rack 2.2.16
Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing
high severity CVE-2025-61919~> 2.2.20, ~> 3.1.18, >= 3.2.3
Summary
Rack::Request#POST reads the entire request body into memory for
Content-Type: application/x-www-form-urlencoded, calling
rack.input.read(nil) without enforcing a length or cap. Large
request bodies can therefore be buffered completely into process
memory before parsing, leading to denial of service (DoS) through
memory exhaustion.
Details
When handling non-multipart form submissions, Rack’s request parser performs:
form_vars = get_header(RACK_INPUT).read
Since read is called with no argument, the entire request body is
loaded into a Ruby String. This occurs before query parameter
parsing or enforcement of any params_limit. As a result, Rack
applications without an upstream body-size limit can experience
unbounded memory allocation proportional to request size.
Impact
Attackers can send large application/x-www-form-urlencoded bodies
to consume process memory, causing slowdowns or termination by the
operating system (OOM). The effect scales linearly with request
size and concurrency. Even with parsing limits configured, the
issue occurs before those limits are enforced.
Mitigation
- Update to a patched version of Rack that enforces form parameter
limits using
query_parser.bytesize_limit, preventing unbounded reads ofapplication/x-www-form-urlencodedbodies. - Enforce strict maximum body size at the proxy or web server layer
(e.g., Nginx
client_max_body_size, ApacheLimitRequestBody).
Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
high severity CVE-2025-61772~> 2.2.19, ~> 3.1.17, >= 3.2.2
Summary
Rack::Multipart::Parser can accumulate unbounded data when a
multipart part’s header block never terminates with the required
blank line (CRLFCRLF). The parser keeps appending incoming bytes
to memory without a size cap, allowing a remote attacker to exhaust
memory and cause a denial of service (DoS).
Details
While reading multipart headers, the parser waits for CRLFCRLF using:
@sbuf.scan_until(/(.*?\r
)\r
/m)
If the terminator never appears, it continues appending data
(@sbuf.concat(content)) indefinitely. There is no limit on
accumulated header bytes, so a single malformed part can consume
memory proportional to the request body size.
Impact
Attackers can send incomplete multipart headers to trigger high memory use, leading to process termination (OOM) or severe slowdown. The effect scales with request size limits and concurrency. All applications handling multipart uploads may be affected.
Mitigation
-
Upgrade to a patched Rack version that caps per-part header size (e.g., 64 KiB).
-
Until then, restrict maximum request sizes at the proxy or web server layer (e.g., Nginx
client_max_body_size).
Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
high severity CVE-2025-61771~> 2.2.19, ~> 3.1.17, >= 3.2.2
Summary
Rack::Multipart::Parser stores non-file form fields (parts without
a filename) entirely in memory as Ruby String objects. A single
large text field in a multipart/form-data request (hundreds of
megabytes or more) can consume equivalent process memory, potentially
leading to out-of-memory (OOM) conditions and denial of service (DoS).
Details
During multipart parsing, file parts are streamed to temporary files, but non-file parts are buffered into memory:
body = String.new # non-file → in-RAM buffer
@mime_parts[mime_index].body << content
There is no size limit on these in-memory buffers. As a result, any
large text field—while technically valid—will be loaded fully into
process memory before being added to params.
Impact
Attackers can send large non-file fields to trigger excessive memory usage. Impact scales with request size and concurrency, potentially leading to worker crashes or severe garbage-collection overhead. All Rack applications processing multipart form submissions are affected.
Mitigation
-
Upgrade: Use a patched version of Rack that enforces a reasonable size cap for non-file fields (e.g., 2 MiB).
-
Workarounds:
- Restrict maximum request body size at the web-server or proxy
layer (e.g., Nginx
client_max_body_size). - Validate and reject unusually large form fields at the application level.
- Restrict maximum request body size at the web-server or proxy
layer (e.g., Nginx
Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion)
high severity CVE-2025-61770~> 2.2.19, ~> 3.1.17, >= 3.2.2
Summary
Rack::Multipart::Parser buffers the entire multipart preamble
(bytes before the first boundary) in memory without any size limit.
A client can send a large preamble followed by a valid boundary,
causing significant memory use and potential process termination
due to out-of-memory (OOM) conditions.
Details
While searching for the first boundary, the parser appends incoming
data into a shared buffer (@sbuf.concat(content)) and scans for
the boundary pattern:
@sbuf.scan_until(@body_regex)
If the boundary is not yet found, the parser continues buffering data indefinitely. There is no trimming or size cap on the preamble, allowing attackers to send arbitrary amounts of data before the first boundary.
Impact
Remote attackers can trigger large transient memory spikes by including a long preamble in multipart/form-data requests. The impact scales with allowed request sizes and concurrency, potentially causing worker crashes or severe slowdown due to garbage collection.
Mitigation
-
Upgrade: Use a patched version of Rack that enforces a preamble size limit (e.g., 16 KiB) or discards preamble data entirely per RFC 2046 § 5.1.1.
-
Workarounds:
- Limit total request body size at the proxy or web server level.
- Monitor memory and set per-process limits to prevent OOM conditions.
Rack has an unsafe default in Rack::QueryParser allows params_limit bypass via semicolon-separated parameters
high severity CVE-2025-59830>= 2.2.18
Summary
Rack::QueryParser in version < 2.2.18 enforces its params_limit
only for parameters separated by &, while still splitting on both
& and ;. As a result, attackers could use ; separators to
bypass the parameter count limit and submit more parameters than intended.
Details
The issue arises because Rack::QueryParser#check_query_string
counts only & characters when determining the number of parameters,
but the default separator regex DEFAULT_SEP = /[&;] */n splits on
both & and ;. This mismatch means that queries using ;
separators were not included in the parameter count, allowing
params_limit to be bypassed.
Other safeguards (bytesize_limit and key_space_limit) still
applied, but did not prevent this particular bypass.
Impact
Applications or middleware that directly invoke Rack::QueryParser
with its default configuration (no explicit delimiter) could be
exposed to increased CPU and memory consumption. This can be abused
as a limited denial-of-service vector.
Rack::Request, the primary entry point for typical Rack applications,
uses QueryParser in a safe way and does not appear vulnerable by
default. As such, the severity is considered low, with the impact
limited to edge cases where QueryParser is used directly.
Mitigation
- Upgrade to a patched version of Rack where both
∧are counted consistently towardparams_limit. - If upgrading is not immediately possible, configure
QueryParserwith an explicit delimiter (e.g.,&) to avoid the mismatch. - As a general precaution, enforce query string and request size limits at the web server or proxy layer (e.g., Nginx, Apache, or a CDN) to mitigate excessive parsing overhead.
Rack has a Possible Information Disclosure Vulnerability
medium severity CVE-2025-61780~> 2.2.20, ~> 3.1.18, >= 3.2.3
Summary
A possible information disclosure vulnerability existed in
Rack::Sendfile when running behind a proxy that supports
x-sendfile headers (such as Nginx). Specially crafted headers
could cause Rack::Sendfile to miscommunicate with the proxy and
trigger unintended internal requests, potentially bypassing
proxy-level access restrictions.
Details
When Rack::Sendfile received untrusted x-sendfile-type or
x-accel-mapping headers from a client, it would interpret them
as proxy configuration directives. This could cause the middleware
to send a "redirect" response to the proxy, prompting it to reissue
a new internal request that was
not subject to the proxy's access controls.
An attacker could exploit this by:
- Setting a crafted
x-sendfile-type: x-accel-redirectheader. - Setting a crafted
x-accel-mappingheader. - Requesting a path that qualifies for proxy-based acceleration.
Impact
Attackers could bypass proxy-enforced restrictions and access internal endpoints intended to be protected (such as administrative pages). The vulnerability did not allow arbitrary file reads but could expose sensitive application routes.
This issue only affected systems meeting all of the following conditions:
- The application used
Rack::Sendfilewith a proxy that supportsx-accel-redirect(e.g., Nginx). - The proxy did not always set or remove the
x-sendfile-typeandx-accel-mappingheaders. - The application exposed an endpoint that returned a body
responding to
.to_path.
Mitigation
-
Upgrade to a fixed version of Rack which requires explicit configuration to enable
x-accel-redirect:use Rack::Sendfile, "x-accel-redirect" -
Alternatively, configure the proxy to always set or strip the headers (you should be doing this!):
proxy_set_header x-sendfile-type x-accel-redirect; proxy_set_header x-accel-mapping /var/www/=/files/; -
Or in Rails applications, disable sendfile completely:
config.action_dispatch.x_sendfile_header = nil
No officially reported memory leakage issues detected.
This gem version does not have any officially reported memory leaked issues.
No license issues detected.
This gem version has a license in the gemspec.
This gem version is available.
This gem version has not been yanked and is still available for usage.