PT-2025-41132 · Rack+8
Kwkr · Published 2025-10-07 · Updated 2026-04-09 · CVE-2025-61772
CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions
Rack versions prior to 2.2.19
Rack versions prior to 3.1.17
Rack versions prior to 3.2.2
Description
Rack is a modular Ruby web server interface. Its Rack::Multipart::Parser component can accumulate unbounded data when it processes a multipart request whose header block is incomplete, that is, missing the blank line that must terminate the headers. A remote attacker can use this to exhaust memory, potentially leading to a denial of service (DoS): sending incomplete multipart headers drives memory usage up until the process is terminated or its performance degrades significantly. The impact is proportional to request size limits and concurrency. Applications that handle multipart uploads may be affected. The parser keeps appending incoming bytes to memory without a size cap.
Recommendations
Update to Rack version 2.2.19 or later.
Update to Rack version 3.1.17 or later.
Update to Rack version 3.2.2 or later.
As a workaround, restrict maximum request sizes at the proxy or web server layer.
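One way to apply the workaround inside the application rather than at the proxy, as an added example that is not code from the advisory or from the Rack project: a Rack-style middleware that refuses multipart requests whose declared body size is missing, malformed or above a cap, before the application reads its params (which is when Rack::Multipart::Parser actually runs). The class name, the constant names, the 10 MiB default and the sample environments are this example's own assumptions.

```ruby
# Added example, not Rack's own code: cap multipart bodies before Rack parses them.
# Rack multipart parsing is lazy (it runs when the app reads request.POST/params),
# so rejecting in middleware keeps the parser from ever buffering the body.
class MultipartSizeCap
  # Assumed cap: 10 MiB. Tune to what the application legitimately needs.
  MAX_MULTIPART_BYTES = 10 * 1024 * 1024

  def initialize(app, max_bytes: MAX_MULTIPART_BYTES)
    @app = app
    @max = max_bytes
  end

  def call(env)
    # Only multipart bodies feed Rack::Multipart::Parser; leave the rest alone.
    return @app.call(env) unless multipart?(env)

    len = env['CONTENT_LENGTH']
    # No Content-Length (e.g. chunked transfer) means the size is unbounded from
    # the middleware's point of view; refuse rather than let the parser buffer blindly.
    return reject(411, 'Content-Length required for multipart') if len.nil? || len.empty?
    return reject(400, 'Invalid Content-Length') unless len.match?(/\A\d+\z/)
    return reject(413, "Multipart body exceeds #{@max} bytes") if len.to_i > @max

    @app.call(env)
  end

  private

  def multipart?(env)
    env['CONTENT_TYPE'].to_s.downcase.start_with?('multipart/form-data')
  end

  def reject(status, message)
    body = "#{message}\n"
    [status, { 'content-type' => 'text/plain', 'content-length' => body.bytesize.to_s }, [body]]
  end
end

# Constructed sample application and helper (not real traffic) to show the decision.
OK_APP = ->(_env) { [200, { 'content-type' => 'text/plain' }, ['ok']] }

# Returns only the status code so the outcome for a given env is easy to inspect.
def decide(env, max_bytes: 1024)
  MultipartSizeCap.new(OK_APP, max_bytes: max_bytes).call(env).first
end
```

Because the advisory notes that impact is proportional to request size limits, a cap only bounds the memory an incomplete header block can consume; updating Rack remains the fix.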

Exploit · Fix · DoS · Resource Exhaustion

Weakness Enumeration

Related Identifiers

ALSA-2025:19719
ALSA-2025:20962
ALSA-2025:21036
ALSA-2025_19719
ALSA-2025_20962
BDU:2025-14431
CESA-2025_19719
CLEANSTART-2026-GE08280
CLEANSTART-2026-IW08736
CLEANSTART-2026-RZ30606
CLEANSTART-2026-XJ84245
CVE-2025-61772
DLA-4357-1
DSA-6048-1
GHSA-WPV5-97WM-HP9C
INFSA-2025_19512
INFSA-2025_19719
INFSA-2025_20962
MGASA-2025-0334
OPENSUSE-SU-2025:15621-1
OPENSUSE-SU-2026:10286-1
RHSA-2025:19512
RHSA-2025:19513
RHSA-2025:19647
RHSA-2025:19719
RHSA-2025:19733
RHSA-2025:19734
RHSA-2025:19736
RHSA-2025:19800
RHSA-2025:19948
RHSA-2025:20962
RHSA-2025:21036
RHSA-2025_19512
RHSA-2025_19719
RHSA-2025_20962
USN-7960-1

Affected Products

Almalinux
Centos
Debian
Linuxmint
Rack
Red Hat
Red Os
Rocky Linux
Ubuntu