CVE-2025-61919
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-10-10

Last updated on: 2025-11-03

Assigner: GitHub, Inc.

Description
Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, `Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion. Users should upgrade to Rack version 2.2.20, 3.1.18, or 3.2.3, anu of which enforces form parameter limits using `query_parser.bytesize_limit`, preventing unbounded reads of `application/x-www-form-urlencoded` bodies. Additionally, enforce strict maximum body size at the proxy or web server layer (e.g., Nginx `client_max_body_size`, Apache `LimitRequestBody`).
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-10-10
Last Modified
2025-11-03
Generated
2026-06-16
AI Q&A
2025-10-10
EPSS Evaluated
2026-06-15
NVD
CVE-2025-61919
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
rack rack to 2.2.20 (exc)
rack rack From 3.0.0 (inc) to 3.1.18 (exc)
rack rack From 3.2.0 (inc) to 3.2.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Rack Ruby web server interface where the method Rack::Request#POST reads the entire request body into memory for requests with Content-Type: application/x-www-form-urlencoded without enforcing any length limit. This means that very large request bodies can be fully loaded into memory, potentially exhausting system memory and causing a denial of service (DoS).

Impact Analysis

The vulnerability can lead to denial of service (DoS) by exhausting the server's memory when processing large request bodies. This can cause the server to become unresponsive or crash, disrupting service availability.

Detection Guidance

Detection can involve monitoring for unusually large HTTP POST requests with Content-Type: application/x-www-form-urlencoded that may cause memory exhaustion. Commands to inspect such requests depend on your environment; for example, using network packet capture tools like tcpdump or Wireshark to filter POST requests, or checking web server logs for large request bodies. However, specific commands are not provided in the available information.

Mitigation Strategies

Immediate mitigation steps include upgrading Rack to version 2.2.20, 3.1.18, or 3.2.3 or later, which enforce form parameter limits to prevent unbounded reads. Additionally, configure your proxy or web server to enforce strict maximum body size limits, such as setting 'client_max_body_size' in Nginx or 'LimitRequestBody' in Apache.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-61919. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart