[DRE-maint] Bug#1117628: ruby-rack: CVE-2025-61771

Salvatore Bonaccorso carnil at debian.org
Wed Oct 8 21:02:16 BST 2025


Source: ruby-rack
Version: 3.1.16-0.1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>

Hi,

The following vulnerability was published for ruby-rack.

CVE-2025-61771[0]:
| Rack is a modular Ruby web server interface. In versions prior to
| 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` stores non-file
| form fields (parts without a `filename`) entirely in memory as Ruby
| `String` objects. A single large text field in a multipart/form-data
| request (hundreds of megabytes or more) can consume equivalent process
| memory, potentially leading to out-of-memory (OOM) conditions and
| denial of service (DoS). Attackers can send large non-file fields to
| trigger excessive memory usage. Impact scales with request size and
| concurrency, potentially leading to worker crashes or severe
| garbage-collection overhead. All Rack applications processing
| multipart form submissions are affected. Versions 2.2.19, 3.1.17, and
| 3.2.2 enforce a reasonable size cap for non-file fields (e.g., 2 MiB).
| Workarounds include restricting maximum request body size at the
| web-server or proxy layer (e.g., Nginx `client_max_body_size`) and
| validating and rejecting unusually large form fields at the
| application level.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-61771
    https://www.cve.org/CVERecord?id=CVE-2025-61771
[1] https://github.com/rack/rack/security/advisories/GHSA-w9pc-fmgc-vxvw

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
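The advisory quoted above names two workarounds for installations that cannot update yet: capping the request body at the web-server or proxy layer, and rejecting oversized input at the application level. The following is an added example of the second workaround, written for this page and not taken from the bug report or from the Rack project. It is a minimal Rack-style middleware (an object responding to `call(env)`) that refuses a request whose declared `Content-Length` exceeds a cap, and that wraps `rack.input` so a body with no declared length (for example a chunked upload) is cut off once the same cap is reached, before `Rack::Multipart::Parser` could buffer a large field into a single `String`. The class names `BodySizeLimit` and `LimitedInput`, the 2 MiB default (chosen to match the cap mentioned in the advisory), and the `run_request` helper with its stand-in application are all assumptions made for the example; the block uses only the Rack calling convention and runs without the rack gem installed.

```ruby
require 'stringio'

# Added example, not Rack project code: wraps a Rack input stream and raises
# TooLarge once more than `limit` bytes have been read from it.
class LimitedInput
  class TooLarge < StandardError; end

  def initialize(io, limit)
    @io = io
    @limit = limit
    @read = 0
  end

  # The three read methods Rack's multipart parser and form parsers rely on.
  def read(length = nil, outbuf = nil)
    account(@io.read(length, outbuf))
  end

  def gets(*args)
    account(@io.gets(*args))
  end

  def each
    while (chunk = read(8192))
      yield chunk
    end
  end

  def rewind
    @io.rewind
    @read = 0
  end

  private

  def account(data)
    return data if data.nil?
    @read += data.bytesize
    raise TooLarge, 'request body exceeds limit' if @read > @limit
    data
  end
end

# Added example middleware: reject bodies larger than `limit` with 413 before
# the application (and therefore Rack::Multipart::Parser) reads them.
class BodySizeLimit
  DEFAULT_LIMIT = 2 * 1024 * 1024 # 2 MiB, the cap size quoted in the advisory

  def initialize(app, limit: DEFAULT_LIMIT)
    @app = app
    @limit = limit
  end

  def call(env)
    length = env['CONTENT_LENGTH']
    # Fast path: a declared Content-Length above the cap is refused unread.
    return reject if length && length.to_i > @limit

    # No (trustworthy) length: count bytes as they are read and abort past the cap.
    env['rack.input'] = LimitedInput.new(env['rack.input'], @limit) if env['rack.input']
    @app.call(env)
  rescue LimitedInput::TooLarge
    reject
  end

  private

  def reject
    [413, { 'content-type' => 'text/plain' }, ["request body exceeds limit\n"]]
  end
end

# Hypothetical helper for demonstration: drives one constructed request
# through the middleware and returns the status code. The stand-in app reads
# the whole body, as a multipart parser buffering a text field would.
def run_request(body, limit: BodySizeLimit::DEFAULT_LIMIT, declare_length: true)
  app = lambda do |env|
    env['rack.input'].read
    [200, { 'content-type' => 'text/plain' }, ["ok\n"]]
  end
  env = { 'REQUEST_METHOD' => 'POST', 'rack.input' => StringIO.new(body) }
  env['CONTENT_LENGTH'] = body.bytesize.to_s if declare_length
  BodySizeLimit.new(app, limit: limit).call(env).first
end

if $PROGRAM_NAME == __FILE__
  puts run_request('a' * 10, limit: 100)                           # small body passes
  puts run_request('a' * 101, limit: 100)                          # declared oversize
  puts run_request('a' * 101, limit: 100, declare_length: false)   # undeclared oversize
end
```

In a real deployment the middleware would sit in `config.ru` via `use BodySizeLimit, limit: ...` ahead of the application, and the proxy-level cap the advisory mentions (`client_max_body_size` in Nginx) would stop the largest requests before they reach the Ruby process at all; the two measures complement each other rather than replacing the upstream fix.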


