Denial of Service Vulnerability in Rack Web Server Interface
CVE-2025-61919
What is CVE-2025-61919?
A vulnerability exists in Rack, a Ruby web server interface, where the Rack::Request#POST method reads the entire request body into memory, with no size limit, for requests carrying Content-Type: application/x-www-form-urlencoded. This can lead to denial of service through memory exhaustion, because a large request body is fully buffered in memory before it is processed. To remediate this vulnerability, users should update to Rack version 2.2.20, 3.1.18, or 3.2.3, which implement limits on form parameters. Additionally, configuring a strict maximum body size at the proxy or web server layer (such as Nginx or Apache) is advised to prevent unbounded reads and to enhance overall security.
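As an added example (not Rack's own code, and unrelated to the 2.2.20/3.1.18/3.2.3 fix), the following Rack middleware caps form-encoded bodies before any downstream code can buffer them whole; the class, constant and helper names are hypothetical, and the downstream app and request envs are constructed stand-ins so the block runs without the rack gem.

```ruby
require 'stringio'
require 'uri'

# Hypothetical middleware: caps form-encoded bodies before the downstream app
# (e.g. anything calling Rack::Request#POST) can buffer them whole.
class FormBodyLimit
  FORM_TYPE = 'application/x-www-form-urlencoded'
  TOO_LARGE = [413, { 'content-type' => 'text/plain' }, ["Payload Too Large\n"]].freeze

  def initialize(app, max_bytes: 1024 * 1024)
    @app = app
    @max = max_bytes
  end

  def call(env)
    return @app.call(env) unless form_request?(env)
    # Fast path: a declared Content-Length above the cap is refused unread.
    declared = env['CONTENT_LENGTH']
    return TOO_LARGE if declared && declared.to_i > @max
    # Real guard: read at most max+1 bytes, so a missing or understated
    # Content-Length (e.g. chunked transfer) still can never exhaust memory.
    data = env['rack.input'].read(@max + 1) || ''
    return TOO_LARGE if data.bytesize > @max
    env['rack.input'] = StringIO.new(data)      # bounded, rewindable copy
    env['CONTENT_LENGTH'] = data.bytesize.to_s  # honest length for the app
    @app.call(env)
  end

  private

  def form_request?(env)
    mime = env['CONTENT_TYPE'].to_s.split(';').first.to_s.strip
    env['REQUEST_METHOD'] != 'GET' && mime.casecmp?(FORM_TYPE)
  end
end

# Constructed downstream app: parses the form with the stdlib (no rack gem needed).
PARSE_FORM = lambda do |env|
  params = URI.decode_www_form(env['rack.input'].read).to_h
  [200, { 'content-type' => 'text/plain' }, ["keys=#{params.keys.join(',')}\n"]]
end

# Constructed Rack env for a POST; content_length: nil simulates a chunked body.
def form_env(body, content_length: body.bytesize)
  env = { 'REQUEST_METHOD' => 'POST', 'CONTENT_TYPE' => FormBodyLimit::FORM_TYPE,
          'rack.input' => StringIO.new(body) }
  env['CONTENT_LENGTH'] = content_length.to_s if content_length
  env
end

APP = FormBodyLimit.new(PARSE_FORM, max_bytes: 64)
```

The same cap belongs at the proxy too (for Nginx, the `client_max_body_size` directive), so oversized bodies are dropped before they reach Ruby at all.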

Affected Version(s)

| Package | Affected versions | Fixed in |
| --- | --- | --- |
| rack | < 2.2.20 | 2.2.20 |
| rack | >= 3.0, < 3.1.18 | 3.1.18 |
| rack | >= 3.2, < 3.2.3 | 3.2.3 |
