{"url":"http://public2.vulnerablecode.io/api/packages/70749?format=json","purl":"pkg:gem/rack@2.2.19","type":"gem","namespace":"","name":"rack","version":"2.2.19","qualifiers":{},"subpath":"","is_vulnerable":false,"next_non_vulnerable_version":"2.2.20","latest_non_vulnerable_version":"3.2.5","affected_by_vulnerabilities":[],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47952?format=json","vulnerability_id":"VCID-dss4-6ptr-83av","summary":"Rack: Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)\n`Rack::Multipart::Parser` stores non-file form fields (parts without a `filename`) entirely in memory as Ruby `String` objects. A single large text field in a multipart/form-data request (hundreds of megabytes or more) can consume equivalent process memory, potentially leading to out-of-memory (OOM) conditions and denial of service (DoS).","references":[{"reference_url":"https://github.com/rack/rack","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/rack/rack"},{"reference_url":"https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e"},{"reference_url":"https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e"},{"reference_url":"https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-61771","reference_id":"CVE-2025-61771","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-61771"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61771.yml","reference_id":"CVE-2025-61771.YML","reference_type":"","scores":[],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61771.yml"},{"reference_url":"https://github.com/advisories/GHSA-w9pc-fmgc-vxvw","reference_id":"GHSA-w9pc-fmgc-vxvw","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-w9pc-fmgc-vxvw"},{"reference_url":"https://github.com/rack/rack/security/advisories/GHSA-w9pc-fmgc-vxvw","reference_id":"GHSA-w9pc-fmgc-vxvw","reference_type":"","scores":[],"url":"https://github.com/rack/rack/security/advisories/GHSA-w9pc-fmgc-vxvw"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/70749?format=json","purl":"pkg:gem/rack@2.2.19","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.19"},{"url":"http://public2.vulnerablecode.io/api/packages/70750?format=json","purl":"pkg:gem/rack@3.1.17","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.17"},{"url":"http://public2.vulnerablecode.io/api/packages/70751?format=json","purl":"pkg:gem/rack@3.2.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.2"}],"aliases":["CVE-2025-61771","GHSA-w9pc-fmgc-vxvw"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dss4-6ptr-83av"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47962?format=json","vulnerability_id":"VCID-k8fr-zuyx-yyhg","summary":"Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)\n`Rack::Multipart::Parser` can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line (`CRLFCRLF`). The parser keeps appending incoming bytes to memory without a size cap, allowing a remote attacker to exhaust memory and cause a denial of service (DoS).","references":[{"reference_url":"https://github.com/rack/rack","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/rack/rack"},{"reference_url":"https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e"},{"reference_url":"https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e"},{"reference_url":"https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-61772","reference_id":"CVE-2025-61772","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-61772"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61772.yml","reference_id":"CVE-2025-61772.YML","reference_type":"","scores":[],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61772.yml"},{"reference_url":"https://github.com/advisories/GHSA-wpv5-97wm-hp9c","reference_id":"GHSA-wpv5-97wm-hp9c","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-wpv5-97wm-hp9c"},{"reference_url":"https://github.com/rack/rack/security/advisories/GHSA-wpv5-97wm-hp9c","reference_id":"GHSA-wpv5-97wm-hp9c","reference_type":"","scores":[],"url":"https://github.com/rack/rack/security/advisories/GHSA-wpv5-97wm-hp9c"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/70749?format=json","purl":"pkg:gem/rack@2.2.19","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.19"},{"url":"http://public2.vulnerablecode.io/api/packages/70750?format=json","purl":"pkg:gem/rack@3.1.17","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.17"},{"url":"http://public2.vulnerablecode.io/api/packages/70751?format=json","purl":"pkg:gem/rack@3.2.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.2"}],"aliases":["CVE-2025-61772","GHSA-wpv5-97wm-hp9c"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-k8fr-zuyx-yyhg"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/47963?format=json","vulnerability_id":"VCID-xpa3-1n87-8ucv","summary":"Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion)\n`Rack::Multipart::Parser` buffers the entire multipart **preamble** (bytes before the first boundary) in memory without any size limit. A client can send a large preamble followed by a valid boundary, causing significant memory use and potential process termination due to out-of-memory (OOM) conditions.","references":[{"reference_url":"https://github.com/rack/rack","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/rack/rack"},{"reference_url":"https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e"},{"reference_url":"https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e"},{"reference_url":"https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd","reference_id":"","reference_type":"","scores":[],"url":"https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2025-61770","reference_id":"CVE-2025-61770","reference_type":"","scores":[],"url":"https://nvd.nist.gov/vuln/detail/CVE-2025-61770"},{"reference_url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61770.yml","reference_id":"CVE-2025-61770.YML","reference_type":"","scores":[],"url":"https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61770.yml"},{"reference_url":"https://github.com/advisories/GHSA-p543-xpfm-54cp","reference_id":"GHSA-p543-xpfm-54cp","reference_type":"","scores":[],"url":"https://github.com/advisories/GHSA-p543-xpfm-54cp"},{"reference_url":"https://github.com/rack/rack/security/advisories/GHSA-p543-xpfm-54cp","reference_id":"GHSA-p543-xpfm-54cp","reference_type":"","scores":[],"url":"https://github.com/rack/rack/security/advisories/GHSA-p543-xpfm-54cp"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/70749?format=json","purl":"pkg:gem/rack@2.2.19","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.19"},{"url":"http://public2.vulnerablecode.io/api/packages/70750?format=json","purl":"pkg:gem/rack@3.1.17","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.17"},{"url":"http://public2.vulnerablecode.io/api/packages/70751?format=json","purl":"pkg:gem/rack@3.2.2","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.2"}],"aliases":["CVE-2025-61770","GHSA-p543-xpfm-54cp"],"risk_score":null,"exploitability":null,"weighted_severity":null,"resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-xpa3-1n87-8ucv"}],"risk_score":null,"resource_url":"http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.19"}