Source: ruby-rack
Version: 3.1.16-0.1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 2.2.13-1~deb12u1
Hi,

The following vulnerability was published for ruby-rack.

CVE-2025-61919[0]:
| Rack is a modular Ruby web server interface. Prior to versions
| 2.2.20, 3.1.18, and 3.2.3, `Rack::Request#POST` reads the entire
| request body into memory for `Content-Type: application/x-www-form-urlencoded`,
| calling `rack.input.read(nil)` without enforcing a
| length or cap. Large request bodies can therefore be buffered
| completely into process memory before parsing, leading to denial of
| service (DoS) through memory exhaustion. Users should upgrade to
| Rack version 2.2.20, 3.1.18, or 3.2.3, any of which enforces form
| parameter limits using `query_parser.bytesize_limit`, preventing
| unbounded reads of `application/x-www-form-urlencoded` bodies.
| Additionally, enforce strict maximum body size at the proxy or web
| server layer (e.g., Nginx `client_max_body_size`, Apache
| `LimitRequestBody`).

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-61919
    https://www.cve.org/CVERecord?id=CVE-2025-61919
[1] https://github.com/rack/rack/security/advisories/GHSA-6xw4-3v39-52mm
[2] https://github.com/rack/rack/commit/e179614c4a653283286f5f046428cbb85f21146f
[3] https://github.com/rack/rack/commit/cbd541e8a3d0c5830a3c9a30d3718ce2e124f9db
[4] https://github.com/rack/rack/commit/4e2c903991a790ee211a3021808ff4fd6fe82881

Regards,
Salvatore
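The advisory's mitigation (a strict body-size cap in front of the parser) as an added example, not part of the bug report and not Rack's own `query_parser.bytesize_limit` fix: a Rack-style middleware, here named `BoundedFormBody` (a hypothetical name), that refuses oversized `application/x-www-form-urlencoded` bodies before any downstream code can call `rack.input.read(nil)`. It only touches the plain Rack env hash, so it runs without the rack gem installed.

```ruby
require 'stringio'

# Added example (not Rack's own code). Rejects form bodies over a fixed byte
# limit before the application (and Rack::Request#POST) ever reads them.
class BoundedFormBody
  FORM_TYPE = 'application/x-www-form-urlencoded'

  def initialize(app, limit: 4 * 1024 * 1024)
    @app = app
    @limit = limit
  end

  def call(env)
    return @app.call(env) unless form_request?(env)

    # Cheap check first: a declared Content-Length above the cap is refused outright.
    declared = env['CONTENT_LENGTH'].to_i if env['CONTENT_LENGTH']
    return reject if declared && declared > @limit

    # Chunked, absent or lying Content-Length: read in pieces and stop at the cap
    # instead of buffering an unbounded body into process memory.
    body = read_capped(env['rack.input'])
    return reject if body.nil?

    # Hand downstream a rewound, bounded body with an accurate length.
    env['rack.input'] = StringIO.new(body)
    env['CONTENT_LENGTH'] = body.bytesize.to_s
    @app.call(env)
  end

  private

  def form_request?(env)
    env['CONTENT_TYPE'].to_s.split(';').first.to_s.strip.downcase == FORM_TYPE
  end

  # Returns the body as a String, or nil as soon as it exceeds @limit bytes.
  def read_capped(input)
    buf = +''
    while (chunk = input.read(8192))
      buf << chunk
      return nil if buf.bytesize > @limit
    end
    buf
  end

  def reject
    [413, { 'content-type' => 'text/plain' }, ['Payload Too Large']]
  end
end
```

Wrap the application with `BoundedFormBody.new(app, limit: n)`; non-form content types pass through untouched, since the advisory's unbounded read concerns form bodies only.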

