CVE-2025-61771
Denial of Service vulnerability in rack (RubyGems)

Category: Denial of Service. Known public exploit: none.

What is CVE-2025-61771 About?

This Denial of Service (DoS) vulnerability in `Rack::Multipart::Parser` allows attackers to exhaust server memory. When a client sends large non-file multipart form fields, the parser buffers them entirely in memory, which can lead to an out-of-memory condition and potentially crash the server. It is relatively easy to exploit, requiring only the ability to send large HTTP requests.

Affected Software

  • rack
    • >=3.1, <3.1.17
    • >=3.2, <3.2.2
    • <2.2.19

Technical Details

The vulnerability in `Rack::Multipart::Parser` occurs because non-file form fields within a `multipart/form-data` request are entirely buffered into memory as Ruby `String` objects, rather than being streamed to disk like file parts. The implementation explicitly assigns `body = String.new` for non-file parts and then appends content to this in-RAM buffer without any size limits. An attacker can craft a request containing one or more extremely large text fields (e.g., hundreds of megabytes). When the Rack application processes this request, the parser attempts to load these large fields completely into the process's memory. This excessive memory consumption can quickly lead to out-of-memory (OOM) conditions, causing the Rack process (and potentially the entire web server) to crash or become unresponsive, resulting in a Denial of Service.

What is the Impact of CVE-2025-61771?

Successful exploitation may allow attackers to cause server crashes, lead to service unavailability, or significantly degrade application performance by exhausting memory resources.

What is the Exploitability of CVE-2025-61771?

Exploitation of this vulnerability is relatively easy, requiring low technical skill. It is an unauthenticated remote attack; the attacker only needs to be able to send HTTP POST requests to a Rack application that processes multipart forms. No specific privileges are needed on the target system. The primary prerequisite is the ability to send requests with large text fields in the multipart body without being blocked by an upstream proxy or web server. The complexity lies mainly in crafting the large request, which is trivial. Risk is higher for applications that widely accept multipart form data, especially if they are publicly exposed without rate limiting or request body size limits enforced by a web server (such as Nginx's `client_max_body_size`).
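The two mitigations mentioned above, a request body size limit and a guard in front of the multipart parser, can also be applied inside the application. The middleware below is an added defensive example written for this page; it is not code from the rack project or from this advisory. It rejects a multipart request with HTTP 413 when the declared `Content-Length` exceeds a limit, and, for bodies sent without a `Content-Length` (chunked transfer), wraps `rack.input` in a counting reader that aborts once more bytes than the limit have been read. The 10 MiB default, the `MultipartBodyLimit` and `LimitedInput` names, the sample body and the `multipart_status` helper are all assumptions made for illustration.

```ruby
require 'stringio'

# Added example, not Rack's own code: a Rack middleware that bounds the size of
# multipart/form-data request bodies before Rack::Multipart::Parser consumes them.
class MultipartBodyLimit
  class TooLarge < StandardError; end

  # Wraps rack.input and raises once more than `limit` bytes have been read in
  # the current pass, so bodies without a Content-Length header are bounded too.
  class LimitedInput
    def initialize(io, limit)
      @io = io
      @limit = limit
      @bytes = 0
    end

    def read(length = nil, outbuf = nil)
      chunk = outbuf ? @io.read(length, outbuf) : @io.read(length)
      account(chunk)
    end

    def gets(*args)
      account(@io.gets(*args))
    end

    def rewind
      @bytes = 0 # a re-read after rewind is counted afresh
      @io.rewind
    end

    def close
      @io.close if @io.respond_to?(:close)
    end

    private

    def account(data)
      @bytes += data.bytesize if data
      raise TooLarge if @bytes > @limit
      data
    end
  end

  DEFAULT_LIMIT = 10 * 1024 * 1024 # 10 MiB, an assumed limit chosen for illustration

  def initialize(app, limit: DEFAULT_LIMIT)
    @app = app
    @limit = limit
  end

  def call(env)
    return @app.call(env) unless multipart?(env)

    # Fast path: a declared Content-Length above the limit is rejected before a
    # single byte of the body is read.
    return reject if env['CONTENT_LENGTH'].to_i > @limit

    env['rack.input'] = LimitedInput.new(env['rack.input'], @limit)
    @app.call(env)
  rescue TooLarge
    reject
  end

  private

  def multipart?(env)
    env['CONTENT_TYPE'].to_s.downcase.start_with?('multipart/form-data')
  end

  def reject
    body = "Request body too large\n"
    [413, { 'content-type' => 'text/plain', 'content-length' => body.bytesize.to_s }, [body]]
  end
end

# Constructed sample body: one small non-file field, as a browser would send it.
SMALL_BODY = "------ExampleBoundary\r\n" \
             "Content-Disposition: form-data; name=\"note\"\r\n\r\n" \
             "hello\r\n" \
             "------ExampleBoundary--\r\n"

# Builds a minimal Rack env around `body` and returns the status the middleware
# produces in front of an app that reads the whole body, as a multipart parser would.
def multipart_status(body, limit:, declare_length: true)
  app = lambda do |env|
    env['rack.input'].read
    [200, { 'content-type' => 'text/plain' }, ['ok']]
  end
  env = {
    'REQUEST_METHOD' => 'POST',
    'CONTENT_TYPE' => 'multipart/form-data; boundary=----ExampleBoundary',
    'rack.input' => StringIO.new(body)
  }
  env['CONTENT_LENGTH'] = body.bytesize.to_s if declare_length
  MultipartBodyLimit.new(app, limit: limit).call(env).first
end

if __FILE__ == $PROGRAM_NAME
  puts multipart_status(SMALL_BODY, limit: 1024)                        # 200
  puts multipart_status('x' * 2048, limit: 1024)                        # 413 via Content-Length
  puts multipart_status('x' * 2048, limit: 1024, declare_length: false) # 413 via counted reads
end
```

In a `config.ru` this sits above the application with `use MultipartBodyLimit, limit: 10 * 1024 * 1024`. It bounds the whole multipart body, not individual fields, so it limits how much the vulnerable parser can buffer rather than fixing the parser; the `rescue` only catches reads that happen during `call`, which is where Rack parses params. Upgrading to a fixed rack version remains the actual fix, and an upstream limit such as Nginx's `client_max_body_size` rejects oversized bodies before they reach the Ruby process at all.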

What are the Known Public Exploits?

PoC | Author | Link | Commentary
No known exploits

What are the Available Fixes for CVE-2025-61771?

Available Upgrade Options

  • rack
    • <2.2.19 → Upgrade to 2.2.19
    • >=3.1, <3.1.17 → Upgrade to 3.1.17
    • >=3.2, <3.2.2 → Upgrade to 3.2.2


Additional Resources

What are Similar Vulnerabilities to CVE-2025-61771?

Similar Vulnerabilities: CVE-2023-27530, CVE-2022-26138, CVE-2018-3741, CVE-2016-6582, CVE-2013-0333