Vulnerability details: VCID-s971-gkdg-jkhc

Vulnerability ID: VCID-s971-gkdg-jkhc
Aliases: CVE-2025-61919, GHSA-6xw4-3v39-52mm
Summary: Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing. `Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion.
Status: Published
Exploitability: 0.5
Weighted Severity: 8.0
Risk: 4.0

Affected and Fixed Packages
Package Details
Weaknesses (3)
System           Score    Found at
cvssv3           7.5      https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61919.json
epss             0.00221  https://api.first.org/data/v1/epss?cve=CVE-2025-61919
cvssv3.1         7.5      https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
cvssv3.1_qr      HIGH     https://github.com/advisories/GHSA-6xw4-3v39-52mm
cvssv3.1         7.5      https://github.com/rack/rack
generic_textual  HIGH     https://github.com/rack/rack
cvssv3.1         7.5      https://github.com/rack/rack/commit/4e2c903991a790ee211a3021808ff4fd6fe82881
generic_textual  HIGH     https://github.com/rack/rack/commit/4e2c903991a790ee211a3021808ff4fd6fe82881
ssvc             Track    https://github.com/rack/rack/commit/4e2c903991a790ee211a3021808ff4fd6fe82881
cvssv3.1         7.5      https://github.com/rack/rack/commit/cbd541e8a3d0c5830a3c9a30d3718ce2e124f9db
generic_textual  HIGH     https://github.com/rack/rack/commit/cbd541e8a3d0c5830a3c9a30d3718ce2e124f9db
ssvc             Track    https://github.com/rack/rack/commit/cbd541e8a3d0c5830a3c9a30d3718ce2e124f9db
cvssv3.1         7.5      https://github.com/rack/rack/commit/e179614c4a653283286f5f046428cbb85f21146f
generic_textual  HIGH     https://github.com/rack/rack/commit/e179614c4a653283286f5f046428cbb85f21146f
ssvc             Track    https://github.com/rack/rack/commit/e179614c4a653283286f5f046428cbb85f21146f
cvssv3           7.5      https://github.com/rack/rack/security/advisories/GHSA-6xw4-3v39-52mm
cvssv3.1         7.5      https://github.com/rack/rack/security/advisories/GHSA-6xw4-3v39-52mm
cvssv3.1_qr      HIGH     https://github.com/rack/rack/security/advisories/GHSA-6xw4-3v39-52mm
generic_textual  HIGH     https://github.com/rack/rack/security/advisories/GHSA-6xw4-3v39-52mm
ssvc             Track    https://github.com/rack/rack/security/advisories/GHSA-6xw4-3v39-52mm
cvssv3.1         7.5      https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61919.yml
generic_textual  HIGH     https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61919.yml
cvssv3.1         7.5      https://nvd.nist.gov/vuln/detail/CVE-2025-61919
generic_textual  HIGH     https://nvd.nist.gov/vuln/detail/CVE-2025-61919
References (Reference type is empty for every entry)

Reference id          URL
                      https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61919.json
                      https://api.first.org/data/v1/epss?cve=CVE-2025-61919
                      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-61919
                      https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
                      https://github.com/rack/rack
                      https://github.com/rack/rack/commit/4e2c903991a790ee211a3021808ff4fd6fe82881
                      https://github.com/rack/rack/commit/cbd541e8a3d0c5830a3c9a30d3718ce2e124f9db
                      https://github.com/rack/rack/commit/e179614c4a653283286f5f046428cbb85f21146f
1117856               https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1117856
2403180               https://bugzilla.redhat.com/show_bug.cgi?id=2403180
CVE-2025-61919        https://nvd.nist.gov/vuln/detail/CVE-2025-61919
CVE-2025-61919.YML    https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61919.yml
GHSA-6xw4-3v39-52mm   https://github.com/advisories/GHSA-6xw4-3v39-52mm
GHSA-6xw4-3v39-52mm   https://github.com/rack/rack/security/advisories/GHSA-6xw4-3v39-52mm
RHSA-2025:19512       https://access.redhat.com/errata/RHSA-2025:19512
RHSA-2025:19513       https://access.redhat.com/errata/RHSA-2025:19513
RHSA-2025:19647       https://access.redhat.com/errata/RHSA-2025:19647
RHSA-2025:19719       https://access.redhat.com/errata/RHSA-2025:19719
RHSA-2025:19733       https://access.redhat.com/errata/RHSA-2025:19733
RHSA-2025:19734       https://access.redhat.com/errata/RHSA-2025:19734
RHSA-2025:19736       https://access.redhat.com/errata/RHSA-2025:19736
RHSA-2025:19800       https://access.redhat.com/errata/RHSA-2025:19800
RHSA-2025:19832       https://access.redhat.com/errata/RHSA-2025:19832
RHSA-2025:19855       https://access.redhat.com/errata/RHSA-2025:19855
RHSA-2025:19856       https://access.redhat.com/errata/RHSA-2025:19856
RHSA-2025:19948       https://access.redhat.com/errata/RHSA-2025:19948
RHSA-2025:20962       https://access.redhat.com/errata/RHSA-2025:20962
RHSA-2025:21036       https://access.redhat.com/errata/RHSA-2025:21036
RHSA-2025:21696       https://access.redhat.com/errata/RHSA-2025:21696
USN-7960-1            https://usn.ubuntu.com/7960-1/
No exploits are available.
CVSS v3.1 vectors

Every source below reports the same vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
  Attack Vector (AV): network
  Attack Complexity (AC): low
  Privileges Required (PR): none
  User Interaction (UI): none
  Scope (S): unchanged
  Confidentiality Impact (C): none
  Integrity Impact (I): none
  Availability Impact (A): high

Found at:
  https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-61919.json
  https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
  https://github.com/rack/rack
  https://github.com/rack/rack/commit/4e2c903991a790ee211a3021808ff4fd6fe82881
  https://github.com/rack/rack/commit/cbd541e8a3d0c5830a3c9a30d3718ce2e124f9db
  https://github.com/rack/rack/commit/e179614c4a653283286f5f046428cbb85f21146f
  https://github.com/rack/rack/security/advisories/GHSA-6xw4-3v39-52mm
  https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61919.yml
  https://nvd.nist.gov/vuln/detail/CVE-2025-61919

SSVC vectors (decision: Track)

Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:48:10Z/ Found at https://github.com/rack/rack/commit/4e2c903991a790ee211a3021808ff4fd6fe82881
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:48:10Z/ Found at https://github.com/rack/rack/commit/cbd541e8a3d0c5830a3c9a30d3718ce2e124f9db
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:48:10Z/ Found at https://github.com/rack/rack/commit/e179614c4a653283286f5f046428cbb85f21146f
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-10-10T20:48:10Z/ Found at https://github.com/rack/rack/security/advisories/GHSA-6xw4-3v39-52mm
Exploit Prediction Scoring System (EPSS)
Percentile: 0.44736
EPSS Score: 0.00221
Published At: April 2, 2026, 12:55 p.m.

History

Date                              Actor            Action  Source                                                                                          VulnerableCode Version
2026-04-01T12:52:59.155820+00:00  GitLab Importer  Import  https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rack/CVE-2025-61919.yml  38.0.0