Search for packages
| purl | pkg:gem/rack@3.1 |
| Tags | Ghost |
| Vulnerability | Summary | Fixed by |
|---|---|---|
|
VCID-47ja-djzb-2bbw
Aliases: CVE-2025-46727 GHSA-gjh7-p2fx-99vx |
Rack has an Unbounded-Parameter DoS in Rack::QueryParser ## Summary `Rack::QueryParser` parses query strings and `application/x-www-form-urlencoded` bodies into Ruby data structures without imposing any limit on the number of parameters, allowing attackers to send requests with extremely large numbers of parameters. ## Details The vulnerability arises because `Rack::QueryParser` iterates over each `&`-separated key-value pair and adds it to a Hash without enforcing an upper bound on the total number of parameters. This allows an attacker to send a single request containing hundreds of thousands (or more) of parameters, which consumes excessive memory and CPU during parsing. ## Impact An attacker can trigger denial of service by sending specifically crafted HTTP requests, which can cause memory exhaustion or pin CPU resources, stalling or crashing the Rack server. This results in full service disruption until the affected worker is restarted. ## Mitigation - Update to a version of Rack that limits the number of parameters parsed, or - Use middleware to enforce a maximum query string size or parameter count, or - Employ a reverse proxy (such as Nginx) to limit request sizes and reject oversized query strings or bodies. Limiting request body sizes and query string lengths at the web server or CDN level is an effective mitigation. |
Affected by 8 other vulnerabilities. |
|
VCID-7p12-ejdu-uqgy
Aliases: CVE-2025-27111 GHSA-8cgq-6mh2-7j6v |
Escape Sequence Injection vulnerability in Rack lead to Possible Log Injection ## Summary `Rack::Sendfile` can be exploited by crafting input that includes newline characters to manipulate log entries. ## Details The `Rack::Sendfile` middleware logs unsanitized header values from the `X-Sendfile-Type` header. An attacker can exploit this by injecting escape sequences (such as newline characters) into the header, resulting in log injection. ## Impact This vulnerability can distort log files, obscure attack traces, and complicate security auditing. ## Mitigation - Update to the latest version of Rack, or - Remove usage of `Rack::Sendfile`. |
Affected by 10 other vulnerabilities. |
|
VCID-azu5-jcmd-3ufx
Aliases: CVE-2025-61772 GHSA-wpv5-97wm-hp9c |
Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion) `Rack::Multipart::Parser` can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line (`CRLFCRLF`). The parser keeps appending incoming bytes to memory without a size cap, allowing a remote attacker to exhaust memory and cause a denial of service (DoS). |
Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-c5sc-7qnn-mkb9
Aliases: CVE-2025-61771 GHSA-w9pc-fmgc-vxvw |
Rack: Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion) `Rack::Multipart::Parser` stores non-file form fields (parts without a `filename`) entirely in memory as Ruby `String` objects. A single large text field in a multipart/form-data request (hundreds of megabytes or more) can consume equivalent process memory, potentially leading to out-of-memory (OOM) conditions and denial of service (DoS). |
Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-npag-sz7d-v7b6
Aliases: CVE-2025-61770 GHSA-p543-xpfm-54cp |
Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion) `Rack::Multipart::Parser` buffers the entire multipart **preamble** (bytes before the first boundary) in memory without any size limit. A client can send a large preamble followed by a valid boundary, causing significant memory use and potential process termination due to out-of-memory (OOM) conditions. |
Affected by 4 other vulnerabilities. Affected by 4 other vulnerabilities. |
|
VCID-w732-52bx-2qf8
Aliases: CVE-2025-25184 GHSA-7g2v-jj9q-g3rg |
Possible Log Injection in Rack::CommonLogger ## Summary `Rack::CommonLogger` can be exploited by crafting input that includes newline characters to manipulate log entries. The supplied proof-of-concept demonstrates injecting malicious content into logs. ## Details When a user provides the authorization credentials via `Rack::Auth::Basic`, if success, the username will be put in `env['REMOTE_USER']` and later be used by `Rack::CommonLogger` for logging purposes. The issue occurs when a server intentionally or unintentionally allows a user creation with the username contain CRLF and white space characters, or the server just want to log every login attempts. If an attacker enters a username with CRLF character, the logger will log the malicious username with CRLF characters into the logfile. ## Impact Attackers can break log formats or insert fraudulent entries, potentially obscuring real activity or injecting malicious data into log files. ## Mitigation - Update to the latest version of Rack. |
Affected by 11 other vulnerabilities. |
|
VCID-wt7k-s1yd-nke6
Aliases: CVE-2025-27610 GHSA-7wqh-767x-r66v |
Local File Inclusion in Rack::Static ## Summary `Rack::Static` can serve files under the specified `root:` even if `urls:` are provided, which may expose other files under the specified `root:` unexpectedly. ## Details The vulnerability occurs because `Rack::Static` does not properly sanitize user-supplied paths before serving files. Specifically, encoded path traversal sequences are not correctly validated, allowing attackers to access files outside the designated static file directory. ## Impact By exploiting this vulnerability, an attacker can gain access to all files under the specified `root:` directory, provided they are able to determine then path of the file. ## Mitigation - Update to the latest version of Rack, or - Remove usage of `Rack::Static`, or - Ensure that `root:` points at a directory path which only contains files which should be accessed publicly. It is likely that a CDN or similar static file server would also mitigate the issue. |
Affected by 9 other vulnerabilities. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||