| purl | pkg:rpm/redhat/rubygem-rack@2.2.20-1?arch=el9sat |
| Next non-vulnerable version | None. |
| Latest non-vulnerable version | None. |
| Risk | 4.0 |
| Vulnerability | Summary | Fixed by |
|---|---|---|
| VCID-gdhf-e8q1-kbat (Aliases: CVE-2025-59830, GHSA-625h-95r8-8xpm) | Rack has an unsafe default in Rack::QueryParser that allows a params_limit bypass via semicolon-separated parameters. `Rack::QueryParser` in version `< 2.2.18` enforces its `params_limit` only for parameters separated by `&`, while still splitting on both `&` and `;`. As a result, attackers could use `;` separators to bypass the parameter count limit and submit more parameters than intended. | There are no reported fixed-by versions. |
| VCID-s971-gkdg-jkhc (Aliases: CVE-2025-61919, GHSA-6xw4-3v39-52mm) | Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing. `Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion. | There are no reported fixed-by versions. |
| Vulnerability | Summary | Aliases |
|---|---|---|
| This package is not known to fix vulnerabilities. | ||
| Date | Actor | Action | Vulnerability | Source | VulnerableCode Version |
|---|---|---|---|---|---|
| 2026-04-01T13:36:26.084126+00:00 | RedHat Importer | Affected by | VCID-gdhf-e8q1-kbat | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-59830.json | 38.0.0 |
| 2026-04-01T13:35:59.783688+00:00 | RedHat Importer | Affected by | VCID-s971-gkdg-jkhc | https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61919.json | 38.0.0 |