Rack is a modular Ruby web server interface. Prior to version 2.2.18, Rack::QueryParser enforces its params_limit only for parameters separated by &, while still splitting on both & and ;. As a result, attackers could use ; separators to bypass the parameter count limit and submit more parameters than intended. Applications or middleware that directly invoke Rack::QueryParser with its default configuration (no explicit delimiter) could be exposed to increased CPU and memory consumption. This can be abused as a limited denial-of-service vector. This issue has been patched in version 2.2.18.
{
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/59xxx/CVE-2025-59830.json",
"cna_assigner": "GitHub_M"
}{
"cpe": "cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*",
"source": [
"CPE_RANGE",
"REFERENCES"
],
"extracted_events": [
{
"introduced": "0"
},
{
"fixed": "2.2.18"
}
]
}