PT-2025-41012 · Rack+8
Kwkr
Published 2025-10-07 · Updated 2026-04-09
CVE-2025-61770
CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions
Rack versions prior to 2.2.19
Rack versions prior to 3.1.17
Rack versions prior to 3.2.2
Description
Rack is a modular Ruby web server interface. The Rack::Multipart::Parser component does not limit the size of the multipart preamble, potentially leading to excessive memory consumption and process termination due to out-of-memory conditions. An attacker can send a large preamble within a multipart/form-data request to trigger this issue. The impact depends on request size and concurrency, potentially causing worker crashes or slowdowns due to garbage collection.
Recommendations
Update to Rack version 2.2.19 or later.
Update to Rack version 3.1.17 or later.
Update to Rack version 3.2.2 or later.
As a workaround, limit the total request body size at the proxy or web server level.
As a workaround, monitor memory usage and set per-process limits to prevent out-of-memory conditions.
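The body-size workaround above is usually applied at the proxy, but it can also be enforced inside the Rack stack so that an oversized multipart body is refused before Rack::Multipart::Parser ever reads it. The following is an added example written for this advisory; it is not code from Rack or from the advisory's authors. The middleware name (BodySizeLimit), the wrapper name (LimitedInput), the 10 MiB default and the demo helper are all assumptions; the sample requests are constructed inline. It is a stop-gap only, the fix remains upgrading to a patched Rack release.

```ruby
require 'stringio'

# Added example (hypothetical names, not part of Rack): a Rack-compatible middleware
# that caps the total request body size in the application stack, so a multipart
# request with an oversized preamble is rejected before the multipart parser runs.
class BodySizeLimit
  class TooLarge < StandardError; end

  # Wraps rack.input and counts the bytes handed to the application; raises once
  # the cap is exceeded. This also covers bodies that carry no Content-Length
  # (for example chunked transfer encoding), which a header check alone misses.
  class LimitedInput
    def initialize(io, limit)
      @io = io
      @limit = limit
      @seen = 0
    end

    def read(length = nil, outbuf = nil)
      chunk = @io.read(length, outbuf)
      account(chunk)
      chunk
    end

    def gets(*args)
      line = @io.gets(*args)
      account(line)
      line
    end

    def each
      while (line = gets)
        yield line
      end
    end

    def rewind
      @seen = 0
      @io.rewind
    end

    # rack.input must never be closed by the application, so this is a no-op.
    def close; end

    private

    def account(data)
      return if data.nil?
      @seen += data.bytesize
      raise TooLarge, "request body exceeds #{@limit} bytes" if @seen > @limit
    end
  end

  DEFAULT_LIMIT = 10 * 1024 * 1024 # 10 MiB; an assumed value, tune it per application

  def initialize(app, limit: DEFAULT_LIMIT)
    @app = app
    @limit = limit
  end

  def call(env)
    # Fast path: a declared Content-Length above the cap is refused before any read.
    declared = env['CONTENT_LENGTH']
    return reject if declared && declared.to_i > @limit

    # Slow path: meter whatever the application (and the multipart parser) reads.
    env['rack.input'] = LimitedInput.new(env['rack.input'], @limit) if env['rack.input']
    @app.call(env)
  rescue TooLarge
    reject
  end

  private

  def reject
    body = "Request body too large\n"
    [413, { 'content-type' => 'text/plain', 'content-length' => body.bytesize.to_s }, [body]]
  end
end

# Constructed sample requests to exercise the middleware offline; returns the status code.
# content_length: nil simulates a body with no Content-Length header.
def demo_status(body, content_length: body.bytesize, limit: 64)
  app = ->(env) { env['rack.input'].read; [200, { 'content-type' => 'text/plain' }, ['ok']] }
  env = {
    'REQUEST_METHOD' => 'POST',
    'CONTENT_TYPE' => 'multipart/form-data; boundary=abc',
    'CONTENT_LENGTH' => content_length&.to_s,
    'rack.input' => StringIO.new(body),
  }
  BodySizeLimit.new(app, limit: limit).call(env)[0]
end
```

Mount it early in config.ru (`use BodySizeLimit, limit: 10 * 1024 * 1024`) so it sits in front of anything that parses the body. The cap is on the whole body, matching the advisory's workaround; it does not try to distinguish the preamble from the parts, because the parser's memory growth is driven by total bytes read.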
Exploit
Fix
DoS
Resource Exhaustion
Weakness Enumeration
Related identifiers
Affected products
Almalinux
Centos
Debian
Linuxmint
Rack
Red Hat
Red Os
Rocky Linux
Ubuntu