PT-2025-41013 · Rack+8

Kwkr · Published 2025-10-07 · Updated 2026-04-09 · CVE-2025-61771

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions

Rack versions prior to 2.2.19
Rack versions prior to 3.1.17
Rack versions prior to 3.2.2

Description

Rack is a modular Ruby web server interface. The Rack::Multipart::Parser component stores non-file form fields in memory as Ruby String objects. A large text field within a multipart/form-data request can consume significant process memory, potentially leading to out-of-memory (OOM) conditions and denial of service (DoS). Attackers can exploit this by sending requests with large non-file fields, causing excessive memory usage and potentially crashing workers or increasing garbage-collection overhead. All Rack applications processing multipart form submissions are potentially affected.

Recommendations

Update to Rack version 2.2.19 or later.
Update to Rack version 3.1.17 or later.
Update to Rack version 3.2.2 or later.
Restrict maximum request body size at the web-server or proxy layer.
Validate and reject unusually large form fields at the application level.
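The two mitigations that do not depend on upgrading (a body-size limit in front of the parser, and a per-field size check on parsed params) can both be expressed in a few lines of Ruby. The following is an added example, not code from Rack or from this advisory: the middleware class BodySizeLimit, the helper oversized_fields, the simulate helper and the byte limits are all assumptions chosen for illustration. It follows the Rack call(env) convention so it can be wired in with `use BodySizeLimit` in a config.ru, but it deliberately avoids requiring the rack gem so that it runs stand-alone.

```ruby
# Added example (not Rack's own code): two defensive layers against oversized
# multipart text fields. Follows the Rack call(env) protocol without requiring
# the rack gem. All class/method names and limits here are assumptions.
require 'stringio'

class BodySizeLimit
  # Rack-style middleware: refuse bodies whose declared or actual size exceeds
  # max_bytes, before any multipart parsing downstream can buffer the fields.
  def initialize(app, max_bytes: 1 * 1024 * 1024)
    @app = app
    @max_bytes = max_bytes
  end

  def call(env)
    declared = env['CONTENT_LENGTH']
    return too_large if declared && declared.to_i > @max_bytes

    # With no trustworthy Content-Length (e.g. chunked transfer), read at most
    # max_bytes + 1 and refuse if the body turns out to be larger.
    input = env['rack.input']
    if input
      data = input.read(@max_bytes + 1) || ''
      return too_large if data.bytesize > @max_bytes

      env['rack.input'] = StringIO.new(data) # hand a rewindable copy downstream
    end
    @app.call(env)
  end

  private

  def too_large
    body = "Request body too large\n"
    [413, { 'content-type' => 'text/plain', 'content-length' => body.bytesize.to_s }, [body]]
  end
end

# Application-level check: walk parsed form params and return the paths of all
# non-file text fields larger than max_field_bytes. File uploads are Hashes with
# a :tempfile key in Rack, so those are skipped; only plain Strings are measured.
def oversized_fields(params, max_field_bytes: 64 * 1024, path: '')
  found = []
  case params
  when Hash
    return found if params.key?(:tempfile)

    params.each do |k, v|
      child = path.empty? ? k.to_s : "#{path}[#{k}]"
      found.concat(oversized_fields(v, max_field_bytes: max_field_bytes, path: child))
    end
  when Array
    params.each_with_index do |v, i|
      found.concat(oversized_fields(v, max_field_bytes: max_field_bytes, path: "#{path}[#{i}]"))
    end
  when String
    found << path if params.bytesize > max_field_bytes
  end
  found
end

# Test helper: build a minimal Rack env around a constructed body and call the app.
# content_length: nil simulates a request with no Content-Length header.
def simulate(app, body, content_length: body.bytesize)
  env = { 'REQUEST_METHOD' => 'POST', 'rack.input' => StringIO.new(body) }
  env['CONTENT_LENGTH'] = content_length.to_s if content_length
  app.call(env)
end

if __FILE__ == $PROGRAM_NAME
  echo_app = ->(env) { [200, { 'content-type' => 'text/plain' }, [env['rack.input'].read]] }
  guarded = BodySizeLimit.new(echo_app, max_bytes: 1024)
  puts simulate(guarded, 'a' * 10)[0]                      # 200
  puts simulate(guarded, 'a' * 2000)[0]                    # 413 (declared length)
  puts simulate(guarded, 'a' * 2000, content_length: nil)[0] # 413 (actual length)

  # Constructed params as Rack would parse them from a multipart form.
  params = { 'name' => 'alice', 'user' => { 'bio' => 'x' * 200 },
             'tags' => ['ok', 'y' * 200],
             'avatar' => { tempfile: StringIO.new('png'), filename: 'f.png' } }
  p oversized_fields(params, max_field_bytes: 100)         # ["user[bio]", "tags[1]"]
end
```

The middleware limit is the coarse control that belongs at the edge (or in the proxy, as the advisory recommends); the per-field check is the finer one that runs after parsing and lets an application keep large file uploads while still refusing large text fields.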

Exploit

Fix

DoS

Resource Exhaustion

Weakness Enumeration

Related Identifiers

ALSA-2025:19719
ALSA-2025:20962
ALSA-2025:21036
ALSA-2025_19719
ALSA-2025_20962
BDU:2025-13876
CESA-2025_19719
CLEANSTART-2026-GE08280
CLEANSTART-2026-IW08736
CLEANSTART-2026-RZ30606
CLEANSTART-2026-XJ84245
CVE-2025-61771
DLA-4357-1
DSA-6048-1
GHSA-W9PC-FMGC-VXVW
INFSA-2025_19512
INFSA-2025_19719
INFSA-2025_20962
MGASA-2025-0334
OPENSUSE-SU-2025:15621-1
OPENSUSE-SU-2026:10286-1
RHSA-2025:19512
RHSA-2025:19513
RHSA-2025:19647
RHSA-2025:19719
RHSA-2025:19734
RHSA-2025:19800
RHSA-2025:19948
RHSA-2025:20962
RHSA-2025:21036
RHSA-2025_19512
RHSA-2025_19719
RHSA-2025_20962
USN-7960-1

Affected Products

Almalinux
Centos
Debian
Linuxmint
Rack
Red Hat
Red Os
Rocky Linux
Ubuntu