PT-2025-41012 · Rack (+8 other affected products)

Kwkr

Published: 2025-10-07
Updated: 2026-04-09

CVE-2025-61770

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions

Rack versions prior to 2.2.19
Rack versions prior to 3.1.17
Rack versions prior to 3.2.2

Description

Rack is a modular Ruby web server interface. The Rack::Multipart::Parser component does not limit the size of the multipart preamble (the bytes before the first boundary), so a request can make the parser buffer an unbounded amount of data, leading to excessive memory consumption and process termination under out-of-memory conditions. An attacker can send a large preamble within a multipart/form-data request to trigger this issue. The impact scales with request size and concurrency: workers may crash outright or slow down under garbage-collection pressure.

Recommendations

Update to Rack version 2.2.19 or later.
Update to Rack version 3.1.17 or later.
Update to Rack version 3.2.2 or later.
As a workaround, limit the total request body size at the proxy or web server level.
As a workaround, monitor memory usage and set per-process limits to prevent out-of-memory conditions.
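The following is an added example written for this entry; it is not Rack's own code and not the upstream fix. It covers both the mechanism in the Description and the workaround in the Recommendations: a Rack-compatible middleware that caps the total request body (so an oversized multipart preamble is rejected with 413 before any parser buffers it, whether or not the client declares Content-Length), and a helper that checks a Rack version against the fixed releases listed above. The default cap of 8 MiB, the class and method names (RequestBodyLimit, LimitedInput, rack_vulnerable?, demo_status) and the sample request environment are all assumptions constructed for the example; the middleware uses only the plain Rack env/IO conventions, so it runs without the rack gem installed.

```ruby
# Added example for CVE-2025-61770 (not Rack's own code).
require 'rubygems'
require 'stringio'

# Raised by LimitedInput once the application has read more body bytes than allowed.
class BodyTooLarge < StandardError; end

# Wraps rack.input and counts every byte handed to the application, so a chunked
# or otherwise undeclared body (no Content-Length) still runs into the cap.
class LimitedInput
  def initialize(io, max_bytes)
    @io = io
    @max_bytes = max_bytes
    @bytes_read = 0
  end

  def read(*args)
    account(@io.read(*args))
  end

  def gets(*args)
    account(@io.gets(*args))
  end

  def each
    while (line = gets)
      yield line
    end
  end

  def rewind
    @bytes_read = 0
    @io.rewind
  end

  private

  def account(chunk)
    @bytes_read += chunk.bytesize if chunk
    raise BodyTooLarge, "body exceeds #{@max_bytes} bytes" if @bytes_read > @max_bytes
    chunk
  end
end

# Middleware: rejects oversized bodies with 413 before the multipart parser (or
# anything else downstream) can buffer them. The 8 MiB default is an assumption.
class RequestBodyLimit
  def initialize(app, max_bytes: 8 * 1024 * 1024)
    @app = app
    @max_bytes = max_bytes
  end

  def call(env)
    declared = env['CONTENT_LENGTH']
    return reject if declared && !declared.empty? && declared.to_i > @max_bytes
    env['rack.input'] = LimitedInput.new(env['rack.input'], @max_bytes) if env['rack.input']
    @app.call(env)
  rescue BodyTooLarge
    reject
  end

  private

  def reject
    body = "Request body too large\n"
    [413, { 'content-type' => 'text/plain', 'content-length' => body.bytesize.to_s }, [body]]
  end
end

# Fixed versions from this advisory, keyed by release line (major.minor).
RACK_FIXED_VERSIONS = { '2.2' => '2.2.19', '3.1' => '3.1.17', '3.2' => '3.2.2' }.freeze

# true  => below the fixed release for its line; false => at or above it;
# nil   => release line not covered by the advisory's fixed-version list.
def rack_vulnerable?(version)
  v = Gem::Version.new(version)
  fixed = RACK_FIXED_VERSIONS[v.segments[0, 2].join('.')]
  return nil unless fixed
  v < Gem::Version.new(fixed)
end

# Constructed demo: an app that reads the whole body, placed behind the limiter.
# Returns the HTTP status the client would see.
def demo_status(body_bytes, max_bytes:, declare_length: true)
  app = ->(env) { env['rack.input'].read; [200, { 'content-type' => 'text/plain' }, ["ok\n"]] }
  env = {
    'REQUEST_METHOD' => 'POST',
    'CONTENT_TYPE'   => 'multipart/form-data; boundary=----constructed',
    'rack.input'     => StringIO.new('a' * body_bytes)
  }
  env['CONTENT_LENGTH'] = body_bytes.to_s if declare_length
  RequestBodyLimit.new(app, max_bytes: max_bytes).call(env)[0]
end
```

Two caveats. The middleware still lets up to max_bytes reach the worker, so the advisory's proxy-level limit is the better first line (the bytes never reach Ruby); the middleware is a fallback for deployments where the proxy is not under your control. And rack_vulnerable? deliberately returns nil for release lines the advisory does not list rather than guessing; treat nil as "check the vendor advisory", not as "safe".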

Tags: Exploit, Fix, DoS, Resource Exhaustion

Weakness Enumeration

Related Identifiers

ALSA-2025:19719
ALSA-2025:20962
ALSA-2025:21036
ALSA-2025_19719
ALSA-2025_20962
BDU:2025-13875
CESA-2025_19719
CLEANSTART-2026-GE08280
CLEANSTART-2026-IW08736
CLEANSTART-2026-RZ30606
CLEANSTART-2026-XJ84245
CVE-2025-61770
DLA-4357-1
DSA-6048-1
GHSA-P543-XPFM-54CP
INFSA-2025_19512
INFSA-2025_19719
INFSA-2025_20962
MGASA-2025-0334
OPENSUSE-SU-2025:15621-1
OPENSUSE-SU-2026:10286-1
RHSA-2025:19512
RHSA-2025:19513
RHSA-2025:19647
RHSA-2025:19719
RHSA-2025:19733
RHSA-2025:19734
RHSA-2025:19736
RHSA-2025:19800
RHSA-2025:19948
RHSA-2025:20962
RHSA-2025:21036
RHSA-2025:21696
RHSA-2025_19512
RHSA-2025_19719
RHSA-2025_20962
USN-7960-1

Affected Products

Almalinux
Centos
Debian
Linuxmint
Rack
Red Hat
Red Os
Rocky Linux
Ubuntu