Denial of Service Vulnerability in Rack Web Server Interface
CVE-2025-61919

7.5 HIGH

Key Information:

Vendor: Rack
Status: Vendor
CVE Published: 10 October 2025

What is CVE-2025-61919?

A vulnerability exists in Rack, a Ruby web server interface, where the Rack::Request#POST method reads the entire request body into memory without any size limitations for Content-Type: application/x-www-form-urlencoded. This issue can lead to denial of service due to memory exhaustion, as large request bodies may be fully buffered in memory before being processed. To remediate this vulnerability, users should update to Rack versions 2.2.20, 3.1.18, or 3.2.3, which implement limits on form parameters. Additionally, configuring strict maximum body sizes at the proxy or web server layer (such as Nginx and Apache) is advised to prevent unbounded reads and enhance overall security.
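The in-application counterpart to the proxy-level limit described above, as an added example that is neither Rack's own code nor the fix shipped in the patched versions: a Rack-compatible middleware that refuses oversized application/x-www-form-urlencoded bodies before a downstream Rack::Request#POST can buffer them. It assumes only the standard Rack env-hash keys (CONTENT_TYPE, CONTENT_LENGTH, rack.input); the run_form_limit harness and its byte-counting app are constructed for offline use.

```ruby
require 'stringio'
# Added example, not Rack's own code: a Rack-compatible middleware that rejects
# application/x-www-form-urlencoded bodies larger than a configured limit
# before a downstream Rack::Request#POST can buffer them in memory.
class FormBodyLimit
  FORM_TYPE = 'application/x-www-form-urlencoded'
  def initialize(app, max_bytes: 1024 * 1024)
    @app = app
    @max_bytes = max_bytes
  end

  def call(env)
    return @app.call(env) unless form_encoded?(env)

    # A declared Content-Length above the limit is refused without reading.
    length = env['CONTENT_LENGTH']
    return too_large if length && length.to_i > @max_bytes

    # No or unreliable Content-Length (e.g. chunked): read at most one byte
    # past the limit and refuse if the body had not ended by then.
    data = env['rack.input'].read(@max_bytes + 1) || ''
    return too_large if data.bytesize > @max_bytes

    # Hand the downstream app a rewound, bounded body.
    env['rack.input'] = StringIO.new(data)
    env['CONTENT_LENGTH'] = data.bytesize.to_s
    @app.call(env)
  end

  private

  def form_encoded?(env)
    env['CONTENT_TYPE'].to_s.split(';').first.to_s.strip.downcase == FORM_TYPE
  end

  def too_large
    [413, { 'content-type' => 'text/plain' }, ['Payload Too Large']]
  end
end

# Constructed harness (hypothetical): runs the middleware offline against a
# trivial app that reports how many body bytes reached it.
def run_form_limit(body, max_bytes:, content_length: body.bytesize.to_s)
  app = ->(env) { [200, {}, ["read #{env['rack.input'].read.bytesize}"]] }
  env = { 'REQUEST_METHOD' => 'POST', 'CONTENT_LENGTH' => content_length,
          'CONTENT_TYPE' => 'application/x-www-form-urlencoded',
          'rack.input' => StringIO.new(body) }
  FormBodyLimit.new(app, max_bytes: max_bytes).call(env)
end
```

Passing `content_length: nil` exercises the path where the limit must be enforced while reading rather than from the declared length.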

Affected Version(s)

  • rack < 2.2.20 (fixed in 2.2.20)

  • rack >= 3.0, < 3.1.18 (fixed in 3.1.18)

  • rack >= 3.2, < 3.2.3 (fixed in 3.2.3)

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability reserved
