CVE-2025-61771
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-07

Last updated on: 2025-10-10

Assigner: GitHub, Inc.

Description
Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, ``Rack::Multipart::Parser` stores non-file form fields (parts without a `filename`) entirely in memory as Ruby `String` objects. A single large text field in a multipart/form-data request (hundreds of megabytes or more) can consume equivalent process memory, potentially leading to out-of-memory (OOM) conditions and denial of service (DoS). Attackers can send large non-file fields to trigger excessive memory usage. Impact scales with request size and concurrency, potentially leading to worker crashes or severe garbage-collection overhead. All Rack applications processing multipart form submissions are affected. Versions 2.2.19, 3.1.17, and 3.2.2 enforce a reasonable size cap for non-file fields (e.g., 2 MiB). Workarounds include restricting maximum request body size at the web-server or proxy layer (e.g., Nginx `client_max_body_size`) and validating and rejecting unusually large form fields at the application level.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-07
Last Modified
2025-10-10
Generated
2026-06-16
AI Q&A
2025-10-07
EPSS Evaluated
2026-06-15
NVD
CVE-2025-61771
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
rack rack to 2.2.19 (exc)
rack rack From 3.1.0 (inc) to 3.1.17 (exc)
rack rack From 3.2.0 (inc) to 3.2.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Rack Ruby web server interface where non-file form fields in multipart/form-data requests are stored entirely in memory as Ruby String objects. If an attacker sends a very large text field (hundreds of megabytes or more), it can consume a large amount of process memory, potentially causing out-of-memory conditions and denial of service by crashing workers or causing severe garbage collection overhead. This affects all Rack applications processing multipart form submissions in versions prior to 2.2.19, 3.1.17, and 3.2.2.

Impact Analysis

The vulnerability can lead to denial of service (DoS) by exhausting server memory when processing large non-file form fields in multipart requests. This can cause worker crashes or severe performance degradation due to garbage collection overhead, impacting availability of the affected Rack-based web applications.

Detection Guidance

This vulnerability can be detected by monitoring for unusually large multipart/form-data requests containing large non-file fields that consume excessive memory. Since the vulnerability involves large text fields causing high memory usage, you can detect it by inspecting web server logs for large request sizes or by using network monitoring tools to identify large POST requests. Commands to check request sizes in logs or monitor memory usage of Rack application processes may help. However, no specific commands are provided in the available information.

Mitigation Strategies

Immediate mitigation steps include upgrading Rack to versions 2.2.19, 3.1.17, or 3.2.2 or later, which enforce a reasonable size cap (e.g., 2 MiB) for non-file fields. Additionally, you can restrict the maximum request body size at the web-server or proxy layer, for example by setting Nginx's 'client_max_body_size' directive to limit request sizes. Validating and rejecting unusually large form fields at the application level is also recommended to prevent excessive memory consumption.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-61771. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart