Denial of Service Vulnerability in Rack Web Server Interface
CVE-2025-61771

7.5 HIGH

Key Information:

Vendor: Rack
Status: Vendor
CVE Published: 7 October 2025

What is CVE-2025-61771?

The Rack web server interface has a vulnerability in which non-file multipart form fields are buffered entirely in memory. Handling large text fields can therefore consume excessive memory and lead to out-of-memory conditions. Attackers can exploit this by sending oversized fields, causing denial of service as worker processes crash or are slowed by high garbage-collection overhead. Versions 2.2.19, 3.1.17, and 3.2.2 introduce safeguards that limit the size of non-file fields, which mitigates the issue. To protect applications, it is advised to enforce maximum request body sizes and validate input at the application level.
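As an added example (not code from the Rack project), a Rack-style middleware that applies the mitigation recommended above by enforcing a maximum request body size: it refuses a declared Content-Length over the cap without reading the body, and meters bodies of unknown or chunked length as the application reads them. The class name, the 413 response and the limits used are assumptions.

```ruby
require "stringio"

# Added example middleware; the 1 MiB default limit is an assumed value.
class BodySizeLimit
  class TooLarge < StandardError; end

  # Wraps rack.input and raises once more than +limit+ bytes have been read,
  # so a body with no Content-Length cannot grow without bound in memory.
  class LimitedInput
    def initialize(io, limit)
      @io, @limit, @read = io, limit, 0
    end

    def read(length = nil, outbuf = nil)
      chunk = @io.read(length, outbuf)
      if chunk
        @read += chunk.bytesize
        raise TooLarge if @read > @limit
      end
      chunk
    end

    def each; while (c = read(16_384)); yield c; end; end
    def rewind; @read = 0; @io.rewind; end
  end

  REJECT = [413, { "content-type" => "text/plain" }, ["Request body too large\n"]].freeze

  def initialize(app, limit: 1024 * 1024)
    @app, @limit = app, limit
  end

  def call(env)
    # Cheap first check: a declared Content-Length over the cap is refused
    # before a single byte of the body is parsed.
    return REJECT if env["CONTENT_LENGTH"].to_i > @limit
    env["rack.input"] = LimitedInput.new(env["rack.input"], @limit) if env["rack.input"]
    @app.call(env)
  rescue TooLarge
    REJECT
  end
end

# Constructed request for a stand-alone run; returns the HTTP status produced.
# content_length: nil simulates a chunked request with no declared length.
def simulate(body, content_length: body.bytesize, limit: 64)
  app = ->(env) { env["rack.input"].read; [200, {}, ["ok"]] }
  env = { "CONTENT_LENGTH" => content_length.to_s, "rack.input" => StringIO.new(body) }
  BodySizeLimit.new(app, limit: limit).call(env)[0]
end
```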

Affected Version(s)

rack < 2.2.19 (fixed in 2.2.19)

rack >= 3.1, < 3.1.17 (fixed in 3.1.17)

rack >= 3.2, < 3.2.2 (fixed in 3.2.2)

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published
  • Vulnerability reserved
