Package Instance
Lookup for vulnerable packages by Package URL.
GET /api/packages/70749?format=api
{ "url": "http://public2.vulnerablecode.io/api/packages/70749?format=api", "purl": "pkg:gem/rack@2.2.19", "type": "gem", "namespace": "", "name": "rack", "version": "2.2.19", "qualifiers": {}, "subpath": "", "is_vulnerable": false, "next_non_vulnerable_version": "2.2.20", "latest_non_vulnerable_version": "3.2.5", "affected_by_vulnerabilities": [], "fixing_vulnerabilities": [ { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47952?format=api", "vulnerability_id": "VCID-dss4-6ptr-83av", "summary": "Rack: Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)\n`Rack::Multipart::Parser` stores non-file form fields (parts without a `filename`) entirely in memory as Ruby `String` objects. A single large text field in a multipart/form-data request (hundreds of megabytes or more) can consume equivalent process memory, potentially leading to out-of-memory (OOM) conditions and denial of service (DoS).", "references": [ { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e" }, { "reference_url": "https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e" }, { "reference_url": "https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61771", "reference_id": "CVE-2025-61771", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61771" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61771.yml", "reference_id": "CVE-2025-61771.YML", "reference_type": "", "scores": [], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61771.yml" }, { "reference_url": "https://github.com/advisories/GHSA-w9pc-fmgc-vxvw", "reference_id": "GHSA-w9pc-fmgc-vxvw", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-w9pc-fmgc-vxvw" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-w9pc-fmgc-vxvw", "reference_id": "GHSA-w9pc-fmgc-vxvw", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack/security/advisories/GHSA-w9pc-fmgc-vxvw" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/70749?format=api", "purl": "pkg:gem/rack@2.2.19", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.19" }, { "url": "http://public2.vulnerablecode.io/api/packages/70750?format=api", "purl": "pkg:gem/rack@3.1.17", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/70751?format=api", "purl": "pkg:gem/rack@3.2.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.2" } ], "aliases": [ "CVE-2025-61771", "GHSA-w9pc-fmgc-vxvw" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-dss4-6ptr-83av" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47962?format=api", "vulnerability_id": "VCID-k8fr-zuyx-yyhg", "summary": "Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)\n`Rack::Multipart::Parser` can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line (`CRLFCRLF`). The parser keeps appending incoming bytes to memory without a size cap, allowing a remote attacker to exhaust memory and cause a denial of service (DoS).", "references": [ { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e" }, { "reference_url": "https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e" }, { "reference_url": "https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61772", "reference_id": "CVE-2025-61772", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61772" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61772.yml", "reference_id": "CVE-2025-61772.YML", "reference_type": "", "scores": [], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61772.yml" }, { "reference_url": "https://github.com/advisories/GHSA-wpv5-97wm-hp9c", "reference_id": "GHSA-wpv5-97wm-hp9c", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-wpv5-97wm-hp9c" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-wpv5-97wm-hp9c", "reference_id": "GHSA-wpv5-97wm-hp9c", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack/security/advisories/GHSA-wpv5-97wm-hp9c" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/70749?format=api", "purl": "pkg:gem/rack@2.2.19", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.19" }, { "url": "http://public2.vulnerablecode.io/api/packages/70750?format=api", "purl": "pkg:gem/rack@3.1.17", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/70751?format=api", "purl": "pkg:gem/rack@3.2.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.2" } ], "aliases": [ "CVE-2025-61772", "GHSA-wpv5-97wm-hp9c" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-k8fr-zuyx-yyhg" }, { "url": "http://public2.vulnerablecode.io/api/vulnerabilities/47963?format=api", "vulnerability_id": "VCID-xpa3-1n87-8ucv", "summary": "Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion)\n`Rack::Multipart::Parser` buffers the entire multipart **preamble** (bytes before the first boundary) in memory without any size limit. A client can send a large preamble followed by a valid boundary, causing significant memory use and potential process termination due to out-of-memory (OOM) conditions.", "references": [ { "reference_url": "https://github.com/rack/rack", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack" }, { "reference_url": "https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e" }, { "reference_url": "https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e" }, { "reference_url": "https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd", "reference_id": "", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd" }, { "reference_url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61770", "reference_id": "CVE-2025-61770", "reference_type": "", "scores": [], "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61770" }, { "reference_url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61770.yml", "reference_id": "CVE-2025-61770.YML", "reference_type": "", "scores": [], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61770.yml" }, { "reference_url": "https://github.com/advisories/GHSA-p543-xpfm-54cp", "reference_id": "GHSA-p543-xpfm-54cp", "reference_type": "", "scores": [], "url": "https://github.com/advisories/GHSA-p543-xpfm-54cp" }, { "reference_url": "https://github.com/rack/rack/security/advisories/GHSA-p543-xpfm-54cp", "reference_id": "GHSA-p543-xpfm-54cp", "reference_type": "", "scores": [], "url": "https://github.com/rack/rack/security/advisories/GHSA-p543-xpfm-54cp" } ], "fixed_packages": [ { "url": "http://public2.vulnerablecode.io/api/packages/70749?format=api", "purl": "pkg:gem/rack@2.2.19", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.19" }, { "url": "http://public2.vulnerablecode.io/api/packages/70750?format=api", "purl": "pkg:gem/rack@3.1.17", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.17" }, { "url": "http://public2.vulnerablecode.io/api/packages/70751?format=api", "purl": "pkg:gem/rack@3.2.2", "is_vulnerable": false, "affected_by_vulnerabilities": [], "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.2" } ], "aliases": [ "CVE-2025-61770", "GHSA-p543-xpfm-54cp" ], "risk_score": null, "exploitability": null, "weighted_severity": null, "resource_url": "http://public2.vulnerablecode.io/vulnerabilities/VCID-xpa3-1n87-8ucv" } ], "risk_score": null, "resource_url": "http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.19" }