CVE-2025-59830

CVSS v2.0

7.8

High

Vector

AV:N/AC:L/Au:N/C:N/I:N/A:C

Name of the Vulnerable Software and Affected Versions: rack versions prior to 2.2.18

Description: A flaw exists in Rack::QueryParser where the params limit is not correctly enforced when parameters are separated by semicolons (;) instead of ampersands (&). The parser counts only ampersands when enforcing the limit, while splitting on both. This allows attackers to bypass the parameter count limit and potentially cause a denial-of-service condition due to increased CPU and memory consumption.

Recommendations: Upgrade to version 2.2.18 or later to address this issue. If upgrading is not immediately possible, configure QueryParser with an explicit delimiter (e.g., &) to avoid the mismatch.

Exploit

Fix

DoS

Resource Exhaustion

Allocation of Resources Without Limits

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-400CWE-770

Related Identifiers

ALSA-2025:19719

ALSA-2025:20962

ALSA-2025:21036

BDU:2025-13146

CESA-2025_19719

CVE-2025-59830

DLA-4357-1

GHSA-625H-95R8-8XPM

INFSA-2025_19512

INFSA-2025_19719

INFSA-2025_20962

MGASA-2025-0334

OPENSUSE-SU-2025:15587-1

OPENSUSE-SU-2026:10286-1

RHSA-2025:19512

RHSA-2025:19513

RHSA-2025:19647

RHSA-2025:19719

RHSA-2025:19733

RHSA-2025:19734

RHSA-2025:19736

RHSA-2025:19800

RHSA-2025:19948

RHSA-2025:20962

RHSA-2025:21036

RHSA-2025_19512

RHSA-2025_19719

RHSA-2025_20962

USN-7784-1

USN-7960-1

Affected Products

Almalinux

Centos

Debian

Linuxmint

Rack

Red Hat

Red Os

Rocky Linux

Ubuntu

CVE-2025-59830

Weakness Enumeration

Related Identifiers

Affected Products

References · 96