Rack’s multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)_CVE-2025-61771

{
    "lastseen": "",
    "description": "Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, ``Rack::Multipart::Parser` stores non-file form fields (parts without a `filename`) entirely in memory as Ruby `String` objects. A single large text field in a multipart/form-data request (hundreds of megabytes or more) can consume equivalent process memory, potentially leading to out-of-memory (OOM) conditions and denial of service (DoS). Attackers can send large non-file fields to trigger excessive memory usage. Impact scales with request size and concurrency, potentially leading to worker crashes or severe garbage-collection overhead. All Rack applications processing multipart form submissions are affected. Versions 2.2.19, 3.1.17, and 3.2.2 enforce a reasonable size cap for non-file fields (e.g., 2 MiB). Workarounds include restricting maximum request body size at the web-server or proxy layer (e.g., Nginx `client_max_body_size`) and validating and rejecting unusually large form fields at the application level.",
    "published": "2025-10-07T14:42:53.366Z",
    "modified": "2025-10-07T14:42:53.366Z",
    "type": "cve",
    "title": "Rack's multipart parser buffers large non\u2011file fields entirely in memory, enabling DoS (memory exhaustion)",
    "source": "GitHub_M",
    "references": "https://github.com/rack/rack/security/advisories/GHSA-w9pc-fmgc-vxvw\nhttps://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e\nhttps://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e\nhttps://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd",
    "id": "CVE-2025-61771",
    "bulletinFamily": "",
    "cwe": [
        "CWE-400"
    ],
    "cvelist": null,
    "sourceData": "rack rack < 2.2.19\nrack rack >= 3.1, < 3.1.17\nrack rack >= 3.2, < 3.2.2",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "rack",
    "version": "< 2.2.19",
    "vendor": "rack",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}