Memory Buffer Vulnerability in Rack Web Server Interface from Ruby
CVE-2025-61770

7.5 HIGH

Key Information:

Vendor: Rack
Status: Vendor
CVE Published: 7 October 2025

What is CVE-2025-61770?

The Rack web server interface, a modular framework for Ruby applications, is vulnerable in versions prior to 2.2.19, 3.1.17, and 3.2.2 because of an issue in Rack::Multipart::Parser. A remote attacker can send a multipart/form-data request whose preamble (the bytes before the first boundary delimiter) is excessively large, causing the application to consume a large amount of memory while handling it. A sufficiently large preamble can lead to out-of-memory (OOM) conditions that crash the server, or degrade performance through excessive garbage collection. The updated versions add safeguards that limit the size of the preamble or discard it altogether, so users should apply these updates promptly. Additional protective measures include setting request size limits at the proxy or web server level and monitoring memory usage.
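To illustrate the kind of safeguard the fix describes, here is an added example (not Rack's own code) of a preamble skipper that discards bytes before the first boundary in bounded chunks and rejects the request once a cap is exceeded; the cap, boundary and sample body are constructed values for this example.

```ruby
require "stringio"

# Constructed cap for this example; the limit Rack actually applies is not stated here.
MAX_PREAMBLE_BYTES = 16 * 1024

class PreambleTooLarge < StandardError; end

# Skips the multipart preamble (bytes before the first "--boundary" delimiter).
# Returns [preamble_length, rest], where +rest+ starts at the delimiter so the
# caller can continue parsing parts from it. Bytes are read in bounded chunks and
# dropped as soon as they can no longer be part of the delimiter, so the preamble
# is never accumulated in memory, and the running count is checked against
# +limit+ so an arbitrarily long preamble is rejected instead of growing the heap.
def skip_preamble(io, boundary, limit: MAX_PREAMBLE_BYTES, chunk_size: 4096)
  delimiter = "--#{boundary}".b
  keep = delimiter.bytesize - 1   # a delimiter may straddle two chunks
  dropped = 0                     # preamble bytes discarded for good
  carry = "".b
  while (chunk = io.read(chunk_size))
    buf = carry + chunk.b
    if (idx = buf.index(delimiter))
      return [dropped + idx, buf.byteslice(idx, buf.bytesize - idx)]
    end
    # Retain only the tail that could still be the start of a split delimiter.
    carry = buf.bytesize > keep ? buf.byteslice(buf.bytesize - keep, keep) : buf
    dropped += buf.bytesize - carry.bytesize
    if dropped > limit
      raise PreambleTooLarge, "#{dropped} preamble bytes without a boundary (limit #{limit})"
    end
  end
  raise ArgumentError, "multipart body ended before the first boundary"
end

# Constructed sample request body: a 15-byte preamble followed by one part.
SAMPLE_BOUNDARY = "XbOuNdArY"
SAMPLE_BODY = "junk preamble\r\n" \
              "--XbOuNdArY\r\nContent-Disposition: form-data; name=\"a\"\r\n\r\nhello\r\n" \
              "--XbOuNdArY--\r\n"

if __FILE__ == $PROGRAM_NAME
  len, rest = skip_preamble(StringIO.new(SAMPLE_BODY), SAMPLE_BOUNDARY, chunk_size: 8)
  puts "discarded #{len} preamble bytes; parsing resumes at #{rest[0, 11].inspect}"
  begin
    skip_preamble(StringIO.new("A" * 1_000_000 + SAMPLE_BODY), SAMPLE_BOUNDARY)
  rescue PreambleTooLarge => e
    puts "rejected: #{e.message}"
  end
end
```

Peak memory stays at roughly one chunk plus the carried tail regardless of preamble length, which is the property the unpatched parser lacked.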

Affected Version(s)

rack < 2.2.19

rack >= 3.1, < 3.1.17

rack >= 3.2, < 3.2.2

References

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
