Package details: pkg:deb/debian/ruby-rack@3.1.16-0.1?distro=trixie
purl pkg:deb/debian/ruby-rack@3.1.16-0.1?distro=trixie
Vulnerabilities affecting this package (0)
Vulnerability Summary Fixed by
This package is not known to be affected by vulnerabilities.
Vulnerabilities fixed by this package (2)
VCID-47ja-djzb-2bbw: Rack has an Unbounded-Parameter DoS in Rack::QueryParser
Aliases: CVE-2025-46727, GHSA-gjh7-p2fx-99vx

## Summary
`Rack::QueryParser` parses query strings and `application/x-www-form-urlencoded` bodies into Ruby data structures without imposing any limit on the number of parameters, allowing attackers to send requests with extremely large numbers of parameters.

## Details
The vulnerability arises because `Rack::QueryParser` iterates over each `&`-separated key-value pair and adds it to a Hash without enforcing an upper bound on the total number of parameters. This allows an attacker to send a single request containing hundreds of thousands (or more) of parameters, which consumes excessive memory and CPU during parsing.

## Impact
An attacker can trigger denial of service by sending specifically crafted HTTP requests, which can cause memory exhaustion or pin CPU resources, stalling or crashing the Rack server. This results in full service disruption until the affected worker is restarted.

## Mitigation
- Update to a version of Rack that limits the number of parameters parsed, or
- Use middleware to enforce a maximum query string size or parameter count, or
- Employ a reverse proxy (such as Nginx) to limit request sizes and reject oversized query strings or bodies.

Limiting request body sizes and query string lengths at the web server or CDN level is an effective mitigation.

VCID-7wvj-9h3p-23am: ReDoS Vulnerability in Rack::Multipart handle_mime_head
Aliases: CVE-2025-49007, GHSA-47m2-26rw-j2jw

### Summary
There is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This is very similar to the previous security issue CVE-2022-44571.

### Details
Carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.

### Credits
Thanks to [scyoon](https://hackerone.com/scyoon) for reporting this to the Rails security team.
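The middleware mitigation listed for VCID-47ja-djzb-2bbw, as an added example that is not part of this record or of Rack itself: a Rack-compatible middleware that rejects a request before `Rack::QueryParser` ever runs when the query string or form body carries more than a fixed number of `&`-separated pairs or exceeds a byte cap. The class name `ParamLimit`, the default limits and the `demo_env` helper are assumptions made here; the block uses no rack gem API, so it runs stand-alone with a lambda standing in for the downstream app.

```ruby
require "stringio"

# Added example (not part of the VulnerableCode record or of Rack): a
# Rack-compatible middleware that caps parameter count and size up front,
# so an oversized request never reaches Rack::QueryParser. Class name,
# limits and the demo_env helper are assumptions made for this example.
class ParamLimit
  FORM_TYPE = "application/x-www-form-urlencoded"

  # Assumed defaults; tune per application. Building the params Hash is what
  # burns memory and CPU, so the cap must be enforced before parsing starts.
  def initialize(app, max_params: 1_000, max_query_bytes: 8_192, max_form_bytes: 1_048_576)
    @app             = app
    @max_params      = max_params
    @max_query_bytes = max_query_bytes
    @max_form_bytes  = max_form_bytes
  end

  # Number of &-separated segments, computed in one pass with no allocation
  # beyond the count itself. Empty segments ("a=1&&b=2") are counted too, so
  # this is an upper bound on what the parser would keep; it errs toward rejecting.
  def self.pair_count(str)
    return 0 if str.nil? || str.empty?
    str.count("&") + 1
  end

  def call(env)
    qs = env["QUERY_STRING"].to_s
    return reject("query string too long")     if qs.bytesize > @max_query_bytes
    return reject("too many query parameters") if self.class.pair_count(qs) > @max_params

    if env["CONTENT_TYPE"].to_s.start_with?(FORM_TYPE)
      # Cheap check first: a declared Content-Length over the cap is rejected
      # without touching the body at all.
      return reject("form body too large") if env["CONTENT_LENGTH"].to_i > @max_form_bytes

      input = env["rack.input"]
      if input
        # Read at most one byte past the cap so a missing or false
        # Content-Length (e.g. chunked encoding) cannot make us buffer more.
        data = input.read(@max_form_bytes + 1).to_s
        # Downstream parsers read the body again; rewind when the input
        # supports it (not every Rack 3 input is rewindable).
        input.rewind if input.respond_to?(:rewind)
        return reject("form body too large")      if data.bytesize > @max_form_bytes
        return reject("too many form parameters") if self.class.pair_count(data) > @max_params
      end
    end

    @app.call(env)
  end

  # Minimal env builder for the demo and tests; constructed here, not a Rack API.
  def self.demo_env(query: "", form_body: nil)
    env = {
      "REQUEST_METHOD" => form_body ? "POST" : "GET",
      "QUERY_STRING"   => query,
      "rack.input"     => StringIO.new(form_body.to_s),
    }
    if form_body
      env["CONTENT_TYPE"]   = FORM_TYPE
      env["CONTENT_LENGTH"] = form_body.bytesize.to_s
    end
    env
  end

  private

  # 413 is the status a proxy would also use for an oversized request.
  def reject(reason)
    body = "413 Payload Too Large: #{reason}\n"
    [413, { "content-type" => "text/plain", "content-length" => body.bytesize.to_s }, [body]]
  end
end

if __FILE__ == $PROGRAM_NAME
  app = ->(_env) { [200, { "content-type" => "text/plain" }, ["ok"]] }
  limited = ParamLimit.new(app, max_params: 5, max_query_bytes: 64)
  puts limited.call(ParamLimit.demo_env(query: "a=1&b=2"))[0]                 # 200
  puts limited.call(ParamLimit.demo_env(query: "a=1&b=2&c=3&d=4&e=5&f=6"))[0] # 413
end
```

In a real deployment this sits as early as possible in the middleware stack (`use ParamLimit` near the top of `config.ru`), with the proxy in front enforcing the same byte limits so that the bulk of an oversized request is dropped before it reaches Ruby; the middleware then only has to count separators, which is linear in the already-bounded input.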

Date | Actor | Action | Vulnerability | Source | VulnerableCode Version
2026-04-16T10:30:36.342979+00:00 | Debian Importer | Fixing | VCID-7wvj-9h3p-23am | https://security-tracker.debian.org/tracker/data/json | 38.4.0
2026-04-16T09:25:09.983678+00:00 | Debian Importer | Fixing | VCID-47ja-djzb-2bbw | https://security-tracker.debian.org/tracker/data/json | 38.4.0
2026-04-12T18:15:46.607998+00:00 | Debian Importer | Fixing | VCID-7wvj-9h3p-23am | https://security-tracker.debian.org/tracker/data/json | 38.3.0
2026-04-11T18:17:12.348057+00:00 | Debian Importer | Fixing | VCID-47ja-djzb-2bbw | https://security-tracker.debian.org/tracker/data/json | 38.3.0
2026-04-03T07:52:20.708329+00:00 | Debian Importer | Fixing | VCID-7wvj-9h3p-23am | https://security-tracker.debian.org/tracker/data/json | 38.1.0
2026-04-03T07:52:20.643352+00:00 | Debian Importer | Fixing | VCID-47ja-djzb-2bbw | https://security-tracker.debian.org/tracker/data/json | 38.1.0