Django REST framework

Lookup for vulnerable packages by Package URL.

Purl pkg:gem/rack@2.0.9.4

Type gem

Namespace

Name rack

Version 2.0.9.4

Qualifiers

Subpath

Is_vulnerable true

Next_non_vulnerable_version 2.2.23

Latest_non_vulnerable_version 3.2.6

Affected_by_vulnerabilities

url VCID-3jru-u17n-tyg1

vulnerability_id VCID-3jru-u17n-tyg1

summary

Rack has a Possible Information Disclosure Vulnerability
A possible information disclosure vulnerability existed in `Rack::Sendfile` when running behind a proxy that supports `x-sendfile` headers (such as Nginx). Specially crafted headers could cause `Rack::Sendfile` to miscommunicate with the proxy and trigger unintended internal requests, potentially bypassing proxy-level access restrictions.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61780.json

reference_id

reference_type

scores

value	5.8
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61780.json

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/rack/rack

reference_id

reference_type

scores

value	5.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack

reference_url

https://github.com/rack/rack/commit/57277b7741581fa827472c5c666f6e6a33abd784

reference_id

reference_type

scores

value	5.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:34:55Z/

url

https://github.com/rack/rack/commit/57277b7741581fa827472c5c666f6e6a33abd784

reference_url

https://github.com/rack/rack/commit/7e69f65eefe9cd2868df9f9f3b0977b86f93523a

reference_id

reference_type

scores

value	5.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:34:55Z/

url

https://github.com/rack/rack/commit/7e69f65eefe9cd2868df9f9f3b0977b86f93523a

reference_url

https://github.com/rack/rack/commit/fba2c8bc63eb787ff4b19bc612d315fda6126d85

reference_id

reference_type

scores

value	5.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:34:55Z/

url

https://github.com/rack/rack/commit/fba2c8bc63eb787ff4b19bc612d315fda6126d85

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117855
reference_id	1117855
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117855

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2403126
reference_id	2403126
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2403126

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-61780

reference_id

CVE-2025-61780

reference_type

scores

value	5.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-61780

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61780.yml

reference_id

CVE-2025-61780.YML

reference_type

scores

value	5.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61780.yml

reference_url	https://github.com/advisories/GHSA-r657-rxjc-j557
reference_id	GHSA-r657-rxjc-j557
reference_type
scores
url	https://github.com/advisories/GHSA-r657-rxjc-j557

reference_url

https://github.com/rack/rack/security/advisories/GHSA-r657-rxjc-j557

reference_id

GHSA-r657-rxjc-j557

reference_type

scores

value	5.8
scoring_system	cvssv3
scoring_elements

value	5.8
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:34:55Z/

url

https://github.com/rack/rack/security/advisories/GHSA-r657-rxjc-j557

fixed_packages

url pkg:gem/rack@2.2.20

purl pkg:gem/rack@2.2.20

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-bj83-rx84-v3g9

vulnerability	VCID-x373-rhh4-7khm

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.20

url pkg:gem/rack@3.1.18

purl pkg:gem/rack@3.1.18

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-bj83-rx84-v3g9

vulnerability	VCID-x373-rhh4-7khm

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.18

url pkg:gem/rack@3.2.3

purl pkg:gem/rack@3.2.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-bj83-rx84-v3g9

vulnerability	VCID-x373-rhh4-7khm

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.3

aliases CVE-2025-61780, GHSA-r657-rxjc-j557

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3jru-u17n-tyg1

url VCID-7cef-z5qm-afd8

vulnerability_id VCID-7cef-z5qm-afd8

summary

ReDoS Vulnerability in Rack::Multipart handle_mime_head
### Summary

There is a denial of service vulnerability in the
Content-Disposition parsing component of Rack. This is very
similar to the previous security issue CVE-2022-44571.

### Details

Carefully crafted input can cause Content-Disposition header
parsing in Rack to take an unexpected amount of time, possibly
resulting in a denial of service attack vector. This header is
used typically used in multipart parsing. Any applications that
parse multipart posts using Rack (virtually all Rails applications)
are impacted.

### Credits

Thanks to [scyoon](https://hackerone.com/scyoon) for reporting
this to the Rails security team

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-49007.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-49007.json

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	6.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/rack/rack

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack

reference_url

https://github.com/rack/rack/commit/4795831a0a310c2d31102749e551b38faab6401f

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-05T13:20:37Z/

url

https://github.com/rack/rack/commit/4795831a0a310c2d31102749e551b38faab6401f

reference_url

https://github.com/rack/rack/commit/aed514df37e33907df3c971ed3ca9a0a20ac2901

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-05T13:20:37Z/

url

https://github.com/rack/rack/commit/aed514df37e33907df3c971ed3ca9a0a20ac2901

reference_url

https://github.com/rack/rack/security/advisories/GHSA-47m2-26rw-j2jw

reference_id

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-06-05T13:20:37Z/

url

https://github.com/rack/rack/security/advisories/GHSA-47m2-26rw-j2jw

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107363
reference_id	1107363
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107363

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2370346
reference_id	2370346
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2370346

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-49007

reference_id

CVE-2025-49007

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-49007

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-49007.yml

reference_id

CVE-2025-49007.YML

reference_type

scores

value	6.6
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-49007.yml

reference_url	https://github.com/advisories/GHSA-47m2-26rw-j2jw
reference_id	GHSA-47m2-26rw-j2jw
reference_type
scores
url	https://github.com/advisories/GHSA-47m2-26rw-j2jw

fixed_packages

url pkg:gem/rack@3.1.16

purl pkg:gem/rack@3.1.16

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3jru-u17n-tyg1

vulnerability	VCID-7cef-z5qm-afd8

vulnerability	VCID-bj83-rx84-v3g9

vulnerability	VCID-dss4-6ptr-83av

vulnerability	VCID-e11g-k7zm-vkhu

vulnerability	VCID-k8fr-zuyx-yyhg

vulnerability	VCID-x373-rhh4-7khm

vulnerability	VCID-xpa3-1n87-8ucv

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.16

aliases CVE-2025-49007, GHSA-47m2-26rw-j2jw

risk_score 3.4

exploitability 0.5

weighted_severity 6.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-7cef-z5qm-afd8

url VCID-amfu-8d25-juhy

vulnerability_id VCID-amfu-8d25-juhy

summary

Rack has an unsafe default in Rack::QueryParser allows params_limit bypass via semicolon-separated parameters
`Rack::QueryParser` in version `< 2.2.18` enforces its `params_limit` only for parameters separated by `&`, while still splitting on both `&` and `;`. As a result, attackers could use `;` separators to bypass the parameter count limit and submit more parameters than intended.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59830.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59830.json

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/rack/rack

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack

reference_url

https://github.com/rack/rack/commit/54e4ffdd5affebcb0c015cc6ae74635c0831ed71

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-25T16:14:17Z/

url

https://github.com/rack/rack/commit/54e4ffdd5affebcb0c015cc6ae74635c0831ed71

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116431
reference_id	1116431
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116431

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2398167
reference_id	2398167
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2398167

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-59830

reference_id

CVE-2025-59830

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-59830

reference_url	https://github.com/advisories/GHSA-625h-95r8-8xpm
reference_id	GHSA-625h-95r8-8xpm
reference_type
scores
url	https://github.com/advisories/GHSA-625h-95r8-8xpm

reference_url

https://github.com/rack/rack/security/advisories/GHSA-625h-95r8-8xpm

reference_id

GHSA-625h-95r8-8xpm

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-25T16:14:17Z/

url

https://github.com/rack/rack/security/advisories/GHSA-625h-95r8-8xpm

reference_url	https://access.redhat.com/errata/RHSA-2025:19512
reference_id	RHSA-2025:19512
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19512

reference_url	https://access.redhat.com/errata/RHSA-2025:19513
reference_id	RHSA-2025:19513
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19513

reference_url	https://access.redhat.com/errata/RHSA-2025:19647
reference_id	RHSA-2025:19647
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19647

reference_url	https://access.redhat.com/errata/RHSA-2025:19719
reference_id	RHSA-2025:19719
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19719

reference_url	https://access.redhat.com/errata/RHSA-2025:19733
reference_id	RHSA-2025:19733
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19733

reference_url	https://access.redhat.com/errata/RHSA-2025:19734
reference_id	RHSA-2025:19734
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19734

reference_url	https://access.redhat.com/errata/RHSA-2025:19736
reference_id	RHSA-2025:19736
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19736

reference_url	https://access.redhat.com/errata/RHSA-2025:19800
reference_id	RHSA-2025:19800
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19800

reference_url	https://access.redhat.com/errata/RHSA-2025:19832
reference_id	RHSA-2025:19832
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19832

reference_url	https://access.redhat.com/errata/RHSA-2025:19855
reference_id	RHSA-2025:19855
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19855

reference_url	https://access.redhat.com/errata/RHSA-2025:19856
reference_id	RHSA-2025:19856
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19856

reference_url	https://access.redhat.com/errata/RHSA-2025:19948
reference_id	RHSA-2025:19948
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19948

reference_url	https://access.redhat.com/errata/RHSA-2025:20962
reference_id	RHSA-2025:20962
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:20962

reference_url	https://access.redhat.com/errata/RHSA-2025:21036
reference_id	RHSA-2025:21036
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:21036

fixed_packages

url pkg:gem/rack@2.2.18

purl pkg:gem/rack@2.2.18

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3jru-u17n-tyg1

vulnerability	VCID-bj83-rx84-v3g9

vulnerability	VCID-dss4-6ptr-83av

vulnerability	VCID-e11g-k7zm-vkhu

vulnerability	VCID-k8fr-zuyx-yyhg

vulnerability	VCID-x373-rhh4-7khm

vulnerability	VCID-xpa3-1n87-8ucv

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.18

url pkg:gem/rack@3.0.0.beta1

purl pkg:gem/rack@3.0.0.beta1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3jru-u17n-tyg1

vulnerability	VCID-52qe-dast-tkhu

vulnerability	VCID-7cef-z5qm-afd8

vulnerability	VCID-bj83-rx84-v3g9

vulnerability	VCID-bqpn-m2fh-9kab

vulnerability	VCID-c9mc-7nts-cfgy

vulnerability	VCID-dss4-6ptr-83av

vulnerability	VCID-e11g-k7zm-vkhu

vulnerability	VCID-ebb6-b5tx-5bhf

vulnerability	VCID-heu4-cd3d-73ck

vulnerability	VCID-hpw3-uw3x-mqgq

vulnerability	VCID-k8fr-zuyx-yyhg

vulnerability	VCID-pydr-47y4-y3fu

vulnerability	VCID-u1u4-7b3v-fue7

vulnerability	VCID-vk15-7qdb-xkh9

vulnerability	VCID-x373-rhh4-7khm

vulnerability	VCID-xpa3-1n87-8ucv

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.0.beta1

aliases CVE-2025-59830, GHSA-625h-95r8-8xpm

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-amfu-8d25-juhy

url VCID-bj83-rx84-v3g9

vulnerability_id VCID-bj83-rx84-v3g9

summary

Rack has a Directory Traversal via Rack:Directory
`Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22860.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22860.json

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/rack/rack

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack

reference_url

https://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-18T19:27:31Z/

url

https://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128479
reference_id	1128479
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128479

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2440737
reference_id	2440737
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2440737

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-22860

reference_id

CVE-2026-22860

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-22860

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-22860.yml

reference_id

CVE-2026-22860.YML

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-22860.yml

reference_url	https://github.com/advisories/GHSA-mxw3-3hh2-x2mh
reference_id	GHSA-mxw3-3hh2-x2mh
reference_type
scores
url	https://github.com/advisories/GHSA-mxw3-3hh2-x2mh

reference_url

https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh

reference_id

GHSA-mxw3-3hh2-x2mh

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-18T19:27:31Z/

url

https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh

fixed_packages

url pkg:gem/rack@2.2.22

purl pkg:gem/rack@2.2.22

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-bj83-rx84-v3g9

vulnerability	VCID-x373-rhh4-7khm

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.22

url pkg:gem/rack@3.1.20

purl pkg:gem/rack@3.1.20

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-bj83-rx84-v3g9

vulnerability	VCID-x373-rhh4-7khm

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.20

url pkg:gem/rack@3.2.5

purl pkg:gem/rack@3.2.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-bj83-rx84-v3g9

vulnerability	VCID-x373-rhh4-7khm

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.5

aliases CVE-2026-22860, GHSA-mxw3-3hh2-x2mh

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-bj83-rx84-v3g9

url VCID-dss4-6ptr-83av

vulnerability_id VCID-dss4-6ptr-83av

summary

Rack: Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
`Rack::Multipart::Parser` stores non-file form fields (parts without a `filename`) entirely in memory as Ruby `String` objects. A single large text field in a multipart/form-data request (hundreds of megabytes or more) can consume equivalent process memory, potentially leading to out-of-memory (OOM) conditions and denial of service (DoS).

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61771.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61771.json

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/rack/rack

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack

reference_url

https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:58Z/

url

https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e

reference_url

https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:58Z/

url

https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e

reference_url

https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:58Z/

url

https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117628
reference_id	1117628
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117628

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2402175
reference_id	2402175
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2402175

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-61771

reference_id

CVE-2025-61771

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-61771

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61771.yml

reference_id

CVE-2025-61771.YML

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61771.yml

reference_url	https://github.com/advisories/GHSA-w9pc-fmgc-vxvw
reference_id	GHSA-w9pc-fmgc-vxvw
reference_type
scores
url	https://github.com/advisories/GHSA-w9pc-fmgc-vxvw

reference_url

https://github.com/rack/rack/security/advisories/GHSA-w9pc-fmgc-vxvw

reference_id

GHSA-w9pc-fmgc-vxvw

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:58Z/

url

https://github.com/rack/rack/security/advisories/GHSA-w9pc-fmgc-vxvw

reference_url	https://access.redhat.com/errata/RHSA-2025:19512
reference_id	RHSA-2025:19512
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19512

reference_url	https://access.redhat.com/errata/RHSA-2025:19513
reference_id	RHSA-2025:19513
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19513

reference_url	https://access.redhat.com/errata/RHSA-2025:19647
reference_id	RHSA-2025:19647
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19647

reference_url	https://access.redhat.com/errata/RHSA-2025:19719
reference_id	RHSA-2025:19719
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19719

reference_url	https://access.redhat.com/errata/RHSA-2025:19734
reference_id	RHSA-2025:19734
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19734

reference_url	https://access.redhat.com/errata/RHSA-2025:19800
reference_id	RHSA-2025:19800
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19800

reference_url	https://access.redhat.com/errata/RHSA-2025:19948
reference_id	RHSA-2025:19948
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19948

reference_url	https://access.redhat.com/errata/RHSA-2025:20962
reference_id	RHSA-2025:20962
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:20962

reference_url	https://access.redhat.com/errata/RHSA-2025:21036
reference_id	RHSA-2025:21036
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:21036

reference_url	https://access.redhat.com/errata/RHSA-2025:21696
reference_id	RHSA-2025:21696
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:21696

fixed_packages

url pkg:gem/rack@2.2.19

purl pkg:gem/rack@2.2.19

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3jru-u17n-tyg1

vulnerability	VCID-bj83-rx84-v3g9

vulnerability	VCID-e11g-k7zm-vkhu

vulnerability	VCID-x373-rhh4-7khm

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.19

url pkg:gem/rack@3.1.17

purl pkg:gem/rack@3.1.17

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3jru-u17n-tyg1

vulnerability	VCID-bj83-rx84-v3g9

vulnerability	VCID-e11g-k7zm-vkhu

vulnerability	VCID-x373-rhh4-7khm

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.17

url pkg:gem/rack@3.2.2

purl pkg:gem/rack@3.2.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3jru-u17n-tyg1

vulnerability	VCID-bj83-rx84-v3g9

vulnerability	VCID-e11g-k7zm-vkhu

vulnerability	VCID-x373-rhh4-7khm

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.2

aliases CVE-2025-61771, GHSA-w9pc-fmgc-vxvw

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-dss4-6ptr-83av

url VCID-e11g-k7zm-vkhu

vulnerability_id VCID-e11g-k7zm-vkhu

summary

Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing
`Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61919.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61919.json

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/rack/rack

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack

reference_url

https://github.com/rack/rack/commit/4e2c903991a790ee211a3021808ff4fd6fe82881

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:48:10Z/

url

https://github.com/rack/rack/commit/4e2c903991a790ee211a3021808ff4fd6fe82881

reference_url

https://github.com/rack/rack/commit/cbd541e8a3d0c5830a3c9a30d3718ce2e124f9db

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:48:10Z/

url

https://github.com/rack/rack/commit/cbd541e8a3d0c5830a3c9a30d3718ce2e124f9db

reference_url

https://github.com/rack/rack/commit/e179614c4a653283286f5f046428cbb85f21146f

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:48:10Z/

url

https://github.com/rack/rack/commit/e179614c4a653283286f5f046428cbb85f21146f

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117856
reference_id	1117856
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117856

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2403180
reference_id	2403180
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2403180

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-61919

reference_id

CVE-2025-61919

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-61919

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61919.yml

reference_id

CVE-2025-61919.YML

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61919.yml

reference_url	https://github.com/advisories/GHSA-6xw4-3v39-52mm
reference_id	GHSA-6xw4-3v39-52mm
reference_type
scores
url	https://github.com/advisories/GHSA-6xw4-3v39-52mm

reference_url

https://github.com/rack/rack/security/advisories/GHSA-6xw4-3v39-52mm

reference_id

GHSA-6xw4-3v39-52mm

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:48:10Z/

url

https://github.com/rack/rack/security/advisories/GHSA-6xw4-3v39-52mm

reference_url	https://access.redhat.com/errata/RHSA-2025:19512
reference_id	RHSA-2025:19512
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19512

reference_url	https://access.redhat.com/errata/RHSA-2025:19513
reference_id	RHSA-2025:19513
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19513

reference_url	https://access.redhat.com/errata/RHSA-2025:19647
reference_id	RHSA-2025:19647
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19647

reference_url	https://access.redhat.com/errata/RHSA-2025:19719
reference_id	RHSA-2025:19719
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19719

reference_url	https://access.redhat.com/errata/RHSA-2025:19733
reference_id	RHSA-2025:19733
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19733

reference_url	https://access.redhat.com/errata/RHSA-2025:19734
reference_id	RHSA-2025:19734
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19734

reference_url	https://access.redhat.com/errata/RHSA-2025:19736
reference_id	RHSA-2025:19736
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19736

reference_url	https://access.redhat.com/errata/RHSA-2025:19800
reference_id	RHSA-2025:19800
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19800

reference_url	https://access.redhat.com/errata/RHSA-2025:19832
reference_id	RHSA-2025:19832
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19832

reference_url	https://access.redhat.com/errata/RHSA-2025:19855
reference_id	RHSA-2025:19855
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19855

reference_url	https://access.redhat.com/errata/RHSA-2025:19856
reference_id	RHSA-2025:19856
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19856

reference_url	https://access.redhat.com/errata/RHSA-2025:19948
reference_id	RHSA-2025:19948
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19948

reference_url	https://access.redhat.com/errata/RHSA-2025:20962
reference_id	RHSA-2025:20962
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:20962

reference_url	https://access.redhat.com/errata/RHSA-2025:21036
reference_id	RHSA-2025:21036
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:21036

reference_url	https://access.redhat.com/errata/RHSA-2025:21696
reference_id	RHSA-2025:21696
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:21696

fixed_packages

url pkg:gem/rack@2.2.20

purl pkg:gem/rack@2.2.20

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-bj83-rx84-v3g9

vulnerability	VCID-x373-rhh4-7khm

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.20

url pkg:gem/rack@3.1.18

purl pkg:gem/rack@3.1.18

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-bj83-rx84-v3g9

vulnerability	VCID-x373-rhh4-7khm

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.18

url pkg:gem/rack@3.2.3

purl pkg:gem/rack@3.2.3

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-bj83-rx84-v3g9

vulnerability	VCID-x373-rhh4-7khm

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.3

aliases CVE-2025-61919, GHSA-6xw4-3v39-52mm

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-e11g-k7zm-vkhu

url VCID-k8fr-zuyx-yyhg

vulnerability_id VCID-k8fr-zuyx-yyhg

summary

Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
`Rack::Multipart::Parser` can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line (`CRLFCRLF`). The parser keeps appending incoming bytes to memory without a size cap, allowing a remote attacker to exhaust memory and cause a denial of service (DoS).

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61772.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61772.json

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/rack/rack

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack

reference_url

https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:19Z/

url

https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e

reference_url

https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:19Z/

url

https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e

reference_url

https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:19Z/

url

https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117627
reference_id	1117627
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117627

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2402200
reference_id	2402200
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2402200

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-61772

reference_id

CVE-2025-61772

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-61772

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61772.yml

reference_id

CVE-2025-61772.YML

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61772.yml

reference_url	https://github.com/advisories/GHSA-wpv5-97wm-hp9c
reference_id	GHSA-wpv5-97wm-hp9c
reference_type
scores
url	https://github.com/advisories/GHSA-wpv5-97wm-hp9c

reference_url

https://github.com/rack/rack/security/advisories/GHSA-wpv5-97wm-hp9c

reference_id

GHSA-wpv5-97wm-hp9c

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:19Z/

url

https://github.com/rack/rack/security/advisories/GHSA-wpv5-97wm-hp9c

reference_url	https://access.redhat.com/errata/RHSA-2025:19512
reference_id	RHSA-2025:19512
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19512

reference_url	https://access.redhat.com/errata/RHSA-2025:19513
reference_id	RHSA-2025:19513
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19513

reference_url	https://access.redhat.com/errata/RHSA-2025:19647
reference_id	RHSA-2025:19647
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19647

reference_url	https://access.redhat.com/errata/RHSA-2025:19719
reference_id	RHSA-2025:19719
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19719

reference_url	https://access.redhat.com/errata/RHSA-2025:19733
reference_id	RHSA-2025:19733
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19733

reference_url	https://access.redhat.com/errata/RHSA-2025:19734
reference_id	RHSA-2025:19734
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19734

reference_url	https://access.redhat.com/errata/RHSA-2025:19736
reference_id	RHSA-2025:19736
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19736

reference_url	https://access.redhat.com/errata/RHSA-2025:19800
reference_id	RHSA-2025:19800
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19800

reference_url	https://access.redhat.com/errata/RHSA-2025:19948
reference_id	RHSA-2025:19948
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19948

reference_url	https://access.redhat.com/errata/RHSA-2025:20962
reference_id	RHSA-2025:20962
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:20962

reference_url	https://access.redhat.com/errata/RHSA-2025:21036
reference_id	RHSA-2025:21036
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:21036

fixed_packages

url pkg:gem/rack@2.2.19

purl pkg:gem/rack@2.2.19

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3jru-u17n-tyg1

vulnerability	VCID-bj83-rx84-v3g9

vulnerability	VCID-e11g-k7zm-vkhu

vulnerability	VCID-x373-rhh4-7khm

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.19

url pkg:gem/rack@3.1.17

purl pkg:gem/rack@3.1.17

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3jru-u17n-tyg1

vulnerability	VCID-bj83-rx84-v3g9

vulnerability	VCID-e11g-k7zm-vkhu

vulnerability	VCID-x373-rhh4-7khm

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.17

url pkg:gem/rack@3.2.2

purl pkg:gem/rack@3.2.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3jru-u17n-tyg1

vulnerability	VCID-bj83-rx84-v3g9

vulnerability	VCID-e11g-k7zm-vkhu

vulnerability	VCID-x373-rhh4-7khm

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.2

aliases CVE-2025-61772, GHSA-wpv5-97wm-hp9c

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-k8fr-zuyx-yyhg

url VCID-vk15-7qdb-xkh9

vulnerability_id VCID-vk15-7qdb-xkh9

summary

Escape Sequence Injection vulnerability in Rack lead to Possible Log Injection
## Summary

`Rack::Sendfile` can be exploited by crafting input that
includes newline characters to manipulate log entries.

## Details

The `Rack::Sendfile` middleware logs unsanitized header values from
the `X-Sendfile-Type` header. An attacker can exploit this by
injecting escape sequences (such as newline characters) into the
header, resulting in log injection.

## Impact

This vulnerability can distort log files, obscure
attack traces, and complicate security auditing.

## Mitigation

- Update to the latest version of Rack, or
- Remove usage of `Rack::Sendfile`.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27111.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27111.json

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/rack/rack

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack

reference_url

https://github.com/rack/rack/commit/803aa221e8302719715e224f4476e438f2531a53

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-04T15:44:28Z/

url

https://github.com/rack/rack/commit/803aa221e8302719715e224f4476e438f2531a53

reference_url

https://github.com/rack/rack/commit/aeac570bb8080ca7b53b7f2e2f67498be7ebd30b

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-04T15:44:28Z/

url

https://github.com/rack/rack/commit/aeac570bb8080ca7b53b7f2e2f67498be7ebd30b

reference_url

https://github.com/rack/rack/commit/b13bc6bfc7506aca3478dc5ac1c2ec6fc53f82a3

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-04T15:44:28Z/

url

https://github.com/rack/rack/commit/b13bc6bfc7506aca3478dc5ac1c2ec6fc53f82a3

reference_url

https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-04T15:44:28Z/

url

https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v

reference_url

https://lists.debian.org/debian-lts-announce/2025/03/msg00016.html

reference_id

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://lists.debian.org/debian-lts-announce/2025/03/msg00016.html

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1099546
reference_id	1099546
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1099546

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2349810
reference_id	2349810
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2349810

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-27111

reference_id

CVE-2025-27111

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-27111

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-27111.yml

reference_id

CVE-2025-27111.YML

reference_type

scores

value	6.9
scoring_system	cvssv4
scoring_elements	CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-27111.yml

reference_url	https://github.com/advisories/GHSA-8cgq-6mh2-7j6v
reference_id	GHSA-8cgq-6mh2-7j6v
reference_type
scores
url	https://github.com/advisories/GHSA-8cgq-6mh2-7j6v

fixed_packages

url pkg:gem/rack@2.2.12

purl pkg:gem/rack@2.2.12

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3jru-u17n-tyg1

vulnerability	VCID-7cef-z5qm-afd8

vulnerability	VCID-amfu-8d25-juhy

vulnerability	VCID-bj83-rx84-v3g9

vulnerability	VCID-dss4-6ptr-83av

vulnerability	VCID-e11g-k7zm-vkhu

vulnerability	VCID-k8fr-zuyx-yyhg

vulnerability	VCID-x373-rhh4-7khm

vulnerability	VCID-xpa3-1n87-8ucv

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.12

url pkg:gem/rack@3.0.13

purl pkg:gem/rack@3.0.13

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3jru-u17n-tyg1

vulnerability	VCID-7cef-z5qm-afd8

vulnerability	VCID-bj83-rx84-v3g9

vulnerability	VCID-dss4-6ptr-83av

vulnerability	VCID-e11g-k7zm-vkhu

vulnerability	VCID-k8fr-zuyx-yyhg

vulnerability	VCID-x373-rhh4-7khm

vulnerability	VCID-xpa3-1n87-8ucv

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.13

url pkg:gem/rack@3.1.11

purl pkg:gem/rack@3.1.11

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3jru-u17n-tyg1

vulnerability	VCID-7cef-z5qm-afd8

vulnerability	VCID-bj83-rx84-v3g9

vulnerability	VCID-dss4-6ptr-83av

vulnerability	VCID-e11g-k7zm-vkhu

vulnerability	VCID-k8fr-zuyx-yyhg

vulnerability	VCID-x373-rhh4-7khm

vulnerability	VCID-xpa3-1n87-8ucv

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.11

aliases CVE-2025-27111, GHSA-8cgq-6mh2-7j6v

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-vk15-7qdb-xkh9

url VCID-x373-rhh4-7khm

vulnerability_id VCID-x373-rhh4-7khm

summary

Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href
`Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename begins with the `javascript:` scheme (e.g. `javascript:alert(1)`), the generated index includes an anchor whose `href` attribute is exactly `javascript:alert(1)`. Clicking this entry executes arbitrary JavaScript in the context of the hosting application.

This results in a client-side XSS condition in directory listings generated by `Rack::Directory`.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25500.json

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25500.json

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/rack/rack

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack

reference_url

https://github.com/rack/rack/commit/f2f225f297b99fbee3d9f51255d41f601fc40aff

reference_id

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-18T19:42:04Z/

url

https://github.com/rack/rack/commit/f2f225f297b99fbee3d9f51255d41f601fc40aff

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128480
reference_id	1128480
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128480

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2440738
reference_id	2440738
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2440738

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2026-25500

reference_id

CVE-2026-25500

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2026-25500

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-25500.yml

reference_id

CVE-2026-25500.YML

reference_type

scores

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-25500.yml

reference_url	https://github.com/advisories/GHSA-whrj-4476-wvmp
reference_id	GHSA-whrj-4476-wvmp
reference_type
scores
url	https://github.com/advisories/GHSA-whrj-4476-wvmp

reference_url

https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp

reference_id

GHSA-whrj-4476-wvmp

reference_type

scores

value	5.4
scoring_system	cvssv3
scoring_elements

value	5.4
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

value	MODERATE
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-18T19:42:04Z/

url

https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp

fixed_packages

url pkg:gem/rack@2.2.22

purl pkg:gem/rack@2.2.22

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-bj83-rx84-v3g9

vulnerability	VCID-x373-rhh4-7khm

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.22

url pkg:gem/rack@3.1.20

purl pkg:gem/rack@3.1.20

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-bj83-rx84-v3g9

vulnerability	VCID-x373-rhh4-7khm

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.20

url pkg:gem/rack@3.2.5

purl pkg:gem/rack@3.2.5

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-bj83-rx84-v3g9

vulnerability	VCID-x373-rhh4-7khm

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.5

aliases CVE-2026-25500, GHSA-whrj-4476-wvmp

risk_score 3.1

exploitability 0.5

weighted_severity 6.2

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-x373-rhh4-7khm

url VCID-xpa3-1n87-8ucv

vulnerability_id VCID-xpa3-1n87-8ucv

summary

Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion)
`Rack::Multipart::Parser` buffers the entire multipart **preamble** (bytes before the first boundary) in memory without any size limit. A client can send a large preamble followed by a valid boundary, causing significant memory use and potential process termination due to out-of-memory (OOM) conditions.

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61770.json

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61770.json

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/rack/rack

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack

reference_url

https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T15:23:07Z/

url

https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e

reference_url

https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T15:23:07Z/

url

https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e

reference_url

https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd

reference_id

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T15:23:07Z/

url

https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117627
reference_id	1117627
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117627

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2402174
reference_id	2402174
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2402174

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2025-61770

reference_id

CVE-2025-61770

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2025-61770

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61770.yml

reference_id

CVE-2025-61770.YML

reference_type

scores

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61770.yml

reference_url	https://github.com/advisories/GHSA-p543-xpfm-54cp
reference_id	GHSA-p543-xpfm-54cp
reference_type
scores
url	https://github.com/advisories/GHSA-p543-xpfm-54cp

reference_url

https://github.com/rack/rack/security/advisories/GHSA-p543-xpfm-54cp

reference_id

GHSA-p543-xpfm-54cp

reference_type

scores

value	7.5
scoring_system	cvssv3
scoring_elements

value	7.5
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

value	HIGH
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T15:23:07Z/

url

https://github.com/rack/rack/security/advisories/GHSA-p543-xpfm-54cp

reference_url	https://access.redhat.com/errata/RHSA-2025:19512
reference_id	RHSA-2025:19512
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19512

reference_url	https://access.redhat.com/errata/RHSA-2025:19513
reference_id	RHSA-2025:19513
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19513

reference_url	https://access.redhat.com/errata/RHSA-2025:19647
reference_id	RHSA-2025:19647
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19647

reference_url	https://access.redhat.com/errata/RHSA-2025:19719
reference_id	RHSA-2025:19719
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19719

reference_url	https://access.redhat.com/errata/RHSA-2025:19733
reference_id	RHSA-2025:19733
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19733

reference_url	https://access.redhat.com/errata/RHSA-2025:19734
reference_id	RHSA-2025:19734
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19734

reference_url	https://access.redhat.com/errata/RHSA-2025:19736
reference_id	RHSA-2025:19736
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19736

reference_url	https://access.redhat.com/errata/RHSA-2025:19800
reference_id	RHSA-2025:19800
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19800

reference_url	https://access.redhat.com/errata/RHSA-2025:19948
reference_id	RHSA-2025:19948
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:19948

reference_url	https://access.redhat.com/errata/RHSA-2025:20962
reference_id	RHSA-2025:20962
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:20962

reference_url	https://access.redhat.com/errata/RHSA-2025:21036
reference_id	RHSA-2025:21036
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:21036

reference_url	https://access.redhat.com/errata/RHSA-2025:21696
reference_id	RHSA-2025:21696
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2025:21696

fixed_packages

url pkg:gem/rack@2.2.19

purl pkg:gem/rack@2.2.19

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3jru-u17n-tyg1

vulnerability	VCID-bj83-rx84-v3g9

vulnerability	VCID-e11g-k7zm-vkhu

vulnerability	VCID-x373-rhh4-7khm

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.19

url pkg:gem/rack@3.1.17

purl pkg:gem/rack@3.1.17

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3jru-u17n-tyg1

vulnerability	VCID-bj83-rx84-v3g9

vulnerability	VCID-e11g-k7zm-vkhu

vulnerability	VCID-x373-rhh4-7khm

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.17

url pkg:gem/rack@3.2.2

purl pkg:gem/rack@3.2.2

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3jru-u17n-tyg1

vulnerability	VCID-bj83-rx84-v3g9

vulnerability	VCID-e11g-k7zm-vkhu

vulnerability	VCID-x373-rhh4-7khm

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.2

aliases CVE-2025-61770, GHSA-p543-xpfm-54cp

risk_score 4.0

exploitability 0.5

weighted_severity 8.0

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-xpa3-1n87-8ucv

Fixing_vulnerabilities

url VCID-52qe-dast-tkhu

vulnerability_id VCID-52qe-dast-tkhu

summary

Rack Header Parsing leads to Possible Denial of Service Vulnerability
# Possible Denial of Service Vulnerability in Rack Header Parsing

There is a possible denial of service vulnerability in the header parsing
routines in Rack.  This vulnerability has been assigned the CVE identifier
CVE-2024-26146.

Versions Affected:  All.
Not affected:       None
Fixed Versions:     2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1

Impact
------
Carefully crafted headers can cause header parsing in Rack to take longer than
expected resulting in a possible denial of service issue. Accept and Forwarded
headers are impacted.

Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2
or newer are unaffected.

Releases
--------
The fixed releases are available at the normal locations.

Workarounds
-----------
There are no feasible workarounds for this issue.

Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.

* 2-0-header-redos.patch - Patch for 2.0 series
* 2-1-header-redos.patch - Patch for 2.1 series
* 2-2-header-redos.patch - Patch for 2.2 series
* 3-0-header-redos.patch - Patch for 3.0 series

Credits
-------

Thanks to [svalkanov](https://hackerone.com/svalkanov) for reporting this and
providing patches!

references

reference_url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26146.json

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2024-26146.json

reference_url

https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/

url

https://discuss.rubyonrails.org/t/possible-denial-of-service-vulnerability-in-rack-header-parsing/84942

reference_url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

url

https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml

reference_url

https://github.com/rack/rack

reference_id

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://github.com/rack/rack

reference_url

https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/

url

https://github.com/rack/rack/commit/30b8e39a578b25d4bdcc082c1c52c6f164b59716

reference_url

https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/

url

https://github.com/rack/rack/commit/6c5d90bdcec0949f7ba06db62fb740dab394b582

reference_url

https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/

url

https://github.com/rack/rack/commit/a227cd793778c7c3a827d32808058571569cda6f

reference_url

https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd

reference_id

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/

url

https://github.com/rack/rack/commit/e4c117749ba24a66f8ec5a08eddf68deeb425ccd

reference_url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064516
reference_id	1064516
reference_type
scores
url	https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064516

reference_url	https://bugzilla.redhat.com/show_bug.cgi?id=2265595
reference_id	2265595
reference_type
scores
url	https://bugzilla.redhat.com/show_bug.cgi?id=2265595

reference_url

https://nvd.nist.gov/vuln/detail/CVE-2024-26146

reference_id

CVE-2024-26146

reference_type

scores

value	LOW
scoring_system	generic_textual
scoring_elements

url

https://nvd.nist.gov/vuln/detail/CVE-2024-26146

reference_url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml

reference_id

CVE-2024-26146.YML

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/

url

https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2024-26146.yml

reference_url	https://github.com/advisories/GHSA-54rr-7fvw-6x8f
reference_id	GHSA-54rr-7fvw-6x8f
reference_type
scores
url	https://github.com/advisories/GHSA-54rr-7fvw-6x8f

reference_url

https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f

reference_id

GHSA-54rr-7fvw-6x8f

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	LOW
scoring_system	generic_textual
scoring_elements

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/

url

https://github.com/rack/rack/security/advisories/GHSA-54rr-7fvw-6x8f

reference_url

https://security.netapp.com/advisory/ntap-20240510-0006/

reference_id

ntap-20240510-0006

reference_type

scores

value	5.3
scoring_system	cvssv3.1
scoring_elements	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L

value	Track
scoring_system	ssvc
scoring_elements	SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2024-02-29T17:31:54Z/

url

https://security.netapp.com/advisory/ntap-20240510-0006/

reference_url	https://access.redhat.com/errata/RHSA-2024:10806
reference_id	RHSA-2024:10806
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:10806

reference_url	https://access.redhat.com/errata/RHSA-2024:1841
reference_id	RHSA-2024:1841
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:1841

reference_url	https://access.redhat.com/errata/RHSA-2024:1846
reference_id	RHSA-2024:1846
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:1846

reference_url	https://access.redhat.com/errata/RHSA-2024:2007
reference_id	RHSA-2024:2007
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:2007

reference_url	https://access.redhat.com/errata/RHSA-2024:2113
reference_id	RHSA-2024:2113
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:2113

reference_url	https://access.redhat.com/errata/RHSA-2024:2581
reference_id	RHSA-2024:2581
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:2581

reference_url	https://access.redhat.com/errata/RHSA-2024:2584
reference_id	RHSA-2024:2584
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:2584

reference_url	https://access.redhat.com/errata/RHSA-2024:2953
reference_id	RHSA-2024:2953
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:2953

reference_url	https://access.redhat.com/errata/RHSA-2024:3431
reference_id	RHSA-2024:3431
reference_type
scores
url	https://access.redhat.com/errata/RHSA-2024:3431

fixed_packages

url pkg:gem/rack@2.0.9.4

purl pkg:gem/rack@2.0.9.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3jru-u17n-tyg1

vulnerability	VCID-7cef-z5qm-afd8

vulnerability	VCID-amfu-8d25-juhy

vulnerability	VCID-bj83-rx84-v3g9

vulnerability	VCID-dss4-6ptr-83av

vulnerability	VCID-e11g-k7zm-vkhu

vulnerability	VCID-k8fr-zuyx-yyhg

vulnerability	VCID-vk15-7qdb-xkh9

vulnerability	VCID-x373-rhh4-7khm

vulnerability	VCID-xpa3-1n87-8ucv

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.0.9.4

url pkg:gem/rack@2.1.4.4

purl pkg:gem/rack@2.1.4.4

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3jru-u17n-tyg1

vulnerability	VCID-7cef-z5qm-afd8

vulnerability	VCID-amfu-8d25-juhy

vulnerability	VCID-bj83-rx84-v3g9

vulnerability	VCID-dss4-6ptr-83av

vulnerability	VCID-e11g-k7zm-vkhu

vulnerability	VCID-k8fr-zuyx-yyhg

vulnerability	VCID-vk15-7qdb-xkh9

vulnerability	VCID-x373-rhh4-7khm

vulnerability	VCID-xpa3-1n87-8ucv

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.1.4.4

url pkg:gem/rack@2.2.8.1

purl pkg:gem/rack@2.2.8.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3jru-u17n-tyg1

vulnerability	VCID-7cef-z5qm-afd8

vulnerability	VCID-amfu-8d25-juhy

vulnerability	VCID-bj83-rx84-v3g9

vulnerability	VCID-dss4-6ptr-83av

vulnerability	VCID-e11g-k7zm-vkhu

vulnerability	VCID-k8fr-zuyx-yyhg

vulnerability	VCID-vk15-7qdb-xkh9

vulnerability	VCID-x373-rhh4-7khm

vulnerability	VCID-xpa3-1n87-8ucv

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.8.1

url pkg:gem/rack@3.0.9.1

purl pkg:gem/rack@3.0.9.1

is_vulnerable true

affected_by_vulnerabilities

vulnerability	VCID-3jru-u17n-tyg1

vulnerability	VCID-7cef-z5qm-afd8

vulnerability	VCID-bj83-rx84-v3g9

vulnerability	VCID-dss4-6ptr-83av

vulnerability	VCID-e11g-k7zm-vkhu

vulnerability	VCID-k8fr-zuyx-yyhg

vulnerability	VCID-vk15-7qdb-xkh9

vulnerability	VCID-x373-rhh4-7khm

vulnerability	VCID-xpa3-1n87-8ucv

resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.9.1

aliases CVE-2024-26146, GHSA-54rr-7fvw-6x8f

risk_score 2.4

exploitability 0.5

weighted_severity 4.8

resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-52qe-dast-tkhu

Risk_score 4.0

Resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.0.9.4

Package Instance