Memory Exhaustion Vulnerability in Rack Web Server Interface
CVE-2025-61772

7.5 HIGH

Key Information:

Vendor:
Rack
Status:
Vendor
CVE Published:
7 October 2025

What is CVE-2025-61772?

The Rack web server interface has a vulnerability in its Rack::Multipart::Parser component that can lead to memory exhaustion. When the headers of a multipart part are never terminated (the blank line that ends the header block never arrives), the parser keeps buffering header bytes without any limit. A remote attacker can exploit this unbounded buffering by sending a multipart request whose part headers are left incomplete, causing excessive memory consumption, process termination, or severe slowdowns in applications that accept such uploads. Versions 2.2.19, 3.1.17, and 3.2.2 cap the size of part headers to mitigate this issue; users of earlier versions should upgrade, or enforce request size limits in front of the application.
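To make the mitigation concrete, the following is an added example written for this page, not Rack's own parser code: a reader for the header block of a single multipart part that stops accumulating once a cap is reached, which is the class of limit the fixed versions introduce. The class and method names, the 4096-byte cap, and the sample inputs are assumptions for illustration.

```ruby
require 'stringio'

# Hypothetical bounded reader for one multipart part's header block.
# It buffers bytes until the CRLF CRLF terminator that ends the headers,
# but refuses to buffer more than max_bytes, so an unterminated header
# block can no longer grow memory without bound.
class BoundedPartHeaderReader
  MAX_HEADER_BYTES = 4096          # assumed cap; real limits are a policy choice
  CHUNK = 1024                     # read granularity
  HEADER_END = "\r\n\r\n".b.freeze # blank line terminating the header block

  class HeaderTooLarge < StandardError; end
  class HeaderUnterminated < StandardError; end

  # Reads from io until the header terminator is found.
  # Returns [headers_hash, bytes_after_terminator].
  # Raises HeaderTooLarge if the terminator has not appeared within
  # max_bytes, and HeaderUnterminated if the stream ends first.
  def self.read(io, max_bytes: MAX_HEADER_BYTES)
    buf = String.new(encoding: Encoding::BINARY)
    loop do
      idx = buf.index(HEADER_END)
      if idx
        raw  = buf[0, idx]
        rest = buf[(idx + HEADER_END.bytesize)..-1]
        return [parse_headers(raw), rest]
      end
      # Cap check happens before any further read, so the buffer can never
      # exceed max_bytes regardless of how much the client keeps sending.
      raise HeaderTooLarge, "part headers exceed #{max_bytes} bytes" if buf.bytesize >= max_bytes

      chunk = io.read([CHUNK, max_bytes - buf.bytesize].min)
      raise HeaderUnterminated, "stream ended before header terminator" if chunk.nil? || chunk.empty?

      buf << chunk
    end
  end

  # Splits "Name: value" lines into a hash keyed by lower-cased header name.
  def self.parse_headers(raw)
    raw.split("\r\n").each_with_object({}) do |line, h|
      name, value = line.split(":", 2)
      next if name.nil? || value.nil?
      h[name.strip.downcase] = value.strip
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: a well-formed part header block followed by body bytes.
  good = "Content-Disposition: form-data; name=\"file\"; filename=\"a.txt\"\r\n" \
         "Content-Type: text/plain\r\n\r\nhello"
  headers, body = BoundedPartHeaderReader.read(StringIO.new(good))
  puts "headers: #{headers.inspect}, body: #{body.inspect}"

  # Constructed sample: a header block that never terminates.
  begin
    BoundedPartHeaderReader.read(StringIO.new("X-Junk: " + ("a" * 10_000)))
  rescue BoundedPartHeaderReader::HeaderTooLarge => e
    puts "rejected: #{e.message}"
  end
end
```

The important property is that the size check runs before each read, so the worst-case memory held per part is fixed by the cap rather than by how long the client keeps streaming header bytes.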

Affected Version(s)

rack < 2.2.19

rack >= 3.1, < 3.1.17

rack >= 3.2, < 3.2.2

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
