Source: ruby-rack
Version: 3.1.16-0.1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Hi,

The following vulnerability was published for ruby-rack.

CVE-2025-61771[0]:
| Rack is a modular Ruby web server interface. In versions prior to
| 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` stores non-file
| form fields (parts without a `filename`) entirely in memory as Ruby
| `String` objects. A single large text field in a multipart/form-data
| request (hundreds of megabytes or more) can consume equivalent process
| memory, potentially leading to out-of-memory (OOM) conditions and
| denial of service (DoS). Attackers can send large non-file fields to
| trigger excessive memory usage. Impact scales with request size and
| concurrency, potentially leading to worker crashes or severe
| garbage-collection overhead. All Rack applications processing
| multipart form submissions are affected. Versions 2.2.19, 3.1.17, and
| 3.2.2 enforce a reasonable size cap for non-file fields (e.g., 2 MiB).
| Workarounds include restricting maximum request body size at the
| web-server or proxy layer (e.g., Nginx `client_max_body_size`) and
| validating and rejecting unusually large form fields at the
| application level.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-61771
    https://www.cve.org/CVERecord?id=CVE-2025-61771
[1] https://github.com/rack/rack/security/advisories/GHSA-w9pc-fmgc-vxvw

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

_______________________________________________
Pkg-ruby-extras-maintainers mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-ruby-extras-maintainers
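The advisory's application-level workaround (reject oversized multipart bodies before the parser buffers a text field in memory), as an added example that is not part of the bug report and not code from Rack itself. It is a Rack-compatible middleware written against the plain env/call contract, so it runs without the rack gem: a declared Content-Length above the cap is refused with 413 up front, and, because an attacker can omit Content-Length by using chunked transfer encoding, rack.input is also wrapped so that the downstream parser cannot read past the cap. The class names, the 2 MiB default, the 413 body text and the constructed multipart request below are assumptions made for this example.

```ruby
require 'stringio'

# Added example, not Rack's own code. Bounds multipart/form-data bodies in
# front of Rack::Multipart::Parser so that a single huge non-file field
# cannot consume equivalent process memory (CVE-2025-61771 workaround).
class MultipartBodyLimit
  class LimitExceeded < StandardError; end

  # Assumed default: same order of magnitude as the per-field cap the fixed
  # Rack versions (2.2.19 / 3.1.17 / 3.2.2) enforce.
  DEFAULT_LIMIT = 2 * 1024 * 1024

  # Wraps rack.input and counts every byte handed to the application; going
  # past the limit raises, which covers bodies sent without Content-Length.
  class LimitedInput
    def initialize(io, limit)
      @io = io
      @limit = limit
      @consumed = 0
    end

    def read(*args)
      chunk = @io.read(*args)
      count(chunk)
      chunk
    end

    def gets(*args)
      line = @io.gets(*args)
      count(line)
      line
    end

    def each
      @io.each { |line| count(line); yield line }
    end

    def rewind
      @consumed = 0
      @io.rewind
    end

    def close; end

    private

    def count(data)
      return if data.nil?
      @consumed += data.bytesize
      raise LimitExceeded, "multipart body exceeds #{@limit} bytes" if @consumed > @limit
    end
  end

  def initialize(app, limit: DEFAULT_LIMIT)
    @app = app
    @limit = limit
  end

  def call(env)
    return @app.call(env) unless multipart?(env)

    declared = declared_length(env)
    return too_large if declared && declared > @limit

    # Declared length is within bounds or absent: still cap the bytes actually read.
    env['rack.input'] = LimitedInput.new(env['rack.input'], @limit)
    @app.call(env)
  rescue LimitExceeded
    too_large
  end

  private

  def multipart?(env)
    env['CONTENT_TYPE'].to_s.downcase.start_with?('multipart/form-data')
  end

  def declared_length(env)
    raw = env['CONTENT_LENGTH'].to_s.strip
    return nil if raw.empty?
    Integer(raw, 10)
  rescue ArgumentError
    nil # malformed header: fall back to counting bytes as they are read
  end

  def too_large
    body = "multipart body too large\n"
    [413, { 'content-type' => 'text/plain', 'content-length' => body.bytesize.to_s }, [body]]
  end
end

# Constructed stand-in for the application: reads the whole body, as a
# multipart parser would, and reports how much it buffered.
CONSUMING_APP = lambda do |env|
  data = env['rack.input'].read
  [200, { 'content-type' => 'text/plain' }, ["read #{data.bytesize} bytes\n"]]
end

MULTIPART_TYPE = 'multipart/form-data; boundary=----exampleboundary'

# Constructed request body: one non-file text field of the requested size.
def multipart_body(field_bytes)
  boundary = '----exampleboundary'
  "--#{boundary}\r\nContent-Disposition: form-data; name=\"comment\"\r\n\r\n" \
    "#{'A' * field_bytes}\r\n--#{boundary}--\r\n"
end

# Runs one request through the middleware and returns the HTTP status.
def status_for(field_bytes, limit: 1024, content_type: MULTIPART_TYPE, declare_length: true)
  body = multipart_body(field_bytes)
  env = {
    'REQUEST_METHOD' => 'POST',
    'CONTENT_TYPE' => content_type,
    'rack.input' => StringIO.new(body),
  }
  env['CONTENT_LENGTH'] = body.bytesize.to_s if declare_length
  status, _headers, _body = MultipartBodyLimit.new(CONSUMING_APP, limit: limit).call(env)
  status
end

if __FILE__ == $PROGRAM_NAME
  puts "small declared field:      #{status_for(100)}"
  puts "large declared field:      #{status_for(5000)}"
  puts "large field, no length:    #{status_for(5000, declare_length: false)}"
  puts "large non-multipart body:  #{status_for(5000, content_type: 'application/octet-stream')}"
end
```

Mount it ahead of any middleware that touches `rack.input` (in config.ru, `use MultipartBodyLimit, limit: 2 * 1024 * 1024` before `run App`). This only bounds the whole multipart body; the fixed Rack versions additionally cap each individual non-file field, which is the better control once the package can be upgraded.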
