Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/70645?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/70645?format=api", "purl": "pkg:gem/rack@2.2.18", "type": "gem", "namespace": "", "name": "rack", "version": "2.2.18", "qualifiers": {}, "subpath": "", "is_vulnerable": true, "next_non_vulnerable_version": "2.2.23", "latest_non_vulnerable_version": "3.2.6", "affected_by_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/48004?format=api", "vulnerability_id": "VCID-3jru-u17n-tyg1", "summary": "Rack has a Possible Information Disclosure Vulnerability\nA possible information disclosure vulnerability existed in `Rack::Sendfile` when running behind a proxy that supports `x-sendfile` headers (such as Nginx). Specially crafted headers could cause `Rack::Sendfile` to miscommunicate with the proxy and trigger unintended internal requests, potentially bypassing proxy-level access restrictions.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61780.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61780.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61780", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00011", "scoring_system": "epss", "scoring_elements": "0.01455", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61780" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61780", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61780" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/commit/57277b7741581fa827472c5c666f6e6a33abd784", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:34:55Z/" } ], "url": "https://github.com/rack/rack/commit/57277b7741581fa827472c5c666f6e6a33abd784" }, { "reference_url": "https://github.com/rack/rack/commit/7e69f65eefe9cd2868df9f9f3b0977b86f93523a", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:34:55Z/" } ], "url": "https://github.com/rack/rack/commit/7e69f65eefe9cd2868df9f9f3b0977b86f93523a" }, { "reference_url": "https://github.com/rack/rack/commit/fba2c8bc63eb787ff4b19bc612d315fda6126d85", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:34:55Z/" } ], "url": "https://github.com/rack/rack/commit/fba2c8bc63eb787ff4b19bc612d315fda6126d85" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117855", "reference_id": "1117855", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117855" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2403126", "reference_id": "2403126", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2403126" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61780", "reference_id": "CVE-2025-61780", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61780" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61780.yml", "reference_id": "CVE-2025-61780.YML", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61780.yml" }, { "reference_url": "https://github.com/advisories/GHSA-r657-rxjc-j557", "reference_id": "GHSA-r657-rxjc-j557", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-r657-rxjc-j557" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-r657-rxjc-j557", "reference_id": "GHSA-r657-rxjc-j557", "reference_type": "", "scores": [ { "value": "5.8", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "5.8", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:34:55Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-r657-rxjc-j557" }, { "reference_url": "https://usn.ubuntu.com/7960-1/", "reference_id": "USN-7960-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7960-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/70810?format=api", "purl": "pkg:gem/rack@2.2.20", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-bj83-rx84-v3g9" }, { "vulnerability": "VCID-x373-rhh4-7khm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.20" }, { "url": "http://public2.vulnerablecode.io/api/packages/70811?format=api", "purl": "pkg:gem/rack@3.1.18", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-bj83-rx84-v3g9" }, { "vulnerability": "VCID-x373-rhh4-7khm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.18" }, { "url": "http://public2.vulnerablecode.io/api/packages/70812?format=api", "purl": "pkg:gem/rack@3.2.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-bj83-rx84-v3g9" }, { "vulnerability": "VCID-x373-rhh4-7khm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.3" } ], "aliases": [ "CVE-2025-61780", "GHSA-r657-rxjc-j557" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-3jru-u17n-tyg1" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50172?format=api", "vulnerability_id": "VCID-bj83-rx84-v3g9", "summary": "Rack has a Directory Traversal via Rack:Directory\n`Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22860.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-22860.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-22860", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00123", "scoring_system": "epss", "scoring_elements": "0.31095", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-22860" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22860", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-22860" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-18T19:27:31Z/" } ], "url": "https://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128479", "reference_id": "1128479", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128479" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440737", "reference_id": "2440737", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440737" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22860", "reference_id": "CVE-2026-22860", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22860" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-22860.yml", "reference_id": "CVE-2026-22860.YML", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-22860.yml" }, { "reference_url": "https://github.com/advisories/GHSA-mxw3-3hh2-x2mh", "reference_id": "GHSA-mxw3-3hh2-x2mh", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-mxw3-3hh2-x2mh" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh", "reference_id": "GHSA-mxw3-3hh2-x2mh", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-02-18T19:27:31Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh" }, { "reference_url": "https://usn.ubuntu.com/8066-1/", "reference_id": "USN-8066-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8066-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74064?format=api", "purl": "pkg:gem/rack@2.2.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-bj83-rx84-v3g9" }, { "vulnerability": "VCID-x373-rhh4-7khm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.22" }, { "url": "http://public2.vulnerablecode.io/api/packages/74065?format=api", "purl": "pkg:gem/rack@3.1.20", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-bj83-rx84-v3g9" }, { "vulnerability": "VCID-x373-rhh4-7khm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.20" }, { "url": "http://public2.vulnerablecode.io/api/packages/74066?format=api", "purl": "pkg:gem/rack@3.2.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-bj83-rx84-v3g9" }, { "vulnerability": "VCID-x373-rhh4-7khm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.5" } ], "aliases": [ "CVE-2026-22860", "GHSA-mxw3-3hh2-x2mh" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-bj83-rx84-v3g9" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47952?format=api", "vulnerability_id": "VCID-dss4-6ptr-83av", "summary": "Rack: Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)\n`Rack::Multipart::Parser` stores non-file form fields (parts without a `filename`) entirely in memory as Ruby `String` objects. A single large text field in a multipart/form-data request (hundreds of megabytes or more) can consume equivalent process memory, potentially leading to out-of-memory (OOM) conditions and denial of service (DoS).", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61771.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61771.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61771", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00107", "scoring_system": "epss", "scoring_elements": "0.28604", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61771" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61771", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61771" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:58Z/" } ], "url": "https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e" }, { "reference_url": "https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:58Z/" } ], "url": "https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e" }, { "reference_url": "https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:58Z/" } ], "url": "https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117628", "reference_id": "1117628", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117628" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2402175", "reference_id": "2402175", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2402175" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61771", "reference_id": "CVE-2025-61771", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61771" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61771.yml", "reference_id": "CVE-2025-61771.YML", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61771.yml" }, { "reference_url": "https://github.com/advisories/GHSA-w9pc-fmgc-vxvw", "reference_id": "GHSA-w9pc-fmgc-vxvw", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-w9pc-fmgc-vxvw" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-w9pc-fmgc-vxvw", "reference_id": "GHSA-w9pc-fmgc-vxvw", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:58Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-w9pc-fmgc-vxvw" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19512", "reference_id": "RHSA-2025:19512", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19512" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19513", "reference_id": "RHSA-2025:19513", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19513" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19647", "reference_id": "RHSA-2025:19647", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19647" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19719", "reference_id": "RHSA-2025:19719", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19719" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19734", "reference_id": "RHSA-2025:19734", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19734" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19800", "reference_id": "RHSA-2025:19800", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19800" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19948", "reference_id": "RHSA-2025:19948", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19948" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:20962", "reference_id": "RHSA-2025:20962", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:20962" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:21036", "reference_id": "RHSA-2025:21036", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:21036" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:21696", "reference_id": "RHSA-2025:21696", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:21696" }, { "reference_url": "https://usn.ubuntu.com/7960-1/", "reference_id": "USN-7960-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7960-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/70749?format=api", "purl": "pkg:gem/rack@2.2.19", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3jru-u17n-tyg1" }, { "vulnerability": "VCID-bj83-rx84-v3g9" }, { "vulnerability": "VCID-e11g-k7zm-vkhu" }, { "vulnerability": "VCID-x373-rhh4-7khm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.19" }, { "url": "http://public2.vulnerablecode.io/api/packages/70750?format=api", "purl": "pkg:gem/rack@3.1.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3jru-u17n-tyg1" }, { "vulnerability": "VCID-bj83-rx84-v3g9" }, { "vulnerability": "VCID-e11g-k7zm-vkhu" }, { "vulnerability": "VCID-x373-rhh4-7khm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/70751?format=api", "purl": "pkg:gem/rack@3.2.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3jru-u17n-tyg1" }, { "vulnerability": "VCID-bj83-rx84-v3g9" }, { "vulnerability": "VCID-e11g-k7zm-vkhu" }, { "vulnerability": "VCID-x373-rhh4-7khm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.2" } ], "aliases": [ "CVE-2025-61771", "GHSA-w9pc-fmgc-vxvw" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dss4-6ptr-83av" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/48000?format=api", "vulnerability_id": "VCID-e11g-k7zm-vkhu", "summary": "Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing\n`Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61919.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61919.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61919", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00282", "scoring_system": "epss", "scoring_elements": "0.51855", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61919" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61919", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61919" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/commit/4e2c903991a790ee211a3021808ff4fd6fe82881", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:48:10Z/" } ], "url": "https://github.com/rack/rack/commit/4e2c903991a790ee211a3021808ff4fd6fe82881" }, { "reference_url": "https://github.com/rack/rack/commit/cbd541e8a3d0c5830a3c9a30d3718ce2e124f9db", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:48:10Z/" } ], "url": "https://github.com/rack/rack/commit/cbd541e8a3d0c5830a3c9a30d3718ce2e124f9db" }, { "reference_url": "https://github.com/rack/rack/commit/e179614c4a653283286f5f046428cbb85f21146f", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:48:10Z/" } ], "url": "https://github.com/rack/rack/commit/e179614c4a653283286f5f046428cbb85f21146f" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117856", "reference_id": "1117856", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117856" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2403180", "reference_id": "2403180", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2403180" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61919", "reference_id": "CVE-2025-61919", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61919" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61919.yml", "reference_id": "CVE-2025-61919.YML", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61919.yml" }, { "reference_url": "https://github.com/advisories/GHSA-6xw4-3v39-52mm", "reference_id": "GHSA-6xw4-3v39-52mm", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-6xw4-3v39-52mm" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-6xw4-3v39-52mm", "reference_id": "GHSA-6xw4-3v39-52mm", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:48:10Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-6xw4-3v39-52mm" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19512", "reference_id": "RHSA-2025:19512", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19512" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19513", "reference_id": "RHSA-2025:19513", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19513" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19647", "reference_id": "RHSA-2025:19647", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19647" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19719", "reference_id": "RHSA-2025:19719", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19719" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19733", "reference_id": "RHSA-2025:19733", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19733" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19734", "reference_id": "RHSA-2025:19734", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19734" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19736", "reference_id": "RHSA-2025:19736", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19736" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19800", "reference_id": "RHSA-2025:19800", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19800" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19832", "reference_id": "RHSA-2025:19832", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19832" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19855", "reference_id": "RHSA-2025:19855", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19855" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19856", "reference_id": "RHSA-2025:19856", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19856" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19948", "reference_id": "RHSA-2025:19948", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19948" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:20962", "reference_id": "RHSA-2025:20962", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:20962" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:21036", "reference_id": "RHSA-2025:21036", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:21036" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:21696", "reference_id": "RHSA-2025:21696", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:21696" }, { "reference_url": "https://usn.ubuntu.com/7960-1/", "reference_id": "USN-7960-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7960-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/70810?format=api", "purl": "pkg:gem/rack@2.2.20", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-bj83-rx84-v3g9" }, { "vulnerability": "VCID-x373-rhh4-7khm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.20" }, { "url": "http://public2.vulnerablecode.io/api/packages/70811?format=api", "purl": "pkg:gem/rack@3.1.18", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-bj83-rx84-v3g9" }, { "vulnerability": "VCID-x373-rhh4-7khm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.18" }, { "url": "http://public2.vulnerablecode.io/api/packages/70812?format=api", "purl": "pkg:gem/rack@3.2.3", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-bj83-rx84-v3g9" }, { "vulnerability": "VCID-x373-rhh4-7khm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.3" } ], "aliases": [ "CVE-2025-61919", "GHSA-6xw4-3v39-52mm" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-e11g-k7zm-vkhu" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47962?format=api", "vulnerability_id": "VCID-k8fr-zuyx-yyhg", "summary": "Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)\n`Rack::Multipart::Parser` can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line (`CRLFCRLF`). The parser keeps appending incoming bytes to memory without a size cap, allowing a remote attacker to exhaust memory and cause a denial of service (DoS).", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61772.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.3", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61772.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61772", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00324", "scoring_system": "epss", "scoring_elements": "0.55735", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61772" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61772", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61772" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:19Z/" } ], "url": "https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e" }, { "reference_url": "https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:19Z/" } ], "url": "https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e" }, { "reference_url": "https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:19Z/" } ], "url": "https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117627", "reference_id": "1117627", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117627" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2402200", "reference_id": "2402200", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2402200" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61772", "reference_id": "CVE-2025-61772", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61772" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61772.yml", "reference_id": "CVE-2025-61772.YML", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61772.yml" }, { "reference_url": "https://github.com/advisories/GHSA-wpv5-97wm-hp9c", "reference_id": "GHSA-wpv5-97wm-hp9c", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-wpv5-97wm-hp9c" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-wpv5-97wm-hp9c", "reference_id": "GHSA-wpv5-97wm-hp9c", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T17:51:19Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-wpv5-97wm-hp9c" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19512", "reference_id": "RHSA-2025:19512", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19512" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19513", "reference_id": "RHSA-2025:19513", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19513" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19647", "reference_id": "RHSA-2025:19647", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19647" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19719", "reference_id": "RHSA-2025:19719", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19719" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19733", "reference_id": "RHSA-2025:19733", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19733" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19734", "reference_id": "RHSA-2025:19734", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19734" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19736", "reference_id": "RHSA-2025:19736", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19736" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19800", "reference_id": "RHSA-2025:19800", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19800" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19948", "reference_id": "RHSA-2025:19948", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19948" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:20962", "reference_id": "RHSA-2025:20962", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:20962" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:21036", "reference_id": "RHSA-2025:21036", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:21036" }, { "reference_url": "https://usn.ubuntu.com/7960-1/", "reference_id": "USN-7960-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7960-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/70749?format=api", "purl": "pkg:gem/rack@2.2.19", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3jru-u17n-tyg1" }, { "vulnerability": "VCID-bj83-rx84-v3g9" }, { "vulnerability": "VCID-e11g-k7zm-vkhu" }, { "vulnerability": "VCID-x373-rhh4-7khm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.19" }, { "url": "http://public2.vulnerablecode.io/api/packages/70750?format=api", "purl": "pkg:gem/rack@3.1.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3jru-u17n-tyg1" }, { "vulnerability": "VCID-bj83-rx84-v3g9" }, { "vulnerability": "VCID-e11g-k7zm-vkhu" }, { "vulnerability": "VCID-x373-rhh4-7khm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/70751?format=api", "purl": "pkg:gem/rack@3.2.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3jru-u17n-tyg1" }, { "vulnerability": "VCID-bj83-rx84-v3g9" }, { "vulnerability": "VCID-e11g-k7zm-vkhu" }, { "vulnerability": "VCID-x373-rhh4-7khm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.2" } ], "aliases": [ "CVE-2025-61772", "GHSA-wpv5-97wm-hp9c" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-k8fr-zuyx-yyhg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/50157?format=api", "vulnerability_id": "VCID-x373-rhh4-7khm", "summary": "Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href\n`Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename begins with the `javascript:` scheme (e.g. `javascript:alert(1)`), the generated index includes an anchor whose `href` attribute is exactly `javascript:alert(1)`. Clicking this entry executes arbitrary JavaScript in the context of the hosting application.\n\nThis results in a client-side XSS condition in directory listings generated by `Rack::Directory`.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25500.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2026-25500.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25500", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00025", "scoring_system": "epss", "scoring_elements": "0.07448", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2026-25500" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25500", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-25500" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/commit/f2f225f297b99fbee3d9f51255d41f601fc40aff", "reference_id": "", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-18T19:42:04Z/" } ], "url": "https://github.com/rack/rack/commit/f2f225f297b99fbee3d9f51255d41f601fc40aff" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128480", "reference_id": "1128480", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1128480" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440738", "reference_id": "2440738", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440738" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25500", "reference_id": "CVE-2026-25500", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25500" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-25500.yml", "reference_id": "CVE-2026-25500.YML", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-25500.yml" }, { "reference_url": "https://github.com/advisories/GHSA-whrj-4476-wvmp", "reference_id": "GHSA-whrj-4476-wvmp", "reference_type": "", "scores": [ { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-whrj-4476-wvmp" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp", "reference_id": "GHSA-whrj-4476-wvmp", "reference_type": "", "scores": [ { "value": "5.4", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "5.4", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" }, { "value": "MODERATE", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "MODERATE", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-02-18T19:42:04Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp" }, { "reference_url": "https://usn.ubuntu.com/8066-1/", "reference_id": "USN-8066-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/8066-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/74064?format=api", "purl": "pkg:gem/rack@2.2.22", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-bj83-rx84-v3g9" }, { "vulnerability": "VCID-x373-rhh4-7khm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.22" }, { "url": "http://public2.vulnerablecode.io/api/packages/74065?format=api", "purl": "pkg:gem/rack@3.1.20", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-bj83-rx84-v3g9" }, { "vulnerability": "VCID-x373-rhh4-7khm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.20" }, { "url": "http://public2.vulnerablecode.io/api/packages/74066?format=api", "purl": "pkg:gem/rack@3.2.5", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-bj83-rx84-v3g9" }, { "vulnerability": "VCID-x373-rhh4-7khm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.5" } ], "aliases": [ "CVE-2026-25500", "GHSA-whrj-4476-wvmp" ], "risk_score": 3.1, "exploitability": "0.5", "weighted_severity": "6.2", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-x373-rhh4-7khm" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47963?format=api", "vulnerability_id": "VCID-xpa3-1n87-8ucv", "summary": "Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion)\n`Rack::Multipart::Parser` buffers the entire multipart **preamble** (bytes before the first boundary) in memory without any size limit. A client can send a large preamble followed by a valid boundary, causing significant memory use and potential process termination due to out-of-memory (OOM) conditions.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61770.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61770.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61770", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.00266", "scoring_system": "epss", "scoring_elements": "0.50306", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-61770" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61770", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61770" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T15:23:07Z/" } ], "url": "https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e" }, { "reference_url": "https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T15:23:07Z/" } ], "url": "https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e" }, { "reference_url": "https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T15:23:07Z/" } ], "url": "https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117627", "reference_id": "1117627", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117627" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2402174", "reference_id": "2402174", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2402174" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61770", "reference_id": "CVE-2025-61770", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61770" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61770.yml", "reference_id": "CVE-2025-61770.YML", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61770.yml" }, { "reference_url": "https://github.com/advisories/GHSA-p543-xpfm-54cp", "reference_id": "GHSA-p543-xpfm-54cp", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-p543-xpfm-54cp" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-p543-xpfm-54cp", "reference_id": "GHSA-p543-xpfm-54cp", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-10-07T15:23:07Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-p543-xpfm-54cp" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19512", "reference_id": "RHSA-2025:19512", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19512" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19513", "reference_id": "RHSA-2025:19513", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19513" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19647", "reference_id": "RHSA-2025:19647", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19647" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19719", "reference_id": "RHSA-2025:19719", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19719" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19733", "reference_id": "RHSA-2025:19733", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19733" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19734", "reference_id": "RHSA-2025:19734", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19734" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19736", "reference_id": "RHSA-2025:19736", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19736" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19800", "reference_id": "RHSA-2025:19800", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19800" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19948", "reference_id": "RHSA-2025:19948", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19948" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:20962", "reference_id": "RHSA-2025:20962", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:20962" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:21036", "reference_id": "RHSA-2025:21036", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:21036" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:21696", "reference_id": "RHSA-2025:21696", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:21696" }, { "reference_url": "https://usn.ubuntu.com/7960-1/", "reference_id": "USN-7960-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7960-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/70749?format=api", "purl": "pkg:gem/rack@2.2.19", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3jru-u17n-tyg1" }, { "vulnerability": "VCID-bj83-rx84-v3g9" }, { "vulnerability": "VCID-e11g-k7zm-vkhu" }, { "vulnerability": "VCID-x373-rhh4-7khm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.19" }, { "url": "http://public2.vulnerablecode.io/api/packages/70750?format=api", "purl": "pkg:gem/rack@3.1.17", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3jru-u17n-tyg1" }, { "vulnerability": "VCID-bj83-rx84-v3g9" }, { "vulnerability": "VCID-e11g-k7zm-vkhu" }, { "vulnerability": "VCID-x373-rhh4-7khm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/70751?format=api", "purl": "pkg:gem/rack@3.2.2", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3jru-u17n-tyg1" }, { "vulnerability": "VCID-bj83-rx84-v3g9" }, { "vulnerability": "VCID-e11g-k7zm-vkhu" }, { "vulnerability": "VCID-x373-rhh4-7khm" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.2" } ], "aliases": [ "CVE-2025-61770", "GHSA-p543-xpfm-54cp" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xpa3-1n87-8ucv" } ], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47881?format=api", "vulnerability_id": "VCID-amfu-8d25-juhy", "summary": "Rack has an unsafe default in Rack::QueryParser allows params_limit bypass via semicolon-separated parameters\n`Rack::QueryParser` in version `< 2.2.18` enforces its `params_limit` only for parameters separated by `&`, while still splitting on both `&` and `;`. As a result, attackers could use `;` separators to bypass the parameter count limit and submit more parameters than intended.", "references": [ { "reference_url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59830.json", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59830.json" }, { "reference_url": "https://api.first.org/data/v1/epss?cve=CVE-2025-59830", "reference_id": "", "reference_type": "", "scores": [ { "value": "0.0014", "scoring_system": "epss", "scoring_elements": "0.3385", "published_at": "2026-06-05T12:55:00Z" } ], "url": "https://api.first.org/data/v1/epss?cve=CVE-2025-59830" }, { "reference_url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59830", "reference_id": "", "reference_type": "", "scores": [], "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-59830" }, { "reference_url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" } ], "url": "https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml" }, { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/commit/54e4ffdd5affebcb0c015cc6ae74635c0831ed71", "reference_id": "", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-25T16:14:17Z/" } ], "url": "https://github.com/rack/rack/commit/54e4ffdd5affebcb0c015cc6ae74635c0831ed71" }, { "reference_url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116431", "reference_id": "1116431", "reference_type": "", "scores": [], "url": "https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1116431" }, { "reference_url": "https://bugzilla.redhat.com/show_bug.cgi?id=2398167", "reference_id": "2398167", "reference_type": "", "scores": [], "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2398167" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59830", "reference_id": "CVE-2025-59830", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" } ], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59830" }, { "reference_url": "https://github.com/advisories/GHSA-625h-95r8-8xpm", "reference_id": "GHSA-625h-95r8-8xpm", "reference_type": "", "scores": [ { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" } ], "url": "https://github.com/advisories/GHSA-625h-95r8-8xpm" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-625h-95r8-8xpm", "reference_id": "GHSA-625h-95r8-8xpm", "reference_type": "", "scores": [ { "value": "7.5", "scoring_system": "cvssv3", "scoring_elements": "" }, { "value": "7.5", "scoring_system": "cvssv3.1", "scoring_elements": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" }, { "value": "HIGH", "scoring_system": "cvssv3.1_qr", "scoring_elements": "" }, { "value": "HIGH", "scoring_system": "generic_textual", "scoring_elements": "" }, { "value": "Track", "scoring_system": "ssvc", "scoring_elements": "SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-09-25T16:14:17Z/" } ], "url": "https://github.com/rack/rack/security/advisories/GHSA-625h-95r8-8xpm" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19512", "reference_id": "RHSA-2025:19512", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19512" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19513", "reference_id": "RHSA-2025:19513", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19513" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19647", "reference_id": "RHSA-2025:19647", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19647" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19719", "reference_id": "RHSA-2025:19719", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19719" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19733", "reference_id": "RHSA-2025:19733", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19733" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19734", "reference_id": "RHSA-2025:19734", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19734" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19736", "reference_id": "RHSA-2025:19736", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19736" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19800", "reference_id": "RHSA-2025:19800", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19800" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19832", "reference_id": "RHSA-2025:19832", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19832" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19855", "reference_id": "RHSA-2025:19855", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19855" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19856", "reference_id": "RHSA-2025:19856", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19856" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:19948", "reference_id": "RHSA-2025:19948", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:19948" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:20962", "reference_id": "RHSA-2025:20962", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:20962" }, { "reference_url": "https://access.redhat.com/errata/RHSA-2025:21036", "reference_id": "RHSA-2025:21036", "reference_type": "", "scores": [], "url": "https://access.redhat.com/errata/RHSA-2025:21036" }, { "reference_url": "https://usn.ubuntu.com/7784-1/", "reference_id": "USN-7784-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7784-1/" }, { "reference_url": "https://usn.ubuntu.com/7960-1/", "reference_id": "USN-7960-1", "reference_type": "", "scores": [], "url": "https://usn.ubuntu.com/7960-1/" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/70645?format=api", "purl": "pkg:gem/rack@2.2.18", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3jru-u17n-tyg1" }, { "vulnerability": "VCID-bj83-rx84-v3g9" }, { "vulnerability": "VCID-dss4-6ptr-83av" }, { "vulnerability": "VCID-e11g-k7zm-vkhu" }, { "vulnerability": "VCID-k8fr-zuyx-yyhg" }, { "vulnerability": "VCID-x373-rhh4-7khm" }, { "vulnerability": "VCID-xpa3-1n87-8ucv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.18" }, { "url": "http://public2.vulnerablecode.io/api/packages/74062?format=api", "purl": "pkg:gem/rack@3.0.0.beta1", "is_vulnerable": true, "affected_by_vulnerabilities": [ { "vulnerability": "VCID-3jru-u17n-tyg1" }, { "vulnerability": "VCID-52qe-dast-tkhu" }, { "vulnerability": "VCID-7cef-z5qm-afd8" }, { "vulnerability": "VCID-bj83-rx84-v3g9" }, { "vulnerability": "VCID-bqpn-m2fh-9kab" }, { "vulnerability": "VCID-c9mc-7nts-cfgy" }, { "vulnerability": "VCID-dss4-6ptr-83av" }, { "vulnerability": "VCID-e11g-k7zm-vkhu" }, { "vulnerability": "VCID-ebb6-b5tx-5bhf" }, { "vulnerability": "VCID-heu4-cd3d-73ck" }, { "vulnerability": "VCID-hpw3-uw3x-mqgq" }, { "vulnerability": "VCID-k8fr-zuyx-yyhg" }, { "vulnerability": "VCID-pydr-47y4-y3fu" }, { "vulnerability": "VCID-u1u4-7b3v-fue7" }, { "vulnerability": "VCID-vk15-7qdb-xkh9" }, { "vulnerability": "VCID-x373-rhh4-7khm" }, { "vulnerability": "VCID-xpa3-1n87-8ucv" } ], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.0.beta1" } ], "aliases": [ "CVE-2025-59830", "GHSA-625h-95r8-8xpm" ], "risk_score": 4.0, "exploitability": "0.5", "weighted_severity": "8.0", "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-amfu-8d25-juhy" } ], "risk_score": "4.0", "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.18" }