VulnerableCode Package Details - pkg:rpm/redhat/pcs@0.11.4-7.el9

Search for packages

Vulnerability	Summary	Fixed by
VCID-azu5-jcmd-3ufx Aliases: CVE-2025-61772 GHSA-wpv5-97wm-hp9c	Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion) `Rack::Multipart::Parser` can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line (`CRLFCRLF`). The parser keeps appending incoming bytes to memory without a size cap, allowing a remote attacker to exhaust memory and cause a denial of service (DoS).	There are no reported fixed by versions.
VCID-gdhf-e8q1-kbat Aliases: CVE-2025-59830 GHSA-625h-95r8-8xpm	Rack has an unsafe default in Rack::QueryParser allows params_limit bypass via semicolon-separated parameters `Rack::QueryParser` in version `< 2.2.18` enforces its `params_limit` only for parameters separated by `&`, while still splitting on both `&` and `;`. As a result, attackers could use `;` separators to bypass the parameter count limit and submit more parameters than intended.	There are no reported fixed by versions.
VCID-npag-sz7d-v7b6 Aliases: CVE-2025-61770 GHSA-p543-xpfm-54cp	Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion) `Rack::Multipart::Parser` buffers the entire multipart preamble (bytes before the first boundary) in memory without any size limit. A client can send a large preamble followed by a valid boundary, causing significant memory use and potential process termination due to out-of-memory (OOM) conditions.	There are no reported fixed by versions.
VCID-s971-gkdg-jkhc Aliases: CVE-2025-61919 GHSA-6xw4-3v39-52mm	Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing `Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion.	There are no reported fixed by versions.

Vulnerability

Summary

Fixed by

VCID-azu5-jcmd-3ufx
Aliases:
CVE-2025-61772
GHSA-wpv5-97wm-hp9c

Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion) `Rack::Multipart::Parser` can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line (`CRLFCRLF`). The parser keeps appending incoming bytes to memory without a size cap, allowing a remote attacker to exhaust memory and cause a denial of service (DoS).

There are no reported fixed by versions.

VCID-gdhf-e8q1-kbat
Aliases:
CVE-2025-59830
GHSA-625h-95r8-8xpm

Rack has an unsafe default in Rack::QueryParser allows params_limit bypass via semicolon-separated parameters `Rack::QueryParser` in version `< 2.2.18` enforces its `params_limit` only for parameters separated by `&`, while still splitting on both `&` and `;`. As a result, attackers could use `;` separators to bypass the parameter count limit and submit more parameters than intended.

There are no reported fixed by versions.

VCID-npag-sz7d-v7b6
Aliases:
CVE-2025-61770
GHSA-p543-xpfm-54cp

Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion) `Rack::Multipart::Parser` buffers the entire multipart **preamble** (bytes before the first boundary) in memory without any size limit. A client can send a large preamble followed by a valid boundary, causing significant memory use and potential process termination due to out-of-memory (OOM) conditions.

There are no reported fixed by versions.

VCID-s971-gkdg-jkhc
Aliases:
CVE-2025-61919
GHSA-6xw4-3v39-52mm

Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing `Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion.

There are no reported fixed by versions.

Vulnerability	Summary	Aliases
This package is not known to fix vulnerabilities.

Vulnerability

Summary

Aliases

This package is not known to fix vulnerabilities.

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-01T13:36:25.997293+00:00	RedHat Importer	Affected by	VCID-gdhf-e8q1-kbat	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59830.json	38.0.0
2026-04-01T13:36:03.730464+00:00	RedHat Importer	Affected by	VCID-npag-sz7d-v7b6	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61770.json	38.0.0
2026-04-01T13:36:03.152177+00:00	RedHat Importer	Affected by	VCID-azu5-jcmd-3ufx	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61772.json	38.0.0
2026-04-01T13:35:59.657337+00:00	RedHat Importer	Affected by	VCID-s971-gkdg-jkhc	https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61919.json	38.0.0