Description

Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, `Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion. Users should upgrade to Rack version 2.2.20, 3.1.18, or 3.2.3, anu of which enforces form parameter limits using `query_parser.bytesize_limit`, preventing unbounded reads of `application/x-www-form-urlencoded` bodies. Additionally, enforce strict maximum body size at the proxy or web server layer (e.g., Nginx `client_max_body_size`, Apache `LimitRequestBody`).

INFO

Published Date :

2025-10-10T19:22:42.454Z

Last Modified :

2025-10-10T20:48:20.240Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2025-61919 vulnerability.

Vendors Products
Rack
  • Rack
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2025-61919.

URL Resource
https://github.com/rack/rack/commit/4e2c903991a790ee211a3021808ff4fd6fe82881 cve-icon cve-icon cve-icon
https://github.com/rack/rack/commit/cbd541e8a3d0c5830a3c9a30d3718ce2e124f9db cve-icon cve-icon cve-icon
https://github.com/rack/rack/commit/e179614c4a653283286f5f046428cbb85f21146f cve-icon cve-icon cve-icon
https://github.com/rack/rack/security/advisories/GHSA-6xw4-3v39-52mm cve-icon cve-icon cve-icon
https://nvd.nist.gov/vuln/detail/CVE-2025-61919 cve-icon
https://www.cve.org/CVERecord?id=CVE-2025-61919 cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact