Source: ruby-rack
Version: 3.1.12-1
Severity: grave
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 2.2.6.4-1
Control: found -1 2.2.13-1~deb12u1

Hi,

The following vulnerability was published for ruby-rack.

CVE-2025-46727[0]:
| Rack is a modular Ruby web server interface. Prior to versions
| 2.2.14, 3.0.16, and 3.1.14, `Rack::QueryParser` parses query strings
| and `application/x-www-form-urlencoded` bodies into Ruby data
| structures without imposing any limit on the number of parameters,
| allowing attackers to send requests with extremely large numbers of
| parameters. The vulnerability arises because `Rack::QueryParser`
| iterates over each `&`-separated key-value pair and adds it to a
| Hash without enforcing an upper bound on the total number of
| parameters. This allows an attacker to send a single request
| containing hundreds of thousands (or more) of parameters, which
| consumes excessive memory and CPU during parsing. An attacker can
| trigger denial of service by sending specifically crafted HTTP
| requests, which can cause memory exhaustion or pin CPU resources,
| stalling or crashing the Rack server. This results in full service
| disruption until the affected worker is restarted. Versions 2.2.14,
| 3.0.16, and 3.1.14 fix the issue. Some other mitigations are
| available. One may use middleware to enforce a maximum query string
| size or parameter count, or employ a reverse proxy (such as Nginx)
| to limit request sizes and reject oversized query strings or bodies.
| Limiting request body sizes and query string lengths at the web
| server or CDN level is an effective mitigation.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-46727
    https://www.cve.org/CVERecord?id=CVE-2025-46727
[1] https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx
[2] https://github.com/rack/rack/commit/cd6b70a1f2a1016b73dc906f924869f4902c2d74

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
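The advisory quoted above names a middleware that enforces a maximum query string size or parameter count as an interim mitigation. The following is an added illustration of that idea, not code from this report or from the Rack project: a plain-Ruby middleware that follows the Rack `call(env)` contract, bounds the byte length and the `&`-separated pair count of `QUERY_STRING` and of an `application/x-www-form-urlencoded` body, and rejects the request before any parser builds a Hash from it. The class name `ParamCountLimiter`, the limits, the status codes, and the `DEMO_APP`/`demo_status` helpers are constructed for the example; the defaults should be sized to the application.

```ruby
require 'stringio'

# Rack-style middleware (example, not part of Rack) that bounds the number of
# query-string and form-body parameters before the application, and therefore
# Rack::QueryParser, ever parses them. Only the Rack call(env) contract is used.
class ParamCountLimiter
  # Limits are constructed defaults for this example; tune them per application.
  def initialize(app, max_params: 1000, max_query_bytes: 64 * 1024, max_body_bytes: 1024 * 1024)
    @app = app
    @max_params = max_params
    @max_query_bytes = max_query_bytes
    @max_body_bytes = max_body_bytes
  end

  # Upper bound on the number of '&'-separated pairs in a string. Counting the
  # separator is O(n) time and O(1) memory, unlike splitting into an Array.
  # (Rack 2.x also accepted ';' as a separator; this example assumes '&'.)
  def self.param_count(str)
    return 0 if str.nil? || str.empty?
    str.count('&') + 1
  end

  def call(env)
    query = env['QUERY_STRING'].to_s
    return reject(414, 'query string too long') if query.bytesize > @max_query_bytes
    return reject(413, 'too many query parameters') if self.class.param_count(query) > @max_params

    if form_urlencoded?(env)
      # Trust the declared length only as an early exit; still read with a cap.
      return reject(413, 'request body too large') if env['CONTENT_LENGTH'].to_i > @max_body_bytes

      input = env['rack.input']
      body = input ? input.read(@max_body_bytes + 1).to_s : ''
      return reject(413, 'request body too large') if body.bytesize > @max_body_bytes
      return reject(413, 'too many form parameters') if self.class.param_count(body) > @max_params

      # The original stream was consumed; hand the app a fresh, rewound copy.
      env['rack.input'] = StringIO.new(body)
    end

    @app.call(env)
  end

  private

  def form_urlencoded?(env)
    env['CONTENT_TYPE'].to_s.downcase.start_with?('application/x-www-form-urlencoded')
  end

  # Rack 3 requires lowercase header names in responses.
  def reject(status, message)
    [status, { 'content-type' => 'text/plain', 'content-length' => message.bytesize.to_s }, [message]]
  end
end

# Minimal downstream application used only for the demonstration.
DEMO_APP = ->(_env) { [200, { 'content-type' => 'text/plain' }, ['ok']] }

# Builds a constructed Rack env (GET with a query string, or a form POST) and
# returns the HTTP status the limiter produces for it.
def demo_status(query: '', body: nil, max_params: 1000)
  env = { 'REQUEST_METHOD' => body ? 'POST' : 'GET', 'QUERY_STRING' => query }
  if body
    env['CONTENT_TYPE'] = 'application/x-www-form-urlencoded'
    env['CONTENT_LENGTH'] = body.bytesize.to_s
    env['rack.input'] = StringIO.new(body)
  end
  ParamCountLimiter.new(DEMO_APP, max_params: max_params).call(env).first
end

if __FILE__ == $PROGRAM_NAME
  puts demo_status(query: 'a=1&b=2')                               # 200
  puts demo_status(query: Array.new(2000) { 'a=b' }.join('&'))     # 413
  puts demo_status(body: Array.new(2000) { 'a=b' }.join('&'))      # 413
end
```

Mount it ahead of anything that touches `params` (for example as the first `use` in `config.ru`). It complements, rather than replaces, the request-size limits the advisory recommends at the reverse proxy or CDN, and the real fix remains upgrading to a Rack release that enforces its own bound.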