rack 2.2.19
Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing
high severity CVE-2025-61919~> 2.2.20, ~> 3.1.18, >= 3.2.3
Summary
Rack::Request#POST reads the entire request body into memory for
Content-Type: application/x-www-form-urlencoded, calling
rack.input.read(nil) without enforcing a length or cap. Large
request bodies can therefore be buffered completely into process
memory before parsing, leading to denial of service (DoS) through
memory exhaustion.
Details
When handling non-multipart form submissions, Rack’s request parser performs:
form_vars = get_header(RACK_INPUT).read
Since read is called with no argument, the entire request body is
loaded into a Ruby String. This occurs before query parameter
parsing or enforcement of any params_limit. As a result, Rack
applications without an upstream body-size limit can experience
unbounded memory allocation proportional to request size.
Impact
Attackers can send large application/x-www-form-urlencoded bodies
to consume process memory, causing slowdowns or termination by the
operating system (OOM). The effect scales linearly with request
size and concurrency. Even with parsing limits configured, the
issue occurs before those limits are enforced.
Mitigation
- Update to a patched version of Rack that enforces form parameter
limits using
query_parser.bytesize_limit, preventing unbounded reads ofapplication/x-www-form-urlencodedbodies. - Enforce strict maximum body size at the proxy or web server layer
(e.g., Nginx
client_max_body_size, ApacheLimitRequestBody).
Rack has a Possible Information Disclosure Vulnerability
medium severity CVE-2025-61780~> 2.2.20, ~> 3.1.18, >= 3.2.3
Summary
A possible information disclosure vulnerability existed in
Rack::Sendfile when running behind a proxy that supports
x-sendfile headers (such as Nginx). Specially crafted headers
could cause Rack::Sendfile to miscommunicate with the proxy and
trigger unintended internal requests, potentially bypassing
proxy-level access restrictions.
Details
When Rack::Sendfile received untrusted x-sendfile-type or
x-accel-mapping headers from a client, it would interpret them
as proxy configuration directives. This could cause the middleware
to send a "redirect" response to the proxy, prompting it to reissue
a new internal request that was
not subject to the proxy's access controls.
An attacker could exploit this by:
- Setting a crafted
x-sendfile-type: x-accel-redirectheader. - Setting a crafted
x-accel-mappingheader. - Requesting a path that qualifies for proxy-based acceleration.
Impact
Attackers could bypass proxy-enforced restrictions and access internal endpoints intended to be protected (such as administrative pages). The vulnerability did not allow arbitrary file reads but could expose sensitive application routes.
This issue only affected systems meeting all of the following conditions:
- The application used
Rack::Sendfilewith a proxy that supportsx-accel-redirect(e.g., Nginx). - The proxy did not always set or remove the
x-sendfile-typeandx-accel-mappingheaders. - The application exposed an endpoint that returned a body
responding to
.to_path.
Mitigation
-
Upgrade to a fixed version of Rack which requires explicit configuration to enable
x-accel-redirect:use Rack::Sendfile, "x-accel-redirect" -
Alternatively, configure the proxy to always set or strip the headers (you should be doing this!):
proxy_set_header x-sendfile-type x-accel-redirect; proxy_set_header x-accel-mapping /var/www/=/files/; -
Or in Rails applications, disable sendfile completely:
config.action_dispatch.x_sendfile_header = nil
No officially reported memory leakage issues detected.
This gem version does not have any officially reported memory leaked issues.
No license issues detected.
This gem version has a license in the gemspec.
This gem version is available.
This gem version has not been yanked and is still available for usage.