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00569", "scoring_system": "epss", "scoring_elements": "0.68611", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00569", "scoring_system": "epss", "scoring_elements": "0.686", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00569", "scoring_system": "epss", "scoring_elements": "0.6856", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00569", "scoring_system": "epss", "scoring_elements": "0.6859", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00569", "scoring_system": "epss", "scoring_elements": "0.68528", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00569", "scoring_system": "epss", "scoring_elements": "0.68602", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00569", "scoring_system": "epss", "scoring_elements": "0.68576", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00569", "scoring_system": "epss", "scoring_elements": "0.68558", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00569", "scoring_system": "epss", "scoring_elements": "0.68507", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00569", "scoring_system": "epss", "scoring_elements": "0.6851", "published_at": "2026-04-02T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-49007" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/commit/4795831a0a310c2d31102749e551b38faab6401f", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-05T13:20:37Z/" } ], "url": "https://github.com/rack/rack/commit/4795831a0a310c2d31102749e551b38faab6401f" }, { "reference_url": "https://github.com/rack/rack/commit/aed514df37e33907df3c971ed3ca9a0a20ac2901", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-05T13:20:37Z/" } ], "url": "https://github.com/rack/rack/commit/aed514df37e33907df3c971ed3ca9a0a20ac2901" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-47m2-26rw-j2jw", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-05T13:20:37Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-47m2-26rw-j2jw" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-49007.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-49007.yml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49007", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.6", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-49007" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107363", "reference_id": "1107363", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107363" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2370346", "reference_id": "2370346", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2370346" }, { "reference_url": "https://github.com/advisories/GHSA-47m2-26rw-j2jw", "reference_id": "GHSA-47m2-26rw-j2jw", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-47m2-26rw-j2jw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/70900?format=api", "purl": "pkg:gem/rack@3.1.16", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-7wvj-9h3p-23am" }, { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-azu5-jcmd-3ufx" }, { "vulnerability": "VCID-c5sc-7qnn-mkb9" }, { "vulnerability": "VCID-d58r-22kr-9bct" }, { "vulnerability": "VCID-npag-sz7d-v7b6" }, { "vulnerability": "VCID-s971-gkdg-jkhc" }, { "vulnerability": "VCID-skxv-7he3-xqgc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.16" } ], "aliases": [ "CVE-2025-49007", "GHSA-47m2-26rw-j2jw" ], "risk_score": 3.4, "exploitability": "0.5", "weighted_severity": "6.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7wvj-9h3p-23am" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/21702?format=api", "vulnerability_id": "VCID-9rpp-9xss-duf6", "summary": "Rack has a Directory Traversal via Rack:Directory\n## Summary\n\n`Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root.\n\n## Details\n\nIn `directory.rb`, `File.expand_path(File.join(root, path_info)).start_with?(root)` does not enforce a path boundary. If the server root is `/var/www/root`, a path like `/var/www/root_backup` passes the check because it shares the same prefix, so `Rack::Directory` will list that directory also. \n\n## Impact\n\nInformation disclosure via directory listing outside the configured root when `Rack::Directory` is exposed to untrusted clients and a directory shares the root prefix (e.g., `public2`, `www_backup`).\n\n## Mitigation\n\n* Update to a patched version of Rack that correctly checks the root prefix.\n* Don't name directories with the same prefix as one which is exposed via `Rack::Directory`.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22860.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22860.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-22860", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.001", "scoring_system": "epss", "scoring_elements": "0.27495", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.001", "scoring_system": "epss", "scoring_elements": "0.27602", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.001", "scoring_system": "epss", "scoring_elements": "0.27655", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.001", "scoring_system": "epss", "scoring_elements": "0.27694", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.001", "scoring_system": "epss", "scoring_elements": "0.2772", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.001", "scoring_system": "epss", "scoring_elements": "0.27712", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.001", "scoring_system": "epss", "scoring_elements": "0.27769", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.001", "scoring_system": "epss", "scoring_elements": "0.27811", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.001", "scoring_system": "epss", "scoring_elements": "0.27805", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.001", "scoring_system": "epss", "scoring_elements": "0.27762", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.001", "scoring_system": "epss", "scoring_elements": "0.27695", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.001", "scoring_system": "epss", "scoring_elements": "0.27862", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.001", "scoring_system": "epss", "scoring_elements": "0.27903", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00105", "scoring_system": "epss", "scoring_elements": "0.28153", "published_at": "2026-04-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-22860" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22860", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22860" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-18T19:27:31Z/" } ], "url": "https://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-18T19:27:31Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-22860.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-22860.yml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22860", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22860" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128479", "reference_id": "1128479", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128479" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440737", "reference_id": "2440737", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440737" }, { "reference_url": "https://github.com/advisories/GHSA-mxw3-3hh2-x2mh", "reference_id": "GHSA-mxw3-3hh2-x2mh", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mxw3-3hh2-x2mh" }, { "reference_url": "https://usn.ubuntu.com/8066-1/", "reference_id": "USN-8066-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8066-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64152?format=api", "purl": "pkg:gem/rack@3.1.20", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.20" }, { "url": "http://public2.vulnerablecode.io/api/packages/64153?format=api", "purl": "pkg:gem/rack@3.2.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.5" } ], "aliases": [ "CVE-2026-22860", "GHSA-mxw3-3hh2-x2mh" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-9rpp-9xss-duf6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/15612?format=api", "vulnerability_id": "VCID-arac-j5h5-zkcu", "summary": "Rack has possible DoS Vulnerability with Range Header\n# Possible DoS Vulnerability with Range Header in Rack\n\nThere is a possible DoS vulnerability relating to the Range request header in\nRack. This vulnerability has been assigned the CVE identifier CVE-2024-26141.\n\nVersions Affected: >= 1.3.0.\nNot affected: < 1.3.0\nFixed Versions: 3.0.9.1, 2.2.8.1\n\nImpact\n------\nCarefully crafted Range headers can cause a server to respond with an\nunexpectedly large response. Responding with such large responses could lead\nto a denial of service issue.\n\nVulnerable applications will use the `Rack::File` middleware or the\n`Rack::Utils.byte_ranges` methods (this includes Rails applications).\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nThere are no feasible workarounds for this issue.\n\nPatches\n-------\nTo aid users who aren't able to upgrade immediately we have provided patches for\nthe two supported release series. They are in git-am format and consist of a\nsingle changeset.\n\n* 3-0-range.patch - Patch for 3.0 series\n* 2-2-range.patch - Patch for 2.2 series\n\nCredits\n-------\n\nThank you [ooooooo_q](https://hackerone.com/ooooooo_q) for the report and\npatch", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26141.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26141.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26141", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00378", "scoring_system": "epss", "scoring_elements": "0.59333", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00378", "scoring_system": "epss", "scoring_elements": "0.59314", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00378", "scoring_system": "epss", "scoring_elements": "0.59336", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00378", "scoring_system": "epss", "scoring_elements": "0.59334", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00378", "scoring_system": "epss", "scoring_elements": "0.59349", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00378", "scoring_system": "epss", "scoring_elements": "0.59316", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00378", "scoring_system": "epss", "scoring_elements": "0.5935", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00378", "scoring_system": "epss", "scoring_elements": "0.59356", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00399", "scoring_system": "epss", "scoring_elements": "0.60593", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00399", "scoring_system": "epss", "scoring_elements": "0.60642", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00399", "scoring_system": "epss", "scoring_elements": "0.60657", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.0041", "scoring_system": "epss", "scoring_elements": "0.61296", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.0041", "scoring_system": "epss", "scoring_elements": "0.61363", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.0041", "scoring_system": "epss", "scoring_elements": "0.61325", "published_at": "2026-04-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26141" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25126", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25126" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26141", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26141" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26146", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26146" }, { "reference_url": "https://discuss.rubyonrails.org/t/possible-dos-vulnerability-with-range-header-in-rack/84944", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-05T18:23:59Z/" } ], "url": "https://discuss.rubyonrails.org/t/possible-dos-vulnerability-with-range-header-in-rack/84944" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/commit/4849132bef471adb21131980df745f4bb84de2d9", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-05T18:23:59Z/" } ], "url": "https://github.com/rack/rack/commit/4849132bef471adb21131980df745f4bb84de2d9" }, { "reference_url": "https://github.com/rack/rack/commit/62457686b26d33a15a254c7768c2076e8e02b48b", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-05T18:23:59Z/" } ], "url": "https://github.com/rack/rack/commit/62457686b26d33a15a254c7768c2076e8e02b48b" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-xj5v-6v4g-jfw6", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-05T18:23:59Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-xj5v-6v4g-jfw6" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26141.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-05T18:23:59Z/" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26141.yml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26141", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26141" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064516", "reference_id": "1064516", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064516" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2265594", "reference_id": "2265594", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2265594" }, { "reference_url": "https://github.com/advisories/GHSA-xj5v-6v4g-jfw6", "reference_id": "GHSA-xj5v-6v4g-jfw6", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-xj5v-6v4g-jfw6" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20240510-0007/", "reference_id": "ntap-20240510-0007", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-03-05T18:23:59Z/" } ], "url": "https://security.netapp.com/advisory/ntap-20240510-0007/" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:10806", "reference_id": "RHSA-2024:10806", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:10806" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:1841", "reference_id": "RHSA-2024:1841", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:1841" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:1846", "reference_id": "RHSA-2024:1846", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:1846" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:2007", "reference_id": "RHSA-2024:2007", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:2007" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:2113", "reference_id": "RHSA-2024:2113", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:2113" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:2581", "reference_id": "RHSA-2024:2581", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:2581" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:2584", "reference_id": "RHSA-2024:2584", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:2584" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:2953", "reference_id": "RHSA-2024:2953", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:2953" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:3431", "reference_id": "RHSA-2024:3431", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:3431" }, { "reference_url": "https://usn.ubuntu.com/6689-1/", "reference_id": "USN-6689-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6689-1/" }, { "reference_url": "https://usn.ubuntu.com/6837-1/", "reference_id": "USN-6837-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6837-1/" }, { "reference_url": "https://usn.ubuntu.com/6837-2/", "reference_id": "USN-6837-2", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6837-2/" }, { "reference_url": "https://usn.ubuntu.com/7036-1/", "reference_id": "USN-7036-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7036-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/53258?format=api", "purl": "pkg:gem/rack@3.0.9.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-47ja-djzb-2bbw" }, { "vulnerability": "VCID-7p12-ejdu-uqgy" }, { "vulnerability": "VCID-7wvj-9h3p-23am" }, { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-azu5-jcmd-3ufx" }, { "vulnerability": "VCID-c5sc-7qnn-mkb9" }, { "vulnerability": "VCID-d58r-22kr-9bct" }, { "vulnerability": "VCID-npag-sz7d-v7b6" }, { "vulnerability": "VCID-s971-gkdg-jkhc" }, { "vulnerability": "VCID-skxv-7he3-xqgc" }, { "vulnerability": "VCID-w732-52bx-2qf8" }, { "vulnerability": "VCID-wt7k-s1yd-nke6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.9.1" } ], "aliases": [ "CVE-2024-26141", "GHSA-xj5v-6v4g-jfw6" ], "risk_score": 2.6, "exploitability": "0.5", "weighted_severity": "5.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-arac-j5h5-zkcu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/21707?format=api", "vulnerability_id": "VCID-azu5-jcmd-3ufx", "summary": "Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)\n`Rack::Multipart::Parser` can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line (`CRLFCRLF`). The parser keeps appending incoming bytes to memory without a size cap, allowing a remote attacker to exhaust memory and cause a denial of service (DoS).", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61772.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61772.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61772", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00193", "scoring_system": "epss", "scoring_elements": "0.40983", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00193", "scoring_system": "epss", "scoring_elements": "0.41064", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00193", "scoring_system": "epss", "scoring_elements": "0.41069", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00193", "scoring_system": "epss", "scoring_elements": "0.4118", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00193", "scoring_system": "epss", "scoring_elements": "0.41252", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00193", "scoring_system": "epss", "scoring_elements": "0.41281", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00193", "scoring_system": "epss", "scoring_elements": "0.41249", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00193", "scoring_system": "epss", "scoring_elements": "0.41251", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00193", "scoring_system": "epss", "scoring_elements": "0.41283", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00193", "scoring_system": "epss", "scoring_elements": "0.41261", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00193", "scoring_system": "epss", "scoring_elements": "0.41253", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00193", "scoring_system": "epss", "scoring_elements": "0.41203", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00193", "scoring_system": "epss", "scoring_elements": "0.41278", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00193", "scoring_system": "epss", "scoring_elements": "0.41238", "published_at": "2026-04-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61772" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61772", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61772" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:19Z/" } ], "url": "https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e" }, { "reference_url": "https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:19Z/" } ], "url": "https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e" }, { "reference_url": "https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:19Z/" } ], "url": "https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117627", "reference_id": "1117627", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117627" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2402200", "reference_id": "2402200", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2402200" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61772", "reference_id": "CVE-2025-61772", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61772" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61772.yml", "reference_id": "CVE-2025-61772.YML", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61772.yml" }, { "reference_url": "https://github.com/advisories/GHSA-wpv5-97wm-hp9c", "reference_id": "GHSA-wpv5-97wm-hp9c", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wpv5-97wm-hp9c" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-wpv5-97wm-hp9c", "reference_id": "GHSA-wpv5-97wm-hp9c", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:19Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-wpv5-97wm-hp9c" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19512", "reference_id": "RHSA-2025:19512", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19512" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19513", "reference_id": "RHSA-2025:19513", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19513" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19647", "reference_id": "RHSA-2025:19647", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19647" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19719", "reference_id": "RHSA-2025:19719", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19719" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19733", "reference_id": "RHSA-2025:19733", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19733" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19734", "reference_id": "RHSA-2025:19734", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19734" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19736", "reference_id": "RHSA-2025:19736", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19736" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19800", "reference_id": "RHSA-2025:19800", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19800" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19948", "reference_id": "RHSA-2025:19948", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19948" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:20962", "reference_id": "RHSA-2025:20962", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:20962" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:21036", "reference_id": "RHSA-2025:21036", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:21036" }, { "reference_url": "https://usn.ubuntu.com/7960-1/", "reference_id": "USN-7960-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7960-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64135?format=api", "purl": "pkg:gem/rack@3.1.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-d58r-22kr-9bct" }, { "vulnerability": "VCID-s971-gkdg-jkhc" }, { "vulnerability": "VCID-skxv-7he3-xqgc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/64137?format=api", "purl": "pkg:gem/rack@3.2.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-d58r-22kr-9bct" }, { "vulnerability": "VCID-s971-gkdg-jkhc" }, { "vulnerability": "VCID-skxv-7he3-xqgc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.2" } ], "aliases": [ "CVE-2025-61772", "GHSA-wpv5-97wm-hp9c" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-azu5-jcmd-3ufx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/16109?format=api", "vulnerability_id": "VCID-c21j-snf1-d3cb", "summary": "Duplicate\nThis advisory duplicates another.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-44572.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-44572.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-44572", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00234", "scoring_system": "epss", "scoring_elements": "0.46307", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00234", "scoring_system": "epss", "scoring_elements": "0.46299", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00234", "scoring_system": "epss", "scoring_elements": "0.46288", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00255", "scoring_system": "epss", "scoring_elements": "0.48764", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00262", "scoring_system": "epss", "scoring_elements": "0.4954", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00262", "scoring_system": "epss", "scoring_elements": "0.49513", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00275", "scoring_system": "epss", "scoring_elements": "0.50985", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00275", "scoring_system": "epss", "scoring_elements": "0.50991", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00275", "scoring_system": "epss", "scoring_elements": "0.50964", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00275", "scoring_system": "epss", "scoring_elements": "0.50948", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00275", "scoring_system": "epss", "scoring_elements": "0.50986", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00298", "scoring_system": "epss", "scoring_elements": "0.53138", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00298", "scoring_system": "epss", "scoring_elements": "0.53192", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00298", "scoring_system": "epss", "scoring_elements": "0.53184", "published_at": "2026-04-09T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-44572" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/releases/tag/v3.0.4.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack/releases/tag/v3.0.4.1" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-44572.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-44572.yml" }, { "reference_url": "https://hackerone.com/reports/1639882", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://hackerone.com/reports/1639882" }, { "reference_url": "https://www.debian.org/security/2023/dsa-5530", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.debian.org/security/2023/dsa-5530" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029832", "reference_id": "1029832", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029832" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164722", "reference_id": "2164722", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164722" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44572", "reference_id": "CVE-2022-44572", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44572" }, { "reference_url": "https://github.com/advisories/GHSA-rqv2-275x-2jq5", "reference_id": "GHSA-rqv2-275x-2jq5", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-rqv2-275x-2jq5" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:6818", "reference_id": "RHSA-2023:6818", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:6818" }, { "reference_url": "https://usn.ubuntu.com/5910-1/", "reference_id": "USN-5910-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/5910-1/" }, { "reference_url": "https://usn.ubuntu.com/7036-1/", "reference_id": "USN-7036-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7036-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/55407?format=api", "purl": "pkg:gem/rack@3.0.4.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-47ja-djzb-2bbw" }, { "vulnerability": "VCID-7p12-ejdu-uqgy" }, { "vulnerability": "VCID-7wvj-9h3p-23am" }, { "vulnerability": "VCID-7zgg-tvu3-r7gt" }, { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-arac-j5h5-zkcu" }, { "vulnerability": "VCID-azu5-jcmd-3ufx" }, { "vulnerability": "VCID-c5sc-7qnn-mkb9" }, { "vulnerability": "VCID-d58r-22kr-9bct" }, { "vulnerability": "VCID-fpg2-nhey-rkcc" }, { "vulnerability": "VCID-gtzk-m9rm-57hw" }, { "vulnerability": "VCID-npag-sz7d-v7b6" }, { "vulnerability": "VCID-s971-gkdg-jkhc" }, { "vulnerability": "VCID-skxv-7he3-xqgc" }, { "vulnerability": "VCID-w732-52bx-2qf8" }, { "vulnerability": "VCID-wt7k-s1yd-nke6" }, { "vulnerability": "VCID-xkah-9nv9-wufd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.4.1" } ], "aliases": [ "CVE-2022-44572", "GHSA-rqv2-275x-2jq5", "GMS-2023-66" ], "risk_score": 3.4, "exploitability": "0.5", "weighted_severity": "6.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c21j-snf1-d3cb" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/21690?format=api", "vulnerability_id": "VCID-c5sc-7qnn-mkb9", "summary": "Rack: Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)\n`Rack::Multipart::Parser` stores non-file form fields (parts without a `filename`) entirely in memory as Ruby `String` objects. A single large text field in a multipart/form-data request (hundreds of megabytes or more) can consume equivalent process memory, potentially leading to out-of-memory (OOM) conditions and denial of service (DoS).", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61771.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61771.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61771", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00098", "scoring_system": "epss", "scoring_elements": "0.26816", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00098", "scoring_system": "epss", "scoring_elements": "0.2688", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00098", "scoring_system": "epss", "scoring_elements": "0.26888", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00098", "scoring_system": "epss", "scoring_elements": "0.26937", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00098", "scoring_system": "epss", "scoring_elements": "0.26999", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00098", "scoring_system": "epss", "scoring_elements": "0.2699", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00098", "scoring_system": "epss", "scoring_elements": "0.27047", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00098", "scoring_system": "epss", "scoring_elements": "0.27091", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00098", "scoring_system": "epss", "scoring_elements": "0.27087", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00098", "scoring_system": "epss", "scoring_elements": "0.27042", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00098", "scoring_system": "epss", "scoring_elements": "0.26973", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00098", "scoring_system": "epss", "scoring_elements": "0.27182", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00098", "scoring_system": "epss", "scoring_elements": "0.27146", "published_at": "2026-04-02T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61771" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61771", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61771" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:58Z/" } ], "url": "https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e" }, { "reference_url": "https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:58Z/" } ], "url": "https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e" }, { "reference_url": "https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:58Z/" } ], "url": "https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117628", "reference_id": "1117628", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117628" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2402175", "reference_id": "2402175", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2402175" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61771", "reference_id": "CVE-2025-61771", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61771" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61771.yml", "reference_id": "CVE-2025-61771.YML", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61771.yml" }, { "reference_url": "https://github.com/advisories/GHSA-w9pc-fmgc-vxvw", "reference_id": "GHSA-w9pc-fmgc-vxvw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w9pc-fmgc-vxvw" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-w9pc-fmgc-vxvw", "reference_id": "GHSA-w9pc-fmgc-vxvw", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:58Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-w9pc-fmgc-vxvw" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19512", "reference_id": "RHSA-2025:19512", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19512" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19513", "reference_id": "RHSA-2025:19513", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19513" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19647", "reference_id": "RHSA-2025:19647", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19647" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19719", "reference_id": "RHSA-2025:19719", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19719" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19734", "reference_id": "RHSA-2025:19734", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19734" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19800", "reference_id": "RHSA-2025:19800", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19800" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19948", "reference_id": "RHSA-2025:19948", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19948" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:20962", "reference_id": "RHSA-2025:20962", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:20962" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:21036", "reference_id": "RHSA-2025:21036", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:21036" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:21696", "reference_id": "RHSA-2025:21696", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:21696" }, { "reference_url": "https://usn.ubuntu.com/7960-1/", "reference_id": "USN-7960-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7960-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64135?format=api", "purl": "pkg:gem/rack@3.1.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-d58r-22kr-9bct" }, { "vulnerability": "VCID-s971-gkdg-jkhc" }, { "vulnerability": "VCID-skxv-7he3-xqgc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/64137?format=api", "purl": "pkg:gem/rack@3.2.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-d58r-22kr-9bct" }, { "vulnerability": "VCID-s971-gkdg-jkhc" }, { "vulnerability": "VCID-skxv-7he3-xqgc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.2" } ], "aliases": [ "CVE-2025-61771", "GHSA-w9pc-fmgc-vxvw" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c5sc-7qnn-mkb9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/21773?format=api", "vulnerability_id": "VCID-d58r-22kr-9bct", "summary": "Rack has a Possible Information Disclosure Vulnerability\nA possible information disclosure vulnerability existed in `Rack::Sendfile` when running behind a proxy that supports `x-sendfile` headers (such as Nginx). Specially crafted headers could cause `Rack::Sendfile` to miscommunicate with the proxy and trigger unintended internal requests, potentially bypassing proxy-level access restrictions.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61780.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61780.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61780", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10285", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10343", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10351", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10369", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10238", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10267", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10328", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10418", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10462", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10434", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10368", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10294", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10394", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10396", "published_at": "2026-04-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61780" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61780", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61780" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/commit/57277b7741581fa827472c5c666f6e6a33abd784", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:34:55Z/" } ], "url": "https://github.com/rack/rack/commit/57277b7741581fa827472c5c666f6e6a33abd784" }, { "reference_url": "https://github.com/rack/rack/commit/7e69f65eefe9cd2868df9f9f3b0977b86f93523a", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:34:55Z/" } ], "url": "https://github.com/rack/rack/commit/7e69f65eefe9cd2868df9f9f3b0977b86f93523a" }, { "reference_url": "https://github.com/rack/rack/commit/fba2c8bc63eb787ff4b19bc612d315fda6126d85", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:34:55Z/" } ], "url": "https://github.com/rack/rack/commit/fba2c8bc63eb787ff4b19bc612d315fda6126d85" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117855", "reference_id": "1117855", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117855" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2403126", "reference_id": "2403126", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2403126" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61780", "reference_id": "CVE-2025-61780", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61780" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61780.yml", "reference_id": "CVE-2025-61780.YML", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61780.yml" }, { "reference_url": "https://github.com/advisories/GHSA-r657-rxjc-j557", "reference_id": "GHSA-r657-rxjc-j557", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r657-rxjc-j557" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-r657-rxjc-j557", "reference_id": "GHSA-r657-rxjc-j557", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:34:55Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-r657-rxjc-j557" }, { "reference_url": "https://usn.ubuntu.com/7960-1/", "reference_id": "USN-7960-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7960-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64226?format=api", "purl": "pkg:gem/rack@3.1.18", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-skxv-7he3-xqgc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.18" }, { "url": "http://public2.vulnerablecode.io/api/packages/64227?format=api", "purl": "pkg:gem/rack@3.2.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-skxv-7he3-xqgc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.3" } ], "aliases": [ "CVE-2025-61780", "GHSA-r657-rxjc-j557" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-d58r-22kr-9bct" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/349408?format=api", "vulnerability_id": "VCID-dh75-6jyw-1ke2", "summary": "Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Multipart::Parser#handle_mime_head parses quoted multipart parameters such as Content-Disposition: form-data; name=\"...\" using repeated String#index searches combined with String#slice! prefix deletion. For escape-heavy quoted values, this causes super-linear processing. An unauthenticated attacker can send a crafted multipart/form-data request containing many parts with long backslash-escaped parameter values to trigger excessive CPU usage during multipart parsing. This results in a denial of service condition in Rack applications that accept multipart form data. This issue has been patched in versions 3.1.21 and 3.2.6.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34827.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34827.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34827", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.04384", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00017", "scoring_system": "epss", "scoring_elements": "0.04367", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05595", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05596", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.1247", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12659", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00054", "scoring_system": "epss", "scoring_elements": "0.16916", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00054", "scoring_system": "epss", "scoring_elements": "0.17112", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00054", "scoring_system": "epss", "scoring_elements": "0.17088", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00054", "scoring_system": "epss", "scoring_elements": "0.17041", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00054", "scoring_system": "epss", "scoring_elements": "0.1698", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00054", "scoring_system": "epss", "scoring_elements": "0.16918", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00054", "scoring_system": "epss", "scoring_elements": "0.17054", "published_at": "2026-04-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34827" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34827", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34827" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-v6x5-cg8r-vv6x", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-02T18:42:04Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-v6x5-cg8r-vv6x" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34827", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34827" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454501", "reference_id": "2454501", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454501" }, { "reference_url": "https://github.com/advisories/GHSA-v6x5-cg8r-vv6x", "reference_id": "GHSA-v6x5-cg8r-vv6x", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v6x5-cg8r-vv6x" }, { "reference_url": "https://usn.ubuntu.com/8182-1/", "reference_id": "USN-8182-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8182-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994090?format=api", "purl": "pkg:gem/rack@3.1.21", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.21" }, { "url": "http://public2.vulnerablecode.io/api/packages/994091?format=api", "purl": "pkg:gem/rack@3.2.6", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.6" } ], "aliases": [ "CVE-2026-34827", "GHSA-v6x5-cg8r-vv6x" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dh75-6jyw-1ke2" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/15123?format=api", "vulnerability_id": "VCID-gtzk-m9rm-57hw", "summary": "Rack Header Parsing leads to Possible Denial of Service Vulnerability\n# Possible Denial of Service Vulnerability in Rack Header Parsing\n\nThere is a possible denial of service vulnerability in the header parsing\nroutines in Rack. This vulnerability has been assigned the CVE identifier\nCVE-2024-26146.\n\nVersions Affected: All.\nNot affected: None\nFixed Versions: 2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1\n\nImpact\n------\nCarefully crafted headers can cause header parsing in Rack to take longer than\nexpected resulting in a possible denial of service issue. Accept and Forwarded\nheaders are impacted.\n\nRuby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2\nor newer are unaffected.\n\nReleases\n--------\nThe fixed releases are available at the normal locations.\n\nWorkarounds\n-----------\nThere are no feasible workarounds for this issue.\n\nPatches\n-------\nTo aid users who aren't able to upgrade immediately we have provided patches for\nthe two supported release series. They are in git-am format and consist of a\nsingle changeset.\n\n* 2-0-header-redos.patch - Patch for 2.0 series\n* 2-1-header-redos.patch - Patch for 2.1 series\n* 2-2-header-redos.patch - Patch for 2.2 series\n* 3-0-header-redos.patch - Patch for 3.0 series\n\nCredits\n-------\n\nThanks to [svalkanov](https://hackerone.com/svalkanov) for reporting this and\nproviding patches!", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26146.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26146.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26146", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00644", "scoring_system": "epss", "scoring_elements": "0.70676", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00699", "scoring_system": "epss", "scoring_elements": "0.71937", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00699", "scoring_system": "epss", "scoring_elements": "0.71956", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00714", "scoring_system": "epss", "scoring_elements": "0.72332", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00714", "scoring_system": "epss", "scoring_elements": "0.7241", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00714", "scoring_system": "epss", "scoring_elements": "0.72401", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00714", "scoring_system": "epss", "scoring_elements": "0.72371", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00714", "scoring_system": "epss", "scoring_elements": "0.72361", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00714", "scoring_system": "epss", "scoring_elements": "0.7232", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00714", "scoring_system": "epss", "scoring_elements": "0.72348", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00775", "scoring_system": "epss", "scoring_elements": "0.73588", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00775", "scoring_system": "epss", "scoring_elements": "0.73601", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00775", "scoring_system": "epss", "scoring_elements": "0.73552", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00775", "scoring_system": "epss", "scoring_elements": "0.73684", "published_at": "2026-04-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2024-26146" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25126", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-25126" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26141", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26141" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26146", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-26146" }, { "reference_url": "https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/" } ], "url": "https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/" } ], "url": "https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716" }, { "reference_url": "https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/" } ], "url": "https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582" }, { "reference_url": "https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/" } ], "url": "https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f" }, { "reference_url": "https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/" } ], "url": "https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26146", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-26146" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064516", "reference_id": "1064516", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064516" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2265595", "reference_id": "2265595", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2265595" }, { "reference_url": "https://github.com/advisories/GHSA-54rr-7fvw-6x8f", "reference_id": "GHSA-54rr-7fvw-6x8f", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-54rr-7fvw-6x8f" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20240510-0006/", "reference_id": "ntap-20240510-0006", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/" } ], "url": "https://security.netapp.com/advisory/ntap-20240510-0006/" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:10806", "reference_id": "RHSA-2024:10806", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:10806" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:1841", "reference_id": "RHSA-2024:1841", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:1841" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:1846", "reference_id": "RHSA-2024:1846", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:1846" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:2007", "reference_id": "RHSA-2024:2007", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:2007" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:2113", "reference_id": "RHSA-2024:2113", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:2113" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:2581", "reference_id": "RHSA-2024:2581", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:2581" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:2584", "reference_id": "RHSA-2024:2584", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:2584" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:2953", "reference_id": "RHSA-2024:2953", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:2953" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2024:3431", "reference_id": "RHSA-2024:3431", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2024:3431" }, { "reference_url": "https://usn.ubuntu.com/6689-1/", "reference_id": "USN-6689-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6689-1/" }, { "reference_url": "https://usn.ubuntu.com/6837-1/", "reference_id": "USN-6837-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6837-1/" }, { "reference_url": "https://usn.ubuntu.com/6837-2/", "reference_id": "USN-6837-2", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6837-2/" }, { "reference_url": "https://usn.ubuntu.com/7036-1/", "reference_id": "USN-7036-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7036-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/53258?format=api", "purl": "pkg:gem/rack@3.0.9.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-47ja-djzb-2bbw" }, { "vulnerability": "VCID-7p12-ejdu-uqgy" }, { "vulnerability": "VCID-7wvj-9h3p-23am" }, { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-azu5-jcmd-3ufx" }, { "vulnerability": "VCID-c5sc-7qnn-mkb9" }, { "vulnerability": "VCID-d58r-22kr-9bct" }, { "vulnerability": "VCID-npag-sz7d-v7b6" }, { "vulnerability": "VCID-s971-gkdg-jkhc" }, { "vulnerability": "VCID-skxv-7he3-xqgc" }, { "vulnerability": "VCID-w732-52bx-2qf8" }, { "vulnerability": "VCID-wt7k-s1yd-nke6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.9.1" } ], "aliases": [ "CVE-2024-26146", "GHSA-54rr-7fvw-6x8f" ], "risk_score": 2.4, "exploitability": "0.5", "weighted_severity": "4.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gtzk-m9rm-57hw" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/349270?format=api", "vulnerability_id": "VCID-j34j-bgfd-8fez", "summary": "Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21 and 3.2.0 to before 3.2.6, Rack::Utils.forwarded_values parses the RFC 7239 Forwarded header by splitting on semicolons before handling quoted-string values. Because quoted values may legally contain semicolons, a header can be interpreted by Rack as multiple Forwarded directives rather than as a single quoted for value. In deployments where an upstream proxy, WAF, or intermediary validates or preserves quoted Forwarded values differently, this discrepancy can allow an attacker to smuggle host, proto, for, or by parameters through a single header value. This issue has been patched in versions 3.1.21 and 3.2.6.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-32762.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-32762.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32762", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.07801", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.0776", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.10714", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.10738", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.1077", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.10755", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.10699", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.10592", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.10578", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00044", "scoring_system": "epss", "scoring_elements": "0.13418", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00044", "scoring_system": "epss", "scoring_elements": "0.13544", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00044", "scoring_system": "epss", "scoring_elements": "0.13555", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00044", "scoring_system": "epss", "scoring_elements": "0.13527", "published_at": "2026-04-26T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-32762" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-32762", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-32762" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32762", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32762" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454489", "reference_id": "2454489", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454489" }, { "reference_url": "https://github.com/advisories/GHSA-qfgr-crr9-7r49", "reference_id": "GHSA-qfgr-crr9-7r49", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qfgr-crr9-7r49" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-qfgr-crr9-7r49", "reference_id": "GHSA-qfgr-crr9-7r49", "reference_type": "", "scores": [ { "value": "4.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T17:42:32Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-qfgr-crr9-7r49" }, { "reference_url": "https://usn.ubuntu.com/8182-1/", "reference_id": "USN-8182-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8182-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994090?format=api", "purl": "pkg:gem/rack@3.1.21", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.21" }, { "url": "http://public2.vulnerablecode.io/api/packages/994091?format=api", "purl": "pkg:gem/rack@3.2.6", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.6" } ], "aliases": [ "CVE-2026-32762", "GHSA-qfgr-crr9-7r49" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-j34j-bgfd-8fez" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/349256?format=api", "vulnerability_id": "VCID-jg77-mm5c-gydu", "summary": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Directory interpolates the configured root path directly into a regular expression when deriving the displayed directory path. If root contains regex metacharacters such as +, *, or ., the prefix stripping can fail and the generated directory listing may expose the full filesystem path in the HTML output. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34763.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34763.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34763", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.07801", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00028", "scoring_system": "epss", "scoring_elements": "0.0776", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.10738", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.1077", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.10755", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.10699", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.10578", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00036", "scoring_system": "epss", "scoring_elements": "0.10714", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11277", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11321", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11443", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11388", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11346", "published_at": "2026-04-26T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34763" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34763", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34763" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34763", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34763" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454498", "reference_id": "2454498", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454498" }, { "reference_url": "https://github.com/advisories/GHSA-7mqq-6cf9-v2qp", "reference_id": "GHSA-7mqq-6cf9-v2qp", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7mqq-6cf9-v2qp" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-7mqq-6cf9-v2qp", "reference_id": "GHSA-7mqq-6cf9-v2qp", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-02T17:41:04Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-7mqq-6cf9-v2qp" }, { "reference_url": "https://usn.ubuntu.com/8182-1/", "reference_id": "USN-8182-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8182-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994090?format=api", "purl": "pkg:gem/rack@3.1.21", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.21" }, { "url": "http://public2.vulnerablecode.io/api/packages/994091?format=api", "purl": "pkg:gem/rack@3.2.6", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.6" } ], "aliases": [ "CVE-2026-34763", "GHSA-7mqq-6cf9-v2qp" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-jg77-mm5c-gydu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/349406?format=api", "vulnerability_id": "VCID-m98a-mcyb-c7fm", "summary": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static#applicable_rules evaluates several header_rules types against the raw URL-encoded PATH_INFO, while the underlying file-serving path is decoded before the file is served. As a result, a request for a URL-encoded variant of a static path can serve the same file without the headers that header_rules were intended to apply. In deployments that rely on Rack::Static to attach security-relevant response headers to static content, this can allow an attacker to bypass those headers by requesting an encoded form of the path. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34786.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34786.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34786", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00029", "scoring_system": "epss", "scoring_elements": "0.08219", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00029", "scoring_system": "epss", "scoring_elements": "0.08165", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11407", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.1144", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11434", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11376", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11236", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11377", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.11977", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12015", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12129", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.1211", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12077", "published_at": "2026-04-26T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34786" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34786", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34786" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-q4qf-9j86-f5mh", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-03T17:37:20Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-q4qf-9j86-f5mh" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34786", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34786" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454507", "reference_id": "2454507", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454507" }, { "reference_url": "https://github.com/advisories/GHSA-q4qf-9j86-f5mh", "reference_id": "GHSA-q4qf-9j86-f5mh", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-q4qf-9j86-f5mh" }, { "reference_url": "https://usn.ubuntu.com/8182-1/", "reference_id": "USN-8182-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8182-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994090?format=api", "purl": "pkg:gem/rack@3.1.21", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.21" }, { "url": "http://public2.vulnerablecode.io/api/packages/994091?format=api", "purl": "pkg:gem/rack@3.2.6", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.6" } ], "aliases": [ "CVE-2026-34786", "GHSA-q4qf-9j86-f5mh" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-m98a-mcyb-c7fm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/349407?format=api", "vulnerability_id": "VCID-metf-cghw-p3b5", "summary": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.get_byte_ranges parses the HTTP Range header without limiting the number of individual byte ranges. Although the existing fix for CVE-2024-26141 rejects ranges whose total byte coverage exceeds the file size, it does not restrict the count of ranges. An attacker can supply many small overlapping ranges such as 0-0,0-0,0-0,... to trigger disproportionate CPU, memory, I/O, and bandwidth consumption per request. This results in a denial of service condition in Rack file-serving paths that process multipart byte range responses. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34826.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34826.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34826", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05145", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05146", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05104", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00019", "scoring_system": "epss", "scoring_elements": "0.05072", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00039", "scoring_system": "epss", "scoring_elements": "0.11569", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00039", "scoring_system": "epss", "scoring_elements": "0.11785", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.15709", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.15857", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.1592", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.15894", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.15856", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.15787", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00058", "scoring_system": "epss", "scoring_elements": "0.18187", "published_at": "2026-04-18T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34826" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34826", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34826" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-x8cg-fq8g-mxfx", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-02T18:42:34Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-x8cg-fq8g-mxfx" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34826", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34826" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454508", "reference_id": "2454508", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454508" }, { "reference_url": "https://github.com/advisories/GHSA-x8cg-fq8g-mxfx", "reference_id": "GHSA-x8cg-fq8g-mxfx", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-x8cg-fq8g-mxfx" }, { "reference_url": "https://usn.ubuntu.com/8182-1/", "reference_id": "USN-8182-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8182-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994090?format=api", "purl": "pkg:gem/rack@3.1.21", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.21" }, { "url": "http://public2.vulnerablecode.io/api/packages/994091?format=api", "purl": "pkg:gem/rack@3.2.6", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.6" } ], "aliases": [ "CVE-2026-34826", "GHSA-x8cg-fq8g-mxfx" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-metf-cghw-p3b5" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/21709?format=api", "vulnerability_id": "VCID-npag-sz7d-v7b6", "summary": "Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion)\n`Rack::Multipart::Parser` buffers the entire multipart **preamble** (bytes before the first boundary) in memory without any size limit. A client can send a large preamble followed by a valid boundary, causing significant memory use and potential process termination due to out-of-memory (OOM) conditions.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61770.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61770.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61770", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00158", "scoring_system": "epss", "scoring_elements": "0.3632", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00158", "scoring_system": "epss", "scoring_elements": "0.36408", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00158", "scoring_system": "epss", "scoring_elements": "0.36438", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00158", "scoring_system": "epss", "scoring_elements": "0.36663", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00158", "scoring_system": "epss", "scoring_elements": "0.36723", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00158", "scoring_system": "epss", "scoring_elements": "0.3674", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00158", "scoring_system": "epss", "scoring_elements": "0.36812", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00158", "scoring_system": "epss", "scoring_elements": "0.36721", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00158", "scoring_system": "epss", "scoring_elements": "0.36756", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00158", "scoring_system": "epss", "scoring_elements": "0.36747", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00158", "scoring_system": "epss", "scoring_elements": "0.3673", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00158", "scoring_system": "epss", "scoring_elements": "0.3668", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00158", "scoring_system": "epss", "scoring_elements": "0.36844", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00158", "scoring_system": "epss", "scoring_elements": "0.36695", "published_at": "2026-04-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61770" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61770", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61770" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T15:23:07Z/" } ], "url": "https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e" }, { "reference_url": "https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T15:23:07Z/" } ], "url": "https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e" }, { "reference_url": "https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T15:23:07Z/" } ], "url": "https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117627", "reference_id": "1117627", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117627" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2402174", "reference_id": "2402174", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2402174" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61770", "reference_id": "CVE-2025-61770", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61770" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61770.yml", "reference_id": "CVE-2025-61770.YML", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61770.yml" }, { "reference_url": "https://github.com/advisories/GHSA-p543-xpfm-54cp", "reference_id": "GHSA-p543-xpfm-54cp", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p543-xpfm-54cp" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-p543-xpfm-54cp", "reference_id": "GHSA-p543-xpfm-54cp", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T15:23:07Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-p543-xpfm-54cp" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19512", "reference_id": "RHSA-2025:19512", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19512" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19513", "reference_id": "RHSA-2025:19513", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19513" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19647", "reference_id": "RHSA-2025:19647", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19647" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19719", "reference_id": "RHSA-2025:19719", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19719" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19733", "reference_id": "RHSA-2025:19733", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19733" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19734", "reference_id": "RHSA-2025:19734", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19734" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19736", "reference_id": "RHSA-2025:19736", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19736" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19800", "reference_id": "RHSA-2025:19800", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19800" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19948", "reference_id": "RHSA-2025:19948", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19948" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:20962", "reference_id": "RHSA-2025:20962", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:20962" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:21036", "reference_id": "RHSA-2025:21036", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:21036" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:21696", "reference_id": "RHSA-2025:21696", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:21696" }, { "reference_url": "https://usn.ubuntu.com/7960-1/", "reference_id": "USN-7960-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7960-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64135?format=api", "purl": "pkg:gem/rack@3.1.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-d58r-22kr-9bct" }, { "vulnerability": "VCID-s971-gkdg-jkhc" }, { "vulnerability": "VCID-skxv-7he3-xqgc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/64137?format=api", "purl": "pkg:gem/rack@3.2.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-d58r-22kr-9bct" }, { "vulnerability": "VCID-s971-gkdg-jkhc" }, { "vulnerability": "VCID-skxv-7he3-xqgc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.2" } ], "aliases": [ "CVE-2025-61770", "GHSA-p543-xpfm-54cp" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-npag-sz7d-v7b6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/349405?format=api", "vulnerability_id": "VCID-p3dk-p1gb-kkem", "summary": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.select_best_encoding processes Accept-Encoding values with quadratic time complexity when the header contains many wildcard (*) entries. Because this method is used by Rack::Deflater to choose a response encoding, an unauthenticated attacker can send a single request with a crafted Accept-Encoding header and cause disproportionate CPU consumption on the compression middleware path. This results in a denial of service condition for applications using Rack::Deflater. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34230.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34230.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34230", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05617", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05616", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.0558", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.0002", "scoring_system": "epss", "scoring_elements": "0.05546", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00039", "scoring_system": "epss", "scoring_elements": "0.11666", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00039", "scoring_system": "epss", "scoring_elements": "0.1188", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.15979", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.16042", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.16019", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.15981", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.15912", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00051", "scoring_system": "epss", "scoring_elements": "0.15838", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00063", "scoring_system": "epss", "scoring_elements": "0.19615", "published_at": "2026-04-18T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34230" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34230", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34230" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-v569-hp3g-36wr", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-02T18:56:03Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-v569-hp3g-36wr" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34230", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34230" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454493", "reference_id": "2454493", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454493" }, { "reference_url": "https://github.com/advisories/GHSA-v569-hp3g-36wr", "reference_id": "GHSA-v569-hp3g-36wr", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-v569-hp3g-36wr" }, { "reference_url": "https://usn.ubuntu.com/8182-1/", "reference_id": "USN-8182-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8182-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994090?format=api", "purl": "pkg:gem/rack@3.1.21", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.21" }, { "url": "http://public2.vulnerablecode.io/api/packages/994091?format=api", "purl": "pkg:gem/rack@3.2.6", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.6" } ], "aliases": [ "CVE-2026-34230", "GHSA-v569-hp3g-36wr" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-p3dk-p1gb-kkem" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/349228?format=api", "vulnerability_id": "VCID-pbu7-4hdm-s3a6", "summary": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Sendfile#map_accel_path interpolates the value of the X-Accel-Mapping request header directly into a regular expression when rewriting file paths for X-Accel-Redirect. Because the header value is not escaped, an attacker who can supply X-Accel-Mapping to the backend can inject regex metacharacters and control the generated X-Accel-Redirect response header. In deployments using Rack::Sendfile with x-accel-redirect, this can allow an attacker to cause nginx to serve unintended files from configured internal locations. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34830.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-34830.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34830", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00031", "scoring_system": "epss", "scoring_elements": "0.08839", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00031", "scoring_system": "epss", "scoring_elements": "0.08773", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12361", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12399", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12391", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12341", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12223", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00041", "scoring_system": "epss", "scoring_elements": "0.12323", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.129", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.12919", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13017", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13038", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00043", "scoring_system": "epss", "scoring_elements": "0.13006", "published_at": "2026-04-26T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-34830" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34830", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-34830" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34830", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34830" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454510", "reference_id": "2454510", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454510" }, { "reference_url": "https://github.com/advisories/GHSA-qv7j-4883-hwh7", "reference_id": "GHSA-qv7j-4883-hwh7", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-qv7j-4883-hwh7" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-qv7j-4883-hwh7", "reference_id": "GHSA-qv7j-4883-hwh7", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-02T18:59:36Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-qv7j-4883-hwh7" }, { "reference_url": "https://usn.ubuntu.com/8182-1/", "reference_id": "USN-8182-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8182-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994090?format=api", "purl": "pkg:gem/rack@3.1.21", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.21" }, { "url": "http://public2.vulnerablecode.io/api/packages/994091?format=api", "purl": "pkg:gem/rack@3.2.6", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.6" } ], "aliases": [ "CVE-2026-34830", "GHSA-qv7j-4883-hwh7" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-pbu7-4hdm-s3a6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/21764?format=api", "vulnerability_id": "VCID-s971-gkdg-jkhc", "summary": "Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing\n`Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61919.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61919.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61919", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00221", "scoring_system": "epss", "scoring_elements": "0.44561", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00221", "scoring_system": "epss", "scoring_elements": "0.44639", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00221", "scoring_system": "epss", "scoring_elements": "0.44632", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00221", "scoring_system": "epss", "scoring_elements": "0.44713", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00221", "scoring_system": "epss", "scoring_elements": "0.44784", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00221", "scoring_system": "epss", "scoring_elements": "0.44791", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00221", "scoring_system": "epss", "scoring_elements": "0.44736", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00221", "scoring_system": "epss", "scoring_elements": "0.44735", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00221", "scoring_system": "epss", "scoring_elements": "0.44767", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00221", "scoring_system": "epss", "scoring_elements": "0.4475", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00221", "scoring_system": "epss", "scoring_elements": "0.44748", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00221", "scoring_system": "epss", "scoring_elements": "0.44695", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00221", "scoring_system": "epss", "scoring_elements": "0.44756", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00221", "scoring_system": "epss", "scoring_elements": "0.44737", "published_at": "2026-04-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61919" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61919", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61919" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/commit/4e2c903991a790ee211a3021808ff4fd6fe82881", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:48:10Z/" } ], "url": "https://github.com/rack/rack/commit/4e2c903991a790ee211a3021808ff4fd6fe82881" }, { "reference_url": "https://github.com/rack/rack/commit/cbd541e8a3d0c5830a3c9a30d3718ce2e124f9db", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:48:10Z/" } ], "url": "https://github.com/rack/rack/commit/cbd541e8a3d0c5830a3c9a30d3718ce2e124f9db" }, { "reference_url": "https://github.com/rack/rack/commit/e179614c4a653283286f5f046428cbb85f21146f", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:48:10Z/" } ], "url": "https://github.com/rack/rack/commit/e179614c4a653283286f5f046428cbb85f21146f" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117856", "reference_id": "1117856", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117856" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2403180", "reference_id": "2403180", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2403180" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61919", "reference_id": "CVE-2025-61919", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61919" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61919.yml", "reference_id": "CVE-2025-61919.YML", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61919.yml" }, { "reference_url": "https://github.com/advisories/GHSA-6xw4-3v39-52mm", "reference_id": "GHSA-6xw4-3v39-52mm", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6xw4-3v39-52mm" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-6xw4-3v39-52mm", "reference_id": "GHSA-6xw4-3v39-52mm", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:48:10Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-6xw4-3v39-52mm" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19512", "reference_id": "RHSA-2025:19512", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19512" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19513", "reference_id": "RHSA-2025:19513", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19513" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19647", "reference_id": "RHSA-2025:19647", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19647" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19719", "reference_id": "RHSA-2025:19719", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19719" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19733", "reference_id": "RHSA-2025:19733", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19733" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19734", "reference_id": "RHSA-2025:19734", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19734" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19736", "reference_id": "RHSA-2025:19736", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19736" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19800", "reference_id": "RHSA-2025:19800", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19800" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19832", "reference_id": "RHSA-2025:19832", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19832" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19855", "reference_id": "RHSA-2025:19855", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19855" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19856", "reference_id": "RHSA-2025:19856", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19856" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19948", "reference_id": "RHSA-2025:19948", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19948" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:20962", "reference_id": "RHSA-2025:20962", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:20962" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:21036", "reference_id": "RHSA-2025:21036", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:21036" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:21696", "reference_id": "RHSA-2025:21696", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:21696" }, { "reference_url": "https://usn.ubuntu.com/7960-1/", "reference_id": "USN-7960-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7960-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64226?format=api", "purl": "pkg:gem/rack@3.1.18", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-skxv-7he3-xqgc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.18" }, { "url": "http://public2.vulnerablecode.io/api/packages/64227?format=api", "purl": "pkg:gem/rack@3.2.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-skxv-7he3-xqgc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.3" } ], "aliases": [ "CVE-2025-61919", "GHSA-6xw4-3v39-52mm" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-s971-gkdg-jkhc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/21804?format=api", "vulnerability_id": "VCID-skxv-7he3-xqgc", "summary": "Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href\n## Summary\n\n`Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename begins with the `javascript:` scheme (e.g. `javascript:alert(1)`), the generated index includes an anchor whose `href` attribute is exactly `javascript:alert(1)`. Clicking this entry executes arbitrary JavaScript in the context of the hosting application.\n\nThis results in a client-side XSS condition in directory listings generated by `Rack::Directory`.\n\n## Details\n\n`Rack::Directory` renders directory entries using an HTML row template similar to:\n\n```html\n<a href='%s'>%s</a>\n```\n\nThe `%s` placeholder is populated directly with the file’s basename. If the basename begins with `javascript:`, the resulting HTML contains an executable JavaScript URL:\n\n```html\n<a href='javascript:alert(1)'>javascript:alert(1)</a>\n```\n\nBecause the value is inserted directly into the `href` attribute without scheme validation or normalization, browsers interpret it as a JavaScript URI. When a user clicks the link, the JavaScript executes in the origin of the Rack application.\n\n## Impact\n\nIf `Rack::Directory` is used to expose filesystem contents over HTTP, an attacker who can create or upload files within that directory may introduce a malicious filename beginning with `javascript:`.\n\nWhen a user visits the directory listing and clicks the entry, arbitrary JavaScript executes in the application's origin. Exploitation requires user interaction (clicking the malicious entry).\n\n## Mitigation\n\n* Update to a patched version of Rack in which `Rack::Directory` prefixes generated anchors with a relative path indicator (e.g. `./filename`).\n* Avoid exposing user-controlled directories via `Rack::Directory`.\n* Apply a strict Content Security Policy (CSP) to reduce impact of potential client-side execution issues.\n* Where feasible, restrict or sanitize uploaded filenames to disallow dangerous URI scheme prefixes.\n\nHackerOne profile:\nhttps://hackerone.com/thesmartshadow\n\nGitHub account owner:\nAli Firas (@thesmartshadow)", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25500.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25500.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25500", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.0597", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05935", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05903", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05759", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05751", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05787", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05793", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05801", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05822", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05797", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05758", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05724", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00021", "scoring_system": "epss", "scoring_elements": "0.05764", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.06915", "published_at": "2026-04-29T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25500" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25500", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25500" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/commit/f2f225f297b99fbee3d9f51255d41f601fc40aff", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-18T19:42:04Z/" } ], "url": "https://github.com/rack/rack/commit/f2f225f297b99fbee3d9f51255d41f601fc40aff" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-18T19:42:04Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-25500.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-25500.yml" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25500", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25500" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128480", "reference_id": "1128480", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128480" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440738", "reference_id": "2440738", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440738" }, { "reference_url": "https://github.com/advisories/GHSA-whrj-4476-wvmp", "reference_id": "GHSA-whrj-4476-wvmp", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-whrj-4476-wvmp" }, { "reference_url": "https://usn.ubuntu.com/8066-1/", "reference_id": "USN-8066-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8066-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64152?format=api", "purl": "pkg:gem/rack@3.1.20", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.20" }, { "url": "http://public2.vulnerablecode.io/api/packages/64153?format=api", "purl": "pkg:gem/rack@3.2.5", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.5" } ], "aliases": [ "CVE-2026-25500", "GHSA-whrj-4476-wvmp" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-skxv-7he3-xqgc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/16099?format=api", "vulnerability_id": "VCID-vkrw-y1j6-6fe7", "summary": "Duplicate\nThis advisory duplicates another.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-44571.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-44571.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2022-44571", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.02882", "scoring_system": "epss", "scoring_elements": "0.86342", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.02882", "scoring_system": "epss", "scoring_elements": "0.86333", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.02882", "scoring_system": "epss", "scoring_elements": "0.86313", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.03121", "scoring_system": "epss", "scoring_elements": "0.86889", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.03289", "scoring_system": "epss", "scoring_elements": "0.87172", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.03289", "scoring_system": "epss", "scoring_elements": "0.87155", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.03631", "scoring_system": "epss", "scoring_elements": "0.87801", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.03631", "scoring_system": "epss", "scoring_elements": "0.87822", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.03631", "scoring_system": "epss", "scoring_elements": "0.87829", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.03631", "scoring_system": "epss", "scoring_elements": "0.87841", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.03631", "scoring_system": "epss", "scoring_elements": "0.87835", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.03631", "scoring_system": "epss", "scoring_elements": "0.87833", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.03631", "scoring_system": "epss", "scoring_elements": "0.87847", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.03631", "scoring_system": "epss", "scoring_elements": "0.87846", "published_at": "2026-04-18T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2022-44571" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539" }, { "reference_url": "https://discuss.rubyonrails.org/t/cve-2022-44571-possible-denial-of-service-vulnerability-in-rack-content-disposition-parsing/82126", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://discuss.rubyonrails.org/t/cve-2022-44571-possible-denial-of-service-vulnerability-in-rack-content-disposition-parsing/82126" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.9", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/releases/tag/v3.0.4.1", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack/releases/tag/v3.0.4.1" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-44571.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2022-44571.yml" }, { "reference_url": "https://www.debian.org/security/2023/dsa-5530", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://www.debian.org/security/2023/dsa-5530" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029832", "reference_id": "1029832", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1029832" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164714", "reference_id": "2164714", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2164714" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44571", "reference_id": "CVE-2022-44571", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-44571" }, { "reference_url": "https://github.com/advisories/GHSA-93pm-5p5f-3ghx", "reference_id": "GHSA-93pm-5p5f-3ghx", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-93pm-5p5f-3ghx" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:6818", "reference_id": "RHSA-2023:6818", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:6818" }, { "reference_url": "https://usn.ubuntu.com/5910-1/", "reference_id": "USN-5910-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/5910-1/" }, { "reference_url": "https://usn.ubuntu.com/7036-1/", "reference_id": "USN-7036-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7036-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/55407?format=api", "purl": "pkg:gem/rack@3.0.4.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-47ja-djzb-2bbw" }, { "vulnerability": "VCID-7p12-ejdu-uqgy" }, { "vulnerability": "VCID-7wvj-9h3p-23am" }, { "vulnerability": "VCID-7zgg-tvu3-r7gt" }, { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-arac-j5h5-zkcu" }, { "vulnerability": "VCID-azu5-jcmd-3ufx" }, { "vulnerability": "VCID-c5sc-7qnn-mkb9" }, { "vulnerability": "VCID-d58r-22kr-9bct" }, { "vulnerability": "VCID-fpg2-nhey-rkcc" }, { "vulnerability": "VCID-gtzk-m9rm-57hw" }, { "vulnerability": "VCID-npag-sz7d-v7b6" }, { "vulnerability": "VCID-s971-gkdg-jkhc" }, { "vulnerability": "VCID-skxv-7he3-xqgc" }, { "vulnerability": "VCID-w732-52bx-2qf8" }, { "vulnerability": "VCID-wt7k-s1yd-nke6" }, { "vulnerability": "VCID-xkah-9nv9-wufd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.4.1" } ], "aliases": [ "CVE-2022-44571", "GHSA-93pm-5p5f-3ghx", "GMS-2023-65" ], "risk_score": 3.4, "exploitability": "0.5", "weighted_severity": "6.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-vkrw-y1j6-6fe7" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/349404?format=api", "vulnerability_id": "VCID-wvs1-dhwp-ebat", "summary": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the boundary parameter from multipart/form-data using a greedy regular expression. When a Content-Type header contains multiple boundary parameters, Rack selects the last one rather than the first. In deployments where an upstream proxy, WAF, or intermediary interprets the first boundary parameter, this mismatch can allow an attacker to smuggle multipart content past upstream inspection and have Rack parse a different body structure than the intermediary validated. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26961.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-26961.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26961", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.0217", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02146", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02155", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00013", "scoring_system": "epss", "scoring_elements": "0.02185", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00029", "scoring_system": "epss", "scoring_elements": "0.08165", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00029", "scoring_system": "epss", "scoring_elements": "0.08219", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11376", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11434", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.1144", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11407", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11377", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00038", "scoring_system": "epss", "scoring_elements": "0.11236", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.0004", "scoring_system": "epss", "scoring_elements": "0.12015", "published_at": "2026-04-18T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-26961" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26961", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-26961" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-vgpv-f759-9wx3", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-03T17:57:50Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-vgpv-f759-9wx3" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26961", "reference_id": "", "reference_type": "", "scores": [ { "value": "3.7", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26961" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454483", "reference_id": "2454483", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2454483" }, { "reference_url": "https://github.com/advisories/GHSA-vgpv-f759-9wx3", "reference_id": "GHSA-vgpv-f759-9wx3", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-vgpv-f759-9wx3" }, { "reference_url": "https://usn.ubuntu.com/8182-1/", "reference_id": "USN-8182-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8182-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/994090?format=api", "purl": "pkg:gem/rack@3.1.21", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.21" }, { "url": "http://public2.vulnerablecode.io/api/packages/994091?format=api", "purl": "pkg:gem/rack@3.2.6", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.6" } ], "aliases": [ "CVE-2026-26961", "GHSA-vgpv-f759-9wx3" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wvs1-dhwp-ebat" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/16800?format=api", "vulnerability_id": "VCID-xkah-9nv9-wufd", "summary": "Possible Denial of Service Vulnerability in Rack’s header parsing\nThere is a denial of service vulnerability in the header parsing component of Rack. Carefully crafted input can cause header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse headers using Rack (virtually all Rails applications) are impacted. Workarounds Setting `Regexp.timeout` in Ruby 3.2 is a possible workaround.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-27539.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-27539.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2023-27539", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00328", "scoring_system": "epss", "scoring_elements": "0.55793", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00328", "scoring_system": "epss", "scoring_elements": "0.55815", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00335", "scoring_system": "epss", "scoring_elements": "0.56377", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00335", "scoring_system": "epss", "scoring_elements": "0.56407", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00335", "scoring_system": "epss", "scoring_elements": "0.56406", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00335", "scoring_system": "epss", "scoring_elements": "0.56374", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00335", "scoring_system": "epss", "scoring_elements": "0.56392", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00335", "scoring_system": "epss", "scoring_elements": "0.56416", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00335", "scoring_system": "epss", "scoring_elements": "0.56326", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00335", "scoring_system": "epss", "scoring_elements": "0.56306", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00364", "scoring_system": "epss", "scoring_elements": "0.58428", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00364", "scoring_system": "epss", "scoring_elements": "0.58445", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00364", "scoring_system": "epss", "scoring_elements": "0.58487", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00364", "scoring_system": "epss", "scoring_elements": "0.58481", "published_at": "2026-04-08T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2023-27539" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30122" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-30123" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44570" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44571" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-44572" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27530" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27539" }, { "reference_url": "https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/" } ], "url": "https://discuss.rubyonrails.org/t/cve-2023-27539-possible-denial-of-service-vulnerability-in-racks-header-parsing/82466" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/commit/231ef369ad0b542575fb36c74fcfcfabcf6c530c", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/" } ], "url": "https://github.com/rack/rack/commit/231ef369ad0b542575fb36c74fcfcfabcf6c530c" }, { "reference_url": "https://github.com/rack/rack/commit/ee7919ea04303717858be1c3f16b406adc6d8cff", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/" } ], "url": "https://github.com/rack/rack/commit/ee7919ea04303717858be1c3f16b406adc6d8cff" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/" } ], "url": "https://lists.debian.org/debian-lts-announce/2023/04/msg00017.html" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20231208-0016", "reference_id": "", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://security.netapp.com/advisory/ntap-20231208-0016" }, { "reference_url": "https://www.debian.org/security/2023/dsa-5530", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/" } ], "url": "https://www.debian.org/security/2023/dsa-5530" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033264", "reference_id": "1033264", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1033264" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2179649", "reference_id": "2179649", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2179649" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27539", "reference_id": "CVE-2023-27539", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-27539" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2023-27539.yml", "reference_id": "CVE-2023-27539.YML", "reference_type": "", "scores": [ { "value": "LOW", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2023-27539.yml" }, { "reference_url": "https://github.com/advisories/GHSA-c6qg-cjj8-47qp", "reference_id": "GHSA-c6qg-cjj8-47qp", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "LOW", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/" } ], "url": "https://github.com/advisories/GHSA-c6qg-cjj8-47qp" }, { "reference_url": "https://security.netapp.com/advisory/ntap-20231208-0016/", "reference_id": "ntap-20231208-0016", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-01-09T21:22:46Z/" } ], "url": "https://security.netapp.com/advisory/ntap-20231208-0016/" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1953", "reference_id": "RHSA-2023:1953", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1953" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1961", "reference_id": "RHSA-2023:1961", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1961" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:1981", "reference_id": "RHSA-2023:1981", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:1981" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:2652", "reference_id": "RHSA-2023:2652", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:2652" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3082", "reference_id": "RHSA-2023:3082", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3082" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3403", "reference_id": "RHSA-2023:3403", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3403" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:3495", "reference_id": "RHSA-2023:3495", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:3495" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2023:6818", "reference_id": "RHSA-2023:6818", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2023:6818" }, { "reference_url": "https://usn.ubuntu.com/6689-1/", "reference_id": "USN-6689-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6689-1/" }, { "reference_url": "https://usn.ubuntu.com/6905-1/", "reference_id": "USN-6905-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/6905-1/" }, { "reference_url": "https://usn.ubuntu.com/7036-1/", "reference_id": "USN-7036-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7036-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/56442?format=api", "purl": "pkg:gem/rack@3.0.6.1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-47ja-djzb-2bbw" }, { "vulnerability": "VCID-7p12-ejdu-uqgy" }, { "vulnerability": "VCID-7wvj-9h3p-23am" }, { "vulnerability": "VCID-7zgg-tvu3-r7gt" }, { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-arac-j5h5-zkcu" }, { "vulnerability": "VCID-azu5-jcmd-3ufx" }, { "vulnerability": "VCID-c5sc-7qnn-mkb9" }, { "vulnerability": "VCID-d58r-22kr-9bct" }, { "vulnerability": "VCID-gtzk-m9rm-57hw" }, { "vulnerability": "VCID-npag-sz7d-v7b6" }, { "vulnerability": "VCID-s971-gkdg-jkhc" }, { "vulnerability": "VCID-skxv-7he3-xqgc" }, { "vulnerability": "VCID-w732-52bx-2qf8" }, { "vulnerability": "VCID-wt7k-s1yd-nke6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.6.1" } ], "aliases": [ "CVE-2023-27539", "GHSA-c6qg-cjj8-47qp", "GMS-2023-769" ], "risk_score": 2.4, "exploitability": "0.5", "weighted_severity": "4.8", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xkah-9nv9-wufd" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/29240?format=api", "vulnerability_id": "VCID-7p12-ejdu-uqgy", "summary": "Escape Sequence Injection vulnerability in Rack lead to Possible Log Injection\n## Summary\n\n`Rack::Sendfile` can be exploited by crafting input that includes newline characters to manipulate log entries.\n\n## Details\n\nThe `Rack::Sendfile` middleware logs unsanitized header values from the `X-Sendfile-Type` header. An attacker can exploit this by injecting escape sequences (such as newline characters) into the header, resulting in log injection.\n\n## Impact\n\nThis vulnerability can distort log files, obscure attack traces, and complicate security auditing.\n\n## Mitigation\n\n- Update to the latest version of Rack, or\n- Remove usage of `Rack::Sendfile`.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27111.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27111.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-27111", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00429", "scoring_system": "epss", "scoring_elements": "0.62462", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00429", "scoring_system": "epss", "scoring_elements": "0.62516", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00429", "scoring_system": "epss", "scoring_elements": "0.62496", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00429", "scoring_system": "epss", "scoring_elements": "0.6248", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00429", "scoring_system": "epss", "scoring_elements": "0.62429", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00429", "scoring_system": "epss", "scoring_elements": "0.62431", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00575", "scoring_system": "epss", "scoring_elements": "0.68747", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00604", "scoring_system": "epss", "scoring_elements": "0.6959", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00668", "scoring_system": "epss", "scoring_elements": "0.7132", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00668", "scoring_system": "epss", "scoring_elements": "0.71305", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00668", "scoring_system": "epss", "scoring_elements": "0.71326", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00668", "scoring_system": "epss", "scoring_elements": "0.71369", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.008", "scoring_system": "epss", "scoring_elements": "0.74143", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.008", "scoring_system": "epss", "scoring_elements": "0.74135", "published_at": "2026-04-24T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-27111" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27111", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27111" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/commit/803aa221e8302719715e224f4476e438f2531a53", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-04T15:44:28Z/" } ], "url": "https://github.com/rack/rack/commit/803aa221e8302719715e224f4476e438f2531a53" }, { "reference_url": "https://github.com/rack/rack/commit/aeac570bb8080ca7b53b7f2e2f67498be7ebd30b", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-04T15:44:28Z/" } ], "url": "https://github.com/rack/rack/commit/aeac570bb8080ca7b53b7f2e2f67498be7ebd30b" }, { "reference_url": "https://github.com/rack/rack/commit/b13bc6bfc7506aca3478dc5ac1c2ec6fc53f82a3", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-04T15:44:28Z/" } ], "url": "https://github.com/rack/rack/commit/b13bc6bfc7506aca3478dc5ac1c2ec6fc53f82a3" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v", "reference_id": "", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-04T15:44:28Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-27111.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-27111.yml" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00016.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00016.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27111", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.9", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27111" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1099546", "reference_id": "1099546", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1099546" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2349810", "reference_id": "2349810", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2349810" }, { "reference_url": "https://github.com/advisories/GHSA-8cgq-6mh2-7j6v", "reference_id": "GHSA-8cgq-6mh2-7j6v", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-8cgq-6mh2-7j6v" }, { "reference_url": "https://usn.ubuntu.com/7366-1/", "reference_id": "USN-7366-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7366-1/" }, { "reference_url": "https://usn.ubuntu.com/7366-2/", "reference_id": "USN-7366-2", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7366-2/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/70107?format=api", "purl": "pkg:gem/rack@2.2.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-47ja-djzb-2bbw" }, { "vulnerability": "VCID-7wvj-9h3p-23am" }, { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-azu5-jcmd-3ufx" }, { "vulnerability": "VCID-c5sc-7qnn-mkb9" }, { "vulnerability": "VCID-d58r-22kr-9bct" }, { "vulnerability": "VCID-gdhf-e8q1-kbat" }, { "vulnerability": "VCID-npag-sz7d-v7b6" }, { "vulnerability": "VCID-s971-gkdg-jkhc" }, { "vulnerability": "VCID-skxv-7he3-xqgc" }, { "vulnerability": "VCID-wt7k-s1yd-nke6" }, { "vulnerability": "VCID-xazq-qrm1-9ff6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/67812?format=api", "purl": "pkg:gem/rack@3.0.0.beta1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j61-5e8x-7fbd" }, { "vulnerability": "VCID-2p73-rc9t-rudb" }, { "vulnerability": "VCID-2qba-a6bp-ryak" }, { "vulnerability": "VCID-5twm-pqc2-xyfn" }, { "vulnerability": "VCID-7p12-ejdu-uqgy" }, { "vulnerability": "VCID-7wvj-9h3p-23am" }, { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-arac-j5h5-zkcu" }, { "vulnerability": "VCID-azu5-jcmd-3ufx" }, { "vulnerability": "VCID-c21j-snf1-d3cb" }, { "vulnerability": "VCID-c5sc-7qnn-mkb9" }, { "vulnerability": "VCID-d58r-22kr-9bct" }, { "vulnerability": "VCID-dh75-6jyw-1ke2" }, { "vulnerability": "VCID-gtzk-m9rm-57hw" }, { "vulnerability": "VCID-j34j-bgfd-8fez" }, { "vulnerability": "VCID-jg77-mm5c-gydu" }, { "vulnerability": "VCID-m98a-mcyb-c7fm" }, { "vulnerability": "VCID-metf-cghw-p3b5" }, { "vulnerability": "VCID-npag-sz7d-v7b6" }, { "vulnerability": "VCID-p3dk-p1gb-kkem" }, { "vulnerability": "VCID-pbu7-4hdm-s3a6" }, { "vulnerability": "VCID-s971-gkdg-jkhc" }, { "vulnerability": "VCID-skxv-7he3-xqgc" }, { "vulnerability": "VCID-vkrw-y1j6-6fe7" }, { "vulnerability": "VCID-wvs1-dhwp-ebat" }, { "vulnerability": "VCID-xkah-9nv9-wufd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.0.beta1" }, { "url": "http://public2.vulnerablecode.io/api/packages/70108?format=api", "purl": "pkg:gem/rack@3.0.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-47ja-djzb-2bbw" }, { "vulnerability": "VCID-7wvj-9h3p-23am" }, { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-azu5-jcmd-3ufx" }, { "vulnerability": "VCID-c5sc-7qnn-mkb9" }, { "vulnerability": "VCID-d58r-22kr-9bct" }, { "vulnerability": "VCID-npag-sz7d-v7b6" }, { "vulnerability": "VCID-s971-gkdg-jkhc" }, { "vulnerability": "VCID-skxv-7he3-xqgc" }, { "vulnerability": "VCID-wt7k-s1yd-nke6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.13" }, { "url": "http://public2.vulnerablecode.io/api/packages/70109?format=api", "purl": "pkg:gem/rack@3.1.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-47ja-djzb-2bbw" }, { "vulnerability": "VCID-7wvj-9h3p-23am" }, { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-azu5-jcmd-3ufx" }, { "vulnerability": "VCID-c5sc-7qnn-mkb9" }, { "vulnerability": "VCID-d58r-22kr-9bct" }, { "vulnerability": "VCID-npag-sz7d-v7b6" }, { "vulnerability": "VCID-s971-gkdg-jkhc" }, { "vulnerability": "VCID-skxv-7he3-xqgc" }, { "vulnerability": "VCID-wt7k-s1yd-nke6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.11" } ], "aliases": [ "CVE-2025-27111", "GHSA-8cgq-6mh2-7j6v" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-7p12-ejdu-uqgy" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/21707?format=api", "vulnerability_id": "VCID-azu5-jcmd-3ufx", "summary": "Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)\n`Rack::Multipart::Parser` can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line (`CRLFCRLF`). The parser keeps appending incoming bytes to memory without a size cap, allowing a remote attacker to exhaust memory and cause a denial of service (DoS).", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61772.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61772.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61772", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00193", "scoring_system": "epss", "scoring_elements": "0.40983", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00193", "scoring_system": "epss", "scoring_elements": "0.41064", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00193", "scoring_system": "epss", "scoring_elements": "0.41069", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00193", "scoring_system": "epss", "scoring_elements": "0.4118", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00193", "scoring_system": "epss", "scoring_elements": "0.41252", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00193", "scoring_system": "epss", "scoring_elements": "0.41281", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00193", "scoring_system": "epss", "scoring_elements": "0.41249", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00193", "scoring_system": "epss", "scoring_elements": "0.41251", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00193", "scoring_system": "epss", "scoring_elements": "0.41283", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00193", "scoring_system": "epss", "scoring_elements": "0.41261", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00193", "scoring_system": "epss", "scoring_elements": "0.41253", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00193", "scoring_system": "epss", "scoring_elements": "0.41203", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00193", "scoring_system": "epss", "scoring_elements": "0.41278", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00193", "scoring_system": "epss", "scoring_elements": "0.41238", "published_at": "2026-04-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61772" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61772", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61772" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:19Z/" } ], "url": "https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e" }, { "reference_url": "https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:19Z/" } ], "url": "https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e" }, { "reference_url": "https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:19Z/" } ], "url": "https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117627", "reference_id": "1117627", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117627" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2402200", "reference_id": "2402200", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2402200" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61772", "reference_id": "CVE-2025-61772", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61772" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61772.yml", "reference_id": "CVE-2025-61772.YML", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61772.yml" }, { "reference_url": "https://github.com/advisories/GHSA-wpv5-97wm-hp9c", "reference_id": "GHSA-wpv5-97wm-hp9c", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wpv5-97wm-hp9c" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-wpv5-97wm-hp9c", "reference_id": "GHSA-wpv5-97wm-hp9c", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:19Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-wpv5-97wm-hp9c" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19512", "reference_id": "RHSA-2025:19512", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19512" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19513", "reference_id": "RHSA-2025:19513", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19513" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19647", "reference_id": "RHSA-2025:19647", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19647" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19719", "reference_id": "RHSA-2025:19719", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19719" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19733", "reference_id": "RHSA-2025:19733", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19733" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19734", "reference_id": "RHSA-2025:19734", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19734" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19736", "reference_id": "RHSA-2025:19736", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19736" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19800", "reference_id": "RHSA-2025:19800", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19800" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19948", "reference_id": "RHSA-2025:19948", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19948" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:20962", "reference_id": "RHSA-2025:20962", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:20962" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:21036", "reference_id": "RHSA-2025:21036", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:21036" }, { "reference_url": "https://usn.ubuntu.com/7960-1/", "reference_id": "USN-7960-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7960-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64134?format=api", "purl": "pkg:gem/rack@2.2.19", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-d58r-22kr-9bct" }, { "vulnerability": "VCID-s971-gkdg-jkhc" }, { "vulnerability": "VCID-skxv-7he3-xqgc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.19" }, { "url": "http://public2.vulnerablecode.io/api/packages/67812?format=api", "purl": "pkg:gem/rack@3.0.0.beta1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j61-5e8x-7fbd" }, { "vulnerability": "VCID-2p73-rc9t-rudb" }, { "vulnerability": "VCID-2qba-a6bp-ryak" }, { "vulnerability": "VCID-5twm-pqc2-xyfn" }, { "vulnerability": "VCID-7p12-ejdu-uqgy" }, { "vulnerability": "VCID-7wvj-9h3p-23am" }, { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-arac-j5h5-zkcu" }, { "vulnerability": "VCID-azu5-jcmd-3ufx" }, { "vulnerability": "VCID-c21j-snf1-d3cb" }, { "vulnerability": "VCID-c5sc-7qnn-mkb9" }, { "vulnerability": "VCID-d58r-22kr-9bct" }, { "vulnerability": "VCID-dh75-6jyw-1ke2" }, { "vulnerability": "VCID-gtzk-m9rm-57hw" }, { "vulnerability": "VCID-j34j-bgfd-8fez" }, { "vulnerability": "VCID-jg77-mm5c-gydu" }, { "vulnerability": "VCID-m98a-mcyb-c7fm" }, { "vulnerability": "VCID-metf-cghw-p3b5" }, { "vulnerability": "VCID-npag-sz7d-v7b6" }, { "vulnerability": "VCID-p3dk-p1gb-kkem" }, { "vulnerability": "VCID-pbu7-4hdm-s3a6" }, { "vulnerability": "VCID-s971-gkdg-jkhc" }, { "vulnerability": "VCID-skxv-7he3-xqgc" }, { "vulnerability": "VCID-vkrw-y1j6-6fe7" }, { "vulnerability": "VCID-wvs1-dhwp-ebat" }, { "vulnerability": "VCID-xkah-9nv9-wufd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.0.beta1" }, { "url": "http://public2.vulnerablecode.io/api/packages/64135?format=api", "purl": "pkg:gem/rack@3.1.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-d58r-22kr-9bct" }, { "vulnerability": "VCID-s971-gkdg-jkhc" }, { "vulnerability": "VCID-skxv-7he3-xqgc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/64137?format=api", "purl": "pkg:gem/rack@3.2.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-d58r-22kr-9bct" }, { "vulnerability": "VCID-s971-gkdg-jkhc" }, { "vulnerability": "VCID-skxv-7he3-xqgc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.2" } ], "aliases": [ "CVE-2025-61772", "GHSA-wpv5-97wm-hp9c" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-azu5-jcmd-3ufx" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/21690?format=api", "vulnerability_id": "VCID-c5sc-7qnn-mkb9", "summary": "Rack: Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)\n`Rack::Multipart::Parser` stores non-file form fields (parts without a `filename`) entirely in memory as Ruby `String` objects. A single large text field in a multipart/form-data request (hundreds of megabytes or more) can consume equivalent process memory, potentially leading to out-of-memory (OOM) conditions and denial of service (DoS).", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61771.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61771.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61771", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00098", "scoring_system": "epss", "scoring_elements": "0.26816", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00098", "scoring_system": "epss", "scoring_elements": "0.2688", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00098", "scoring_system": "epss", "scoring_elements": "0.26888", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00098", "scoring_system": "epss", "scoring_elements": "0.26937", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00098", "scoring_system": "epss", "scoring_elements": "0.26999", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00098", "scoring_system": "epss", "scoring_elements": "0.2699", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00098", "scoring_system": "epss", "scoring_elements": "0.27047", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00098", "scoring_system": "epss", "scoring_elements": "0.27091", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00098", "scoring_system": "epss", "scoring_elements": "0.27087", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00098", "scoring_system": "epss", "scoring_elements": "0.27042", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00098", "scoring_system": "epss", "scoring_elements": "0.26973", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00098", "scoring_system": "epss", "scoring_elements": "0.27182", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00098", "scoring_system": "epss", "scoring_elements": "0.27146", "published_at": "2026-04-02T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61771" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61771", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61771" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:58Z/" } ], "url": "https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e" }, { "reference_url": "https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:58Z/" } ], "url": "https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e" }, { "reference_url": "https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:58Z/" } ], "url": "https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117628", "reference_id": "1117628", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117628" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2402175", "reference_id": "2402175", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2402175" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61771", "reference_id": "CVE-2025-61771", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61771" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61771.yml", "reference_id": "CVE-2025-61771.YML", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61771.yml" }, { "reference_url": "https://github.com/advisories/GHSA-w9pc-fmgc-vxvw", "reference_id": "GHSA-w9pc-fmgc-vxvw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w9pc-fmgc-vxvw" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-w9pc-fmgc-vxvw", "reference_id": "GHSA-w9pc-fmgc-vxvw", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:58Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-w9pc-fmgc-vxvw" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19512", "reference_id": "RHSA-2025:19512", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19512" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19513", "reference_id": "RHSA-2025:19513", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19513" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19647", "reference_id": "RHSA-2025:19647", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19647" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19719", "reference_id": "RHSA-2025:19719", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19719" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19734", "reference_id": "RHSA-2025:19734", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19734" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19800", "reference_id": "RHSA-2025:19800", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19800" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19948", "reference_id": "RHSA-2025:19948", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19948" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:20962", "reference_id": "RHSA-2025:20962", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:20962" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:21036", "reference_id": "RHSA-2025:21036", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:21036" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:21696", "reference_id": "RHSA-2025:21696", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:21696" }, { "reference_url": "https://usn.ubuntu.com/7960-1/", "reference_id": "USN-7960-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7960-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64134?format=api", "purl": "pkg:gem/rack@2.2.19", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-d58r-22kr-9bct" }, { "vulnerability": "VCID-s971-gkdg-jkhc" }, { "vulnerability": "VCID-skxv-7he3-xqgc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.19" }, { "url": "http://public2.vulnerablecode.io/api/packages/67812?format=api", "purl": "pkg:gem/rack@3.0.0.beta1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j61-5e8x-7fbd" }, { "vulnerability": "VCID-2p73-rc9t-rudb" }, { "vulnerability": "VCID-2qba-a6bp-ryak" }, { "vulnerability": "VCID-5twm-pqc2-xyfn" }, { "vulnerability": "VCID-7p12-ejdu-uqgy" }, { "vulnerability": "VCID-7wvj-9h3p-23am" }, { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-arac-j5h5-zkcu" }, { "vulnerability": "VCID-azu5-jcmd-3ufx" }, { "vulnerability": "VCID-c21j-snf1-d3cb" }, { "vulnerability": "VCID-c5sc-7qnn-mkb9" }, { "vulnerability": "VCID-d58r-22kr-9bct" }, { "vulnerability": "VCID-dh75-6jyw-1ke2" }, { "vulnerability": "VCID-gtzk-m9rm-57hw" }, { "vulnerability": "VCID-j34j-bgfd-8fez" }, { "vulnerability": "VCID-jg77-mm5c-gydu" }, { "vulnerability": "VCID-m98a-mcyb-c7fm" }, { "vulnerability": "VCID-metf-cghw-p3b5" }, { "vulnerability": "VCID-npag-sz7d-v7b6" }, { "vulnerability": "VCID-p3dk-p1gb-kkem" }, { "vulnerability": "VCID-pbu7-4hdm-s3a6" }, { "vulnerability": "VCID-s971-gkdg-jkhc" }, { "vulnerability": "VCID-skxv-7he3-xqgc" }, { "vulnerability": "VCID-vkrw-y1j6-6fe7" }, { "vulnerability": "VCID-wvs1-dhwp-ebat" }, { "vulnerability": "VCID-xkah-9nv9-wufd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.0.beta1" }, { "url": "http://public2.vulnerablecode.io/api/packages/64135?format=api", "purl": "pkg:gem/rack@3.1.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-d58r-22kr-9bct" }, { "vulnerability": "VCID-s971-gkdg-jkhc" }, { "vulnerability": "VCID-skxv-7he3-xqgc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/64137?format=api", "purl": "pkg:gem/rack@3.2.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-d58r-22kr-9bct" }, { "vulnerability": "VCID-s971-gkdg-jkhc" }, { "vulnerability": "VCID-skxv-7he3-xqgc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.2" } ], "aliases": [ "CVE-2025-61771", "GHSA-w9pc-fmgc-vxvw" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-c5sc-7qnn-mkb9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/21773?format=api", "vulnerability_id": "VCID-d58r-22kr-9bct", "summary": "Rack has a Possible Information Disclosure Vulnerability\nA possible information disclosure vulnerability existed in `Rack::Sendfile` when running behind a proxy that supports `x-sendfile` headers (such as Nginx). Specially crafted headers could cause `Rack::Sendfile` to miscommunicate with the proxy and trigger unintended internal requests, potentially bypassing proxy-level access restrictions.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61780.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61780.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61780", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10285", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10343", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10351", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10369", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10238", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10267", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10328", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10418", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10462", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10434", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10368", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10294", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10394", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00035", "scoring_system": "epss", "scoring_elements": "0.10396", "published_at": "2026-04-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61780" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61780", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61780" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/commit/57277b7741581fa827472c5c666f6e6a33abd784", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:34:55Z/" } ], "url": "https://github.com/rack/rack/commit/57277b7741581fa827472c5c666f6e6a33abd784" }, { "reference_url": "https://github.com/rack/rack/commit/7e69f65eefe9cd2868df9f9f3b0977b86f93523a", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:34:55Z/" } ], "url": "https://github.com/rack/rack/commit/7e69f65eefe9cd2868df9f9f3b0977b86f93523a" }, { "reference_url": "https://github.com/rack/rack/commit/fba2c8bc63eb787ff4b19bc612d315fda6126d85", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:34:55Z/" } ], "url": "https://github.com/rack/rack/commit/fba2c8bc63eb787ff4b19bc612d315fda6126d85" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117855", "reference_id": "1117855", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117855" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2403126", "reference_id": "2403126", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2403126" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61780", "reference_id": "CVE-2025-61780", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61780" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61780.yml", "reference_id": "CVE-2025-61780.YML", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61780.yml" }, { "reference_url": "https://github.com/advisories/GHSA-r657-rxjc-j557", "reference_id": "GHSA-r657-rxjc-j557", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r657-rxjc-j557" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-r657-rxjc-j557", "reference_id": "GHSA-r657-rxjc-j557", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:34:55Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-r657-rxjc-j557" }, { "reference_url": "https://usn.ubuntu.com/7960-1/", "reference_id": "USN-7960-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7960-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64225?format=api", "purl": "pkg:gem/rack@2.2.20", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-skxv-7he3-xqgc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.20" }, { "url": "http://public2.vulnerablecode.io/api/packages/67812?format=api", "purl": "pkg:gem/rack@3.0.0.beta1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j61-5e8x-7fbd" }, { "vulnerability": "VCID-2p73-rc9t-rudb" }, { "vulnerability": "VCID-2qba-a6bp-ryak" }, { "vulnerability": "VCID-5twm-pqc2-xyfn" }, { "vulnerability": "VCID-7p12-ejdu-uqgy" }, { "vulnerability": "VCID-7wvj-9h3p-23am" }, { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-arac-j5h5-zkcu" }, { "vulnerability": "VCID-azu5-jcmd-3ufx" }, { "vulnerability": "VCID-c21j-snf1-d3cb" }, { "vulnerability": "VCID-c5sc-7qnn-mkb9" }, { "vulnerability": "VCID-d58r-22kr-9bct" }, { "vulnerability": "VCID-dh75-6jyw-1ke2" }, { "vulnerability": "VCID-gtzk-m9rm-57hw" }, { "vulnerability": "VCID-j34j-bgfd-8fez" }, { "vulnerability": "VCID-jg77-mm5c-gydu" }, { "vulnerability": "VCID-m98a-mcyb-c7fm" }, { "vulnerability": "VCID-metf-cghw-p3b5" }, { "vulnerability": "VCID-npag-sz7d-v7b6" }, { "vulnerability": "VCID-p3dk-p1gb-kkem" }, { "vulnerability": "VCID-pbu7-4hdm-s3a6" }, { "vulnerability": "VCID-s971-gkdg-jkhc" }, { "vulnerability": "VCID-skxv-7he3-xqgc" }, { "vulnerability": "VCID-vkrw-y1j6-6fe7" }, { "vulnerability": "VCID-wvs1-dhwp-ebat" }, { "vulnerability": "VCID-xkah-9nv9-wufd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.0.beta1" }, { "url": "http://public2.vulnerablecode.io/api/packages/64226?format=api", "purl": "pkg:gem/rack@3.1.18", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-skxv-7he3-xqgc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.18" }, { "url": "http://public2.vulnerablecode.io/api/packages/64227?format=api", "purl": "pkg:gem/rack@3.2.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-skxv-7he3-xqgc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.3" } ], "aliases": [ "CVE-2025-61780", "GHSA-r657-rxjc-j557" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-d58r-22kr-9bct" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/21554?format=api", "vulnerability_id": "VCID-gdhf-e8q1-kbat", "summary": "Rack has an unsafe default in Rack::QueryParser allows params_limit bypass via semicolon-separated parameters\n`Rack::QueryParser` in version `< 2.2.18` enforces its `params_limit` only for parameters separated by `&`, while still splitting on both `&` and `;`. As a result, attackers could use `;` separators to bypass the parameter count limit and submit more parameters than intended.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59830.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59830.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-59830", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00069", "scoring_system": "epss", "scoring_elements": "0.21206", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00069", "scoring_system": "epss", "scoring_elements": "0.21196", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00069", "scoring_system": "epss", "scoring_elements": "0.21203", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00069", "scoring_system": "epss", "scoring_elements": "0.21256", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00069", "scoring_system": "epss", "scoring_elements": "0.21297", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00069", "scoring_system": "epss", "scoring_elements": "0.21287", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00069", "scoring_system": "epss", "scoring_elements": "0.21225", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00069", "scoring_system": "epss", "scoring_elements": "0.21145", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00069", "scoring_system": "epss", "scoring_elements": "0.21337", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00069", "scoring_system": "epss", "scoring_elements": "0.21392", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00074", "scoring_system": "epss", "scoring_elements": "0.22201", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00074", "scoring_system": "epss", "scoring_elements": "0.22371", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00074", "scoring_system": "epss", "scoring_elements": "0.22221", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00074", "scoring_system": "epss", "scoring_elements": "0.22207", "published_at": "2026-04-26T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-59830" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59830", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59830" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/commit/54e4ffdd5affebcb0c015cc6ae74635c0831ed71", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-25T16:14:17Z/" } ], "url": "https://github.com/rack/rack/commit/54e4ffdd5affebcb0c015cc6ae74635c0831ed71" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116431", "reference_id": "1116431", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116431" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2398167", "reference_id": "2398167", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2398167" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59830", "reference_id": "CVE-2025-59830", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59830" }, { "reference_url": "https://github.com/advisories/GHSA-625h-95r8-8xpm", "reference_id": "GHSA-625h-95r8-8xpm", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-625h-95r8-8xpm" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-625h-95r8-8xpm", "reference_id": "GHSA-625h-95r8-8xpm", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-25T16:14:17Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-625h-95r8-8xpm" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19512", "reference_id": "RHSA-2025:19512", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19512" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19513", "reference_id": "RHSA-2025:19513", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19513" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19647", "reference_id": "RHSA-2025:19647", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19647" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19719", "reference_id": "RHSA-2025:19719", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19719" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19733", "reference_id": "RHSA-2025:19733", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19733" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19734", "reference_id": "RHSA-2025:19734", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19734" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19736", "reference_id": "RHSA-2025:19736", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19736" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19800", "reference_id": "RHSA-2025:19800", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19800" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19832", "reference_id": "RHSA-2025:19832", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19832" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19855", "reference_id": "RHSA-2025:19855", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19855" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19856", "reference_id": "RHSA-2025:19856", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19856" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19948", "reference_id": "RHSA-2025:19948", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19948" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:20962", "reference_id": "RHSA-2025:20962", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:20962" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:21036", "reference_id": "RHSA-2025:21036", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:21036" }, { "reference_url": "https://usn.ubuntu.com/7784-1/", "reference_id": "USN-7784-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7784-1/" }, { "reference_url": "https://usn.ubuntu.com/7960-1/", "reference_id": "USN-7960-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7960-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/63988?format=api", "purl": "pkg:gem/rack@2.2.18", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-azu5-jcmd-3ufx" }, { "vulnerability": "VCID-c5sc-7qnn-mkb9" }, { "vulnerability": "VCID-d58r-22kr-9bct" }, { "vulnerability": "VCID-npag-sz7d-v7b6" }, { "vulnerability": "VCID-s971-gkdg-jkhc" }, { "vulnerability": "VCID-skxv-7he3-xqgc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.18" }, { "url": "http://public2.vulnerablecode.io/api/packages/67812?format=api", "purl": "pkg:gem/rack@3.0.0.beta1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j61-5e8x-7fbd" }, { "vulnerability": "VCID-2p73-rc9t-rudb" }, { "vulnerability": "VCID-2qba-a6bp-ryak" }, { "vulnerability": "VCID-5twm-pqc2-xyfn" }, { "vulnerability": "VCID-7p12-ejdu-uqgy" }, { "vulnerability": "VCID-7wvj-9h3p-23am" }, { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-arac-j5h5-zkcu" }, { "vulnerability": "VCID-azu5-jcmd-3ufx" }, { "vulnerability": "VCID-c21j-snf1-d3cb" }, { "vulnerability": "VCID-c5sc-7qnn-mkb9" }, { "vulnerability": "VCID-d58r-22kr-9bct" }, { "vulnerability": "VCID-dh75-6jyw-1ke2" }, { "vulnerability": "VCID-gtzk-m9rm-57hw" }, { "vulnerability": "VCID-j34j-bgfd-8fez" }, { "vulnerability": "VCID-jg77-mm5c-gydu" }, { "vulnerability": "VCID-m98a-mcyb-c7fm" }, { "vulnerability": "VCID-metf-cghw-p3b5" }, { "vulnerability": "VCID-npag-sz7d-v7b6" }, { "vulnerability": "VCID-p3dk-p1gb-kkem" }, { "vulnerability": "VCID-pbu7-4hdm-s3a6" }, { "vulnerability": "VCID-s971-gkdg-jkhc" }, { "vulnerability": "VCID-skxv-7he3-xqgc" }, { "vulnerability": "VCID-vkrw-y1j6-6fe7" }, { "vulnerability": "VCID-wvs1-dhwp-ebat" }, { "vulnerability": "VCID-xkah-9nv9-wufd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.0.beta1" } ], "aliases": [ "CVE-2025-59830", "GHSA-625h-95r8-8xpm" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-gdhf-e8q1-kbat" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/21709?format=api", "vulnerability_id": "VCID-npag-sz7d-v7b6", "summary": "Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion)\n`Rack::Multipart::Parser` buffers the entire multipart **preamble** (bytes before the first boundary) in memory without any size limit. A client can send a large preamble followed by a valid boundary, causing significant memory use and potential process termination due to out-of-memory (OOM) conditions.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61770.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61770.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61770", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00158", "scoring_system": "epss", "scoring_elements": "0.3632", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00158", "scoring_system": "epss", "scoring_elements": "0.36408", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00158", "scoring_system": "epss", "scoring_elements": "0.36438", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00158", "scoring_system": "epss", "scoring_elements": "0.36663", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00158", "scoring_system": "epss", "scoring_elements": "0.36723", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00158", "scoring_system": "epss", "scoring_elements": "0.3674", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00158", "scoring_system": "epss", "scoring_elements": "0.36812", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00158", "scoring_system": "epss", "scoring_elements": "0.36721", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00158", "scoring_system": "epss", "scoring_elements": "0.36756", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00158", "scoring_system": "epss", "scoring_elements": "0.36747", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00158", "scoring_system": "epss", "scoring_elements": "0.3673", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00158", "scoring_system": "epss", "scoring_elements": "0.3668", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00158", "scoring_system": "epss", "scoring_elements": "0.36844", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00158", "scoring_system": "epss", "scoring_elements": "0.36695", "published_at": "2026-04-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61770" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61770", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61770" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T15:23:07Z/" } ], "url": "https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e" }, { "reference_url": "https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T15:23:07Z/" } ], "url": "https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e" }, { "reference_url": "https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T15:23:07Z/" } ], "url": "https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117627", "reference_id": "1117627", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117627" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2402174", "reference_id": "2402174", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2402174" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61770", "reference_id": "CVE-2025-61770", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61770" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61770.yml", "reference_id": "CVE-2025-61770.YML", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61770.yml" }, { "reference_url": "https://github.com/advisories/GHSA-p543-xpfm-54cp", "reference_id": "GHSA-p543-xpfm-54cp", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p543-xpfm-54cp" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-p543-xpfm-54cp", "reference_id": "GHSA-p543-xpfm-54cp", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T15:23:07Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-p543-xpfm-54cp" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19512", "reference_id": "RHSA-2025:19512", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19512" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19513", "reference_id": "RHSA-2025:19513", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19513" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19647", "reference_id": "RHSA-2025:19647", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19647" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19719", "reference_id": "RHSA-2025:19719", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19719" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19733", "reference_id": "RHSA-2025:19733", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19733" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19734", "reference_id": "RHSA-2025:19734", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19734" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19736", "reference_id": "RHSA-2025:19736", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19736" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19800", "reference_id": "RHSA-2025:19800", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19800" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19948", "reference_id": "RHSA-2025:19948", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19948" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:20962", "reference_id": "RHSA-2025:20962", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:20962" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:21036", "reference_id": "RHSA-2025:21036", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:21036" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:21696", "reference_id": "RHSA-2025:21696", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:21696" }, { "reference_url": "https://usn.ubuntu.com/7960-1/", "reference_id": "USN-7960-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7960-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64134?format=api", "purl": "pkg:gem/rack@2.2.19", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-d58r-22kr-9bct" }, { "vulnerability": "VCID-s971-gkdg-jkhc" }, { "vulnerability": "VCID-skxv-7he3-xqgc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.19" }, { "url": "http://public2.vulnerablecode.io/api/packages/67812?format=api", "purl": "pkg:gem/rack@3.0.0.beta1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j61-5e8x-7fbd" }, { "vulnerability": "VCID-2p73-rc9t-rudb" }, { "vulnerability": "VCID-2qba-a6bp-ryak" }, { "vulnerability": "VCID-5twm-pqc2-xyfn" }, { "vulnerability": "VCID-7p12-ejdu-uqgy" }, { "vulnerability": "VCID-7wvj-9h3p-23am" }, { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-arac-j5h5-zkcu" }, { "vulnerability": "VCID-azu5-jcmd-3ufx" }, { "vulnerability": "VCID-c21j-snf1-d3cb" }, { "vulnerability": "VCID-c5sc-7qnn-mkb9" }, { "vulnerability": "VCID-d58r-22kr-9bct" }, { "vulnerability": "VCID-dh75-6jyw-1ke2" }, { "vulnerability": "VCID-gtzk-m9rm-57hw" }, { "vulnerability": "VCID-j34j-bgfd-8fez" }, { "vulnerability": "VCID-jg77-mm5c-gydu" }, { "vulnerability": "VCID-m98a-mcyb-c7fm" }, { "vulnerability": "VCID-metf-cghw-p3b5" }, { "vulnerability": "VCID-npag-sz7d-v7b6" }, { "vulnerability": "VCID-p3dk-p1gb-kkem" }, { "vulnerability": "VCID-pbu7-4hdm-s3a6" }, { "vulnerability": "VCID-s971-gkdg-jkhc" }, { "vulnerability": "VCID-skxv-7he3-xqgc" }, { "vulnerability": "VCID-vkrw-y1j6-6fe7" }, { "vulnerability": "VCID-wvs1-dhwp-ebat" }, { "vulnerability": "VCID-xkah-9nv9-wufd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.0.beta1" }, { "url": "http://public2.vulnerablecode.io/api/packages/64135?format=api", "purl": "pkg:gem/rack@3.1.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-d58r-22kr-9bct" }, { "vulnerability": "VCID-s971-gkdg-jkhc" }, { "vulnerability": "VCID-skxv-7he3-xqgc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/64137?format=api", "purl": "pkg:gem/rack@3.2.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-d58r-22kr-9bct" }, { "vulnerability": "VCID-s971-gkdg-jkhc" }, { "vulnerability": "VCID-skxv-7he3-xqgc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.2" } ], "aliases": [ "CVE-2025-61770", "GHSA-p543-xpfm-54cp" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-npag-sz7d-v7b6" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/21764?format=api", "vulnerability_id": "VCID-s971-gkdg-jkhc", "summary": "Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing\n`Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61919.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61919.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61919", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00221", "scoring_system": "epss", "scoring_elements": "0.44561", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.00221", "scoring_system": "epss", "scoring_elements": "0.44639", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.00221", "scoring_system": "epss", "scoring_elements": "0.44632", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00221", "scoring_system": "epss", "scoring_elements": "0.44713", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.00221", "scoring_system": "epss", "scoring_elements": "0.44784", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.00221", "scoring_system": "epss", "scoring_elements": "0.44791", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00221", "scoring_system": "epss", "scoring_elements": "0.44736", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.00221", "scoring_system": "epss", "scoring_elements": "0.44735", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00221", "scoring_system": "epss", "scoring_elements": "0.44767", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00221", "scoring_system": "epss", "scoring_elements": "0.4475", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00221", "scoring_system": "epss", "scoring_elements": "0.44748", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00221", "scoring_system": "epss", "scoring_elements": "0.44695", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00221", "scoring_system": "epss", "scoring_elements": "0.44756", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00221", "scoring_system": "epss", "scoring_elements": "0.44737", "published_at": "2026-04-13T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61919" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61919", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61919" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/commit/4e2c903991a790ee211a3021808ff4fd6fe82881", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:48:10Z/" } ], "url": "https://github.com/rack/rack/commit/4e2c903991a790ee211a3021808ff4fd6fe82881" }, { "reference_url": "https://github.com/rack/rack/commit/cbd541e8a3d0c5830a3c9a30d3718ce2e124f9db", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:48:10Z/" } ], "url": "https://github.com/rack/rack/commit/cbd541e8a3d0c5830a3c9a30d3718ce2e124f9db" }, { "reference_url": "https://github.com/rack/rack/commit/e179614c4a653283286f5f046428cbb85f21146f", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:48:10Z/" } ], "url": "https://github.com/rack/rack/commit/e179614c4a653283286f5f046428cbb85f21146f" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117856", "reference_id": "1117856", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117856" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2403180", "reference_id": "2403180", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2403180" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61919", "reference_id": "CVE-2025-61919", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61919" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61919.yml", "reference_id": "CVE-2025-61919.YML", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61919.yml" }, { "reference_url": "https://github.com/advisories/GHSA-6xw4-3v39-52mm", "reference_id": "GHSA-6xw4-3v39-52mm", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6xw4-3v39-52mm" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-6xw4-3v39-52mm", "reference_id": "GHSA-6xw4-3v39-52mm", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:48:10Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-6xw4-3v39-52mm" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19512", "reference_id": "RHSA-2025:19512", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19512" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19513", "reference_id": "RHSA-2025:19513", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19513" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19647", "reference_id": "RHSA-2025:19647", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19647" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19719", "reference_id": "RHSA-2025:19719", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19719" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19733", "reference_id": "RHSA-2025:19733", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19733" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19734", "reference_id": "RHSA-2025:19734", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19734" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19736", "reference_id": "RHSA-2025:19736", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19736" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19800", "reference_id": "RHSA-2025:19800", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19800" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19832", "reference_id": "RHSA-2025:19832", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19832" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19855", "reference_id": "RHSA-2025:19855", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19855" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19856", "reference_id": "RHSA-2025:19856", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19856" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19948", "reference_id": "RHSA-2025:19948", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19948" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:20962", "reference_id": "RHSA-2025:20962", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:20962" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:21036", "reference_id": "RHSA-2025:21036", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:21036" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:21696", "reference_id": "RHSA-2025:21696", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:21696" }, { "reference_url": "https://usn.ubuntu.com/7960-1/", "reference_id": "USN-7960-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7960-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/64225?format=api", "purl": "pkg:gem/rack@2.2.20", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-skxv-7he3-xqgc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.20" }, { "url": "http://public2.vulnerablecode.io/api/packages/67812?format=api", "purl": "pkg:gem/rack@3.0.0.beta1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j61-5e8x-7fbd" }, { "vulnerability": "VCID-2p73-rc9t-rudb" }, { "vulnerability": "VCID-2qba-a6bp-ryak" }, { "vulnerability": "VCID-5twm-pqc2-xyfn" }, { "vulnerability": "VCID-7p12-ejdu-uqgy" }, { "vulnerability": "VCID-7wvj-9h3p-23am" }, { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-arac-j5h5-zkcu" }, { "vulnerability": "VCID-azu5-jcmd-3ufx" }, { "vulnerability": "VCID-c21j-snf1-d3cb" }, { "vulnerability": "VCID-c5sc-7qnn-mkb9" }, { "vulnerability": "VCID-d58r-22kr-9bct" }, { "vulnerability": "VCID-dh75-6jyw-1ke2" }, { "vulnerability": "VCID-gtzk-m9rm-57hw" }, { "vulnerability": "VCID-j34j-bgfd-8fez" }, { "vulnerability": "VCID-jg77-mm5c-gydu" }, { "vulnerability": "VCID-m98a-mcyb-c7fm" }, { "vulnerability": "VCID-metf-cghw-p3b5" }, { "vulnerability": "VCID-npag-sz7d-v7b6" }, { "vulnerability": "VCID-p3dk-p1gb-kkem" }, { "vulnerability": "VCID-pbu7-4hdm-s3a6" }, { "vulnerability": "VCID-s971-gkdg-jkhc" }, { "vulnerability": "VCID-skxv-7he3-xqgc" }, { "vulnerability": "VCID-vkrw-y1j6-6fe7" }, { "vulnerability": "VCID-wvs1-dhwp-ebat" }, { "vulnerability": "VCID-xkah-9nv9-wufd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.0.beta1" }, { "url": "http://public2.vulnerablecode.io/api/packages/64226?format=api", "purl": "pkg:gem/rack@3.1.18", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-skxv-7he3-xqgc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.18" }, { "url": "http://public2.vulnerablecode.io/api/packages/64227?format=api", "purl": "pkg:gem/rack@3.2.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-skxv-7he3-xqgc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.3" } ], "aliases": [ "CVE-2025-61919", "GHSA-6xw4-3v39-52mm" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-s971-gkdg-jkhc" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/26273?format=api", "vulnerability_id": "VCID-w732-52bx-2qf8", "summary": "Possible Log Injection in Rack::CommonLogger\n## Summary\n\n`Rack::CommonLogger` can be exploited by crafting input that includes newline characters to manipulate log entries. The supplied proof-of-concept demonstrates injecting malicious content into logs.\n\n## Details\n\nWhen a user provides the authorization credentials via `Rack::Auth::Basic`, if success, the username will be put in `env['REMOTE_USER']` and later be used by `Rack::CommonLogger` for logging purposes.\n\nThe issue occurs when a server intentionally or unintentionally allows a user creation with the username contain CRLF and white space characters, or the server just want to log every login attempts. If an attacker enters a username with CRLF character, the logger will log the malicious username with CRLF characters into the logfile.\n\n## Impact\n\nAttackers can break log formats or insert fraudulent entries, potentially obscuring real activity or injecting malicious data into log files.\n\n## Mitigation\n\n- Update to the latest version of Rack.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-25184.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-25184.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-25184", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00957", "scoring_system": "epss", "scoring_elements": "0.7651", "published_at": "2026-04-24T12:55:00Z" }, { "value": "0.00957", "scoring_system": "epss", "scoring_elements": "0.76516", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.01039", "scoring_system": "epss", "scoring_elements": "0.77454", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.01039", "scoring_system": "epss", "scoring_elements": "0.77455", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.01039", "scoring_system": "epss", "scoring_elements": "0.77416", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.01039", "scoring_system": "epss", "scoring_elements": "0.7742", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.01039", "scoring_system": "epss", "scoring_elements": "0.7744", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.01039", "scoring_system": "epss", "scoring_elements": "0.77501", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.01039", "scoring_system": "epss", "scoring_elements": "0.77446", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.01039", "scoring_system": "epss", "scoring_elements": "0.77414", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.01039", "scoring_system": "epss", "scoring_elements": "0.77405", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.01039", "scoring_system": "epss", "scoring_elements": "0.77375", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.01068", "scoring_system": "epss", "scoring_elements": "0.77658", "published_at": "2026-04-02T12:55:00Z" }, { "value": "0.01068", "scoring_system": "epss", "scoring_elements": "0.77685", "published_at": "2026-04-04T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-25184" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-25184", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-25184" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "4.3", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/commit/074ae244430cda05c27ca91cda699709cfb3ad8e", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-12T19:09:07Z/" } ], "url": "https://github.com/rack/rack/commit/074ae244430cda05c27ca91cda699709cfb3ad8e" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-12T19:09:07Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-25184.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-25184.yml" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00016.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00016.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25184", "reference_id": "", "reference_type": "", "scores": [ { "value": "6.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" }, { "value": "5.7", "scoring_system": "cvssv4", "scoring_elements": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25184" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098257", "reference_id": "1098257", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1098257" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2345301", "reference_id": "2345301", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2345301" }, { "reference_url": "https://github.com/advisories/GHSA-7g2v-jj9q-g3rg", "reference_id": "GHSA-7g2v-jj9q-g3rg", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7g2v-jj9q-g3rg" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:1985", "reference_id": "RHSA-2025:1985", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:1985" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:7085", "reference_id": "RHSA-2025:7085", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:7085" }, { "reference_url": "https://usn.ubuntu.com/7366-1/", "reference_id": "USN-7366-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7366-1/" }, { "reference_url": "https://usn.ubuntu.com/7366-2/", "reference_id": "USN-7366-2", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7366-2/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/69400?format=api", "purl": "pkg:gem/rack@2.2.11", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-47ja-djzb-2bbw" }, { "vulnerability": "VCID-7p12-ejdu-uqgy" }, { "vulnerability": "VCID-7wvj-9h3p-23am" }, { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-azu5-jcmd-3ufx" }, { "vulnerability": "VCID-c5sc-7qnn-mkb9" }, { "vulnerability": "VCID-d58r-22kr-9bct" }, { "vulnerability": "VCID-gdhf-e8q1-kbat" }, { "vulnerability": "VCID-npag-sz7d-v7b6" }, { "vulnerability": "VCID-s971-gkdg-jkhc" }, { "vulnerability": "VCID-skxv-7he3-xqgc" }, { "vulnerability": "VCID-wt7k-s1yd-nke6" }, { "vulnerability": "VCID-xazq-qrm1-9ff6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.11" }, { "url": "http://public2.vulnerablecode.io/api/packages/67812?format=api", "purl": "pkg:gem/rack@3.0.0.beta1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j61-5e8x-7fbd" }, { "vulnerability": "VCID-2p73-rc9t-rudb" }, { "vulnerability": "VCID-2qba-a6bp-ryak" }, { "vulnerability": "VCID-5twm-pqc2-xyfn" }, { "vulnerability": "VCID-7p12-ejdu-uqgy" }, { "vulnerability": "VCID-7wvj-9h3p-23am" }, { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-arac-j5h5-zkcu" }, { "vulnerability": "VCID-azu5-jcmd-3ufx" }, { "vulnerability": "VCID-c21j-snf1-d3cb" }, { "vulnerability": "VCID-c5sc-7qnn-mkb9" }, { "vulnerability": "VCID-d58r-22kr-9bct" }, { "vulnerability": "VCID-dh75-6jyw-1ke2" }, { "vulnerability": "VCID-gtzk-m9rm-57hw" }, { "vulnerability": "VCID-j34j-bgfd-8fez" }, { "vulnerability": "VCID-jg77-mm5c-gydu" }, { "vulnerability": "VCID-m98a-mcyb-c7fm" }, { "vulnerability": "VCID-metf-cghw-p3b5" }, { "vulnerability": "VCID-npag-sz7d-v7b6" }, { "vulnerability": "VCID-p3dk-p1gb-kkem" }, { "vulnerability": "VCID-pbu7-4hdm-s3a6" }, { "vulnerability": "VCID-s971-gkdg-jkhc" }, { "vulnerability": "VCID-skxv-7he3-xqgc" }, { "vulnerability": "VCID-vkrw-y1j6-6fe7" }, { "vulnerability": "VCID-wvs1-dhwp-ebat" }, { "vulnerability": "VCID-xkah-9nv9-wufd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.0.beta1" }, { "url": "http://public2.vulnerablecode.io/api/packages/69401?format=api", "purl": "pkg:gem/rack@3.0.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-47ja-djzb-2bbw" }, { "vulnerability": "VCID-7p12-ejdu-uqgy" }, { "vulnerability": "VCID-7wvj-9h3p-23am" }, { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-azu5-jcmd-3ufx" }, { "vulnerability": "VCID-c5sc-7qnn-mkb9" }, { "vulnerability": "VCID-d58r-22kr-9bct" }, { "vulnerability": "VCID-npag-sz7d-v7b6" }, { "vulnerability": "VCID-s971-gkdg-jkhc" }, { "vulnerability": "VCID-skxv-7he3-xqgc" }, { "vulnerability": "VCID-wt7k-s1yd-nke6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.12" }, { "url": "http://public2.vulnerablecode.io/api/packages/69402?format=api", "purl": "pkg:gem/rack@3.1.10", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-47ja-djzb-2bbw" }, { "vulnerability": "VCID-7p12-ejdu-uqgy" }, { "vulnerability": "VCID-7wvj-9h3p-23am" }, { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-azu5-jcmd-3ufx" }, { "vulnerability": "VCID-c5sc-7qnn-mkb9" }, { "vulnerability": "VCID-d58r-22kr-9bct" }, { "vulnerability": "VCID-npag-sz7d-v7b6" }, { "vulnerability": "VCID-s971-gkdg-jkhc" }, { "vulnerability": "VCID-skxv-7he3-xqgc" }, { "vulnerability": "VCID-wt7k-s1yd-nke6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.10" } ], "aliases": [ "CVE-2025-25184", "GHSA-7g2v-jj9q-g3rg" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-w732-52bx-2qf8" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/29211?format=api", "vulnerability_id": "VCID-wt7k-s1yd-nke6", "summary": "Local File Inclusion in Rack::Static\n## Summary\n\n`Rack::Static` can serve files under the specified `root:` even if `urls:` are provided, which may expose other files under the specified `root:` unexpectedly.\n\n## Details\n\nThe vulnerability occurs because `Rack::Static` does not properly sanitize user-supplied paths before serving files. Specifically, encoded path traversal sequences are not correctly validated, allowing attackers to access files outside the designated static file directory.\n\n## Impact\n\nBy exploiting this vulnerability, an attacker can gain access to all files under the specified `root:` directory, provided they are able to determine then path of the file.\n\n## Mitigation\n\n- Update to the latest version of Rack, or\n- Remove usage of `Rack::Static`, or\n- Ensure that `root:` points at a directory path which only contains files which should be accessed publicly.\n\nIt is likely that a CDN or similar static file server would also mitigate the issue.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27610.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27610.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-27610", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00415", "scoring_system": "epss", "scoring_elements": "0.61611", "published_at": "2026-04-07T12:55:00Z" }, { "value": "0.00415", "scoring_system": "epss", "scoring_elements": "0.61706", "published_at": "2026-04-16T12:55:00Z" }, { "value": "0.00415", "scoring_system": "epss", "scoring_elements": "0.61664", "published_at": "2026-04-13T12:55:00Z" }, { "value": "0.00415", "scoring_system": "epss", "scoring_elements": "0.61684", "published_at": "2026-04-12T12:55:00Z" }, { "value": "0.00415", "scoring_system": "epss", "scoring_elements": "0.61695", "published_at": "2026-04-11T12:55:00Z" }, { "value": "0.00415", "scoring_system": "epss", "scoring_elements": "0.61674", "published_at": "2026-04-09T12:55:00Z" }, { "value": "0.00415", "scoring_system": "epss", "scoring_elements": "0.61659", "published_at": "2026-04-08T12:55:00Z" }, { "value": "0.00415", "scoring_system": "epss", "scoring_elements": "0.6164", "published_at": "2026-04-04T12:55:00Z" }, { "value": "0.00518", "scoring_system": "epss", "scoring_elements": "0.6681", "published_at": "2026-04-18T12:55:00Z" }, { "value": "0.01301", "scoring_system": "epss", "scoring_elements": "0.79811", "published_at": "2026-04-29T12:55:00Z" }, { "value": "0.01416", "scoring_system": "epss", "scoring_elements": "0.80591", "published_at": "2026-04-21T12:55:00Z" }, { "value": "0.01557", "scoring_system": "epss", "scoring_elements": "0.81526", "published_at": "2026-04-26T12:55:00Z" }, { "value": "0.01694", "scoring_system": "epss", "scoring_elements": "0.8232", "published_at": "2026-04-24T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-27610" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27610", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27610" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/commit/50caab74fa01ee8f5dbdee7bb2782126d20c6583", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-11T15:22:45Z/" } ], "url": "https://github.com/rack/rack/commit/50caab74fa01ee8f5dbdee7bb2782126d20c6583" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-7wqh-767x-r66v", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-11T15:22:45Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-7wqh-767x-r66v" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-27610.yml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-27610.yml" }, { "reference_url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00016.html", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00016.html" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27610", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27610" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100444", "reference_id": "1100444", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100444" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2351231", "reference_id": "2351231", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2351231" }, { "reference_url": "https://github.com/advisories/GHSA-7wqh-767x-r66v", "reference_id": "GHSA-7wqh-767x-r66v", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-7wqh-767x-r66v" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:3448", "reference_id": "RHSA-2025:3448", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:3448" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:3490", "reference_id": "RHSA-2025:3490", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:3490" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:3491", "reference_id": "RHSA-2025:3491", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:3491" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:3492", "reference_id": "RHSA-2025:3492", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:3492" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:3906", "reference_id": "RHSA-2025:3906", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:3906" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:4576", "reference_id": "RHSA-2025:4576", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:4576" }, { "reference_url": "https://usn.ubuntu.com/7366-1/", "reference_id": "USN-7366-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7366-1/" }, { "reference_url": "https://usn.ubuntu.com/7366-2/", "reference_id": "USN-7366-2", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7366-2/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/70075?format=api", "purl": "pkg:gem/rack@2.2.13", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-47ja-djzb-2bbw" }, { "vulnerability": "VCID-7wvj-9h3p-23am" }, { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-azu5-jcmd-3ufx" }, { "vulnerability": "VCID-c5sc-7qnn-mkb9" }, { "vulnerability": "VCID-d58r-22kr-9bct" }, { "vulnerability": "VCID-gdhf-e8q1-kbat" }, { "vulnerability": "VCID-npag-sz7d-v7b6" }, { "vulnerability": "VCID-s971-gkdg-jkhc" }, { "vulnerability": "VCID-skxv-7he3-xqgc" }, { "vulnerability": "VCID-xazq-qrm1-9ff6" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.13" }, { "url": "http://public2.vulnerablecode.io/api/packages/67812?format=api", "purl": "pkg:gem/rack@3.0.0.beta1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-1j61-5e8x-7fbd" }, { "vulnerability": "VCID-2p73-rc9t-rudb" }, { "vulnerability": "VCID-2qba-a6bp-ryak" }, { "vulnerability": "VCID-5twm-pqc2-xyfn" }, { "vulnerability": "VCID-7p12-ejdu-uqgy" }, { "vulnerability": "VCID-7wvj-9h3p-23am" }, { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-arac-j5h5-zkcu" }, { "vulnerability": "VCID-azu5-jcmd-3ufx" }, { "vulnerability": "VCID-c21j-snf1-d3cb" }, { "vulnerability": "VCID-c5sc-7qnn-mkb9" }, { "vulnerability": "VCID-d58r-22kr-9bct" }, { "vulnerability": "VCID-dh75-6jyw-1ke2" }, { "vulnerability": "VCID-gtzk-m9rm-57hw" }, { "vulnerability": "VCID-j34j-bgfd-8fez" }, { "vulnerability": "VCID-jg77-mm5c-gydu" }, { "vulnerability": "VCID-m98a-mcyb-c7fm" }, { "vulnerability": "VCID-metf-cghw-p3b5" }, { "vulnerability": "VCID-npag-sz7d-v7b6" }, { "vulnerability": "VCID-p3dk-p1gb-kkem" }, { "vulnerability": "VCID-pbu7-4hdm-s3a6" }, { "vulnerability": "VCID-s971-gkdg-jkhc" }, { "vulnerability": "VCID-skxv-7he3-xqgc" }, { "vulnerability": "VCID-vkrw-y1j6-6fe7" }, { "vulnerability": "VCID-wvs1-dhwp-ebat" }, { "vulnerability": "VCID-xkah-9nv9-wufd" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.0.beta1" }, { "url": "http://public2.vulnerablecode.io/api/packages/70076?format=api", "purl": "pkg:gem/rack@3.0.14", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-47ja-djzb-2bbw" }, { "vulnerability": "VCID-7wvj-9h3p-23am" }, { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-azu5-jcmd-3ufx" }, { "vulnerability": "VCID-c5sc-7qnn-mkb9" }, { "vulnerability": "VCID-d58r-22kr-9bct" }, { "vulnerability": "VCID-npag-sz7d-v7b6" }, { "vulnerability": "VCID-s971-gkdg-jkhc" }, { "vulnerability": "VCID-skxv-7he3-xqgc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.14" }, { "url": "http://public2.vulnerablecode.io/api/packages/70077?format=api", "purl": "pkg:gem/rack@3.1.12", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-47ja-djzb-2bbw" }, { "vulnerability": "VCID-7wvj-9h3p-23am" }, { "vulnerability": "VCID-9rpp-9xss-duf6" }, { "vulnerability": "VCID-azu5-jcmd-3ufx" }, { "vulnerability": "VCID-c5sc-7qnn-mkb9" }, { "vulnerability": "VCID-d58r-22kr-9bct" }, { "vulnerability": "VCID-npag-sz7d-v7b6" }, { "vulnerability": "VCID-s971-gkdg-jkhc" }, { "vulnerability": "VCID-skxv-7he3-xqgc" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.12" } ], "aliases": [ "CVE-2025-27610", "GHSA-7wqh-767x-r66v" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-wt7k-s1yd-nke6" } ], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.0.beta1" }