DEBIAN-CVE-2025-61772

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2025-61772
Import Source
https://storage.googleapis.com/osv-test-debian-osv/debian-cve-osv/DEBIAN-CVE-2025-61772.json
JSON Data
https://api.test.osv.dev/v1/vulns/DEBIAN-CVE-2025-61772
Upstream
Downstream
Published
2025-10-07T15:16:03Z
Modified
2025-11-03T23:30:47.030707Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
[none]
Details

Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, Rack::Multipart::Parser can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line (CRLFCRLF). The parser keeps appending incoming bytes to memory without a size cap, allowing a remote attacker to exhaust memory and cause a denial of service (DoS). Attackers can send incomplete multipart headers to trigger high memory use, leading to process termination (OOM) or severe slowdown. The effect scales with request size limits and concurrency. All applications handling multipart uploads may be affected. Versions 2.2.19, 3.1.17, and 3.2.2 cap per-part header size (e.g., 64 KiB). As a workaround, restrict maximum request sizes at the proxy or web server layer (e.g., Nginx client_max_body_size).

References

Affected packages

Debian:11 / ruby-rack

Package

Name
ruby-rack
Purl
pkg:deb/debian/ruby-rack?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.1.4-3+deb11u4

Affected versions

2.*

2.1.4-3
2.1.4-3+deb11u1
2.1.4-3+deb11u2
2.1.4-3+deb11u3

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:12 / ruby-rack

Package

Name
ruby-rack
Purl
pkg:deb/debian/ruby-rack?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.2.20-0+deb12u1

Affected versions

2.*

2.2.6.4-1
2.2.6.4-1+deb12u1
2.2.7-1
2.2.7-1.1
2.2.13-1~deb12u1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / ruby-rack

Package

Name
ruby-rack
Purl
pkg:deb/debian/ruby-rack?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.1.18-1~deb13u1

Affected versions

3.*

3.1.16-0.1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:14 / ruby-rack

Package

Name
ruby-rack
Purl
pkg:deb/debian/ruby-rack?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.1.18-1

Affected versions

3.*

3.1.16-0.1
3.1.18-1~deb13u1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}