-
-
Notifications
You must be signed in to change notification settings - Fork 231
Expand file tree
/
Copy pathCVE-2025-61770.yml
More file actions
61 lines (51 loc) · 2.19 KB
/
CVE-2025-61770.yml
File metadata and controls
61 lines (51 loc) · 2.19 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
---
gem: rack
cve: 2025-61770
ghsa: p543-xpfm-54cp
url: https://github.com/rack/rack/security/advisories/GHSA-p543-xpfm-54cp
title: Rack's unbounded multipart preamble buffering enables
DoS (memory exhaustion)
date: 2025-10-07
description: |
## Summary
`Rack::Multipart::Parser` buffers the entire multipart **preamble**
(bytes before the first boundary) in memory without any size limit.
A client can send a large preamble followed by a valid boundary,
causing significant memory use and potential process termination
due to out-of-memory (OOM) conditions.
## Details
While searching for the first boundary, the parser appends incoming
data into a shared buffer (`@sbuf.concat(content)`) and scans for
the boundary pattern:
```ruby
@sbuf.scan_until(@body_regex)
```
If the boundary is not yet found, the parser continues buffering
data indefinitely. There is no trimming or size cap on the preamble,
allowing attackers to send arbitrary amounts of data before the
first boundary.
## Impact
Remote attackers can trigger large transient memory spikes by
including a long preamble in multipart/form-data requests. The
impact scales with allowed request sizes and concurrency, potentially
causing worker crashes or severe slowdown due to garbage collection.
## Mitigation
* **Upgrade:** Use a patched version of Rack that enforces a preamble
size limit (e.g., 16 KiB) or discards preamble data entirely per
[RFC 2046 § 5.1.1](https://www.rfc-editor.org/rfc/rfc2046.html#section-5.1.1).
* **Workarounds:**
* Limit total request body size at the proxy or web server level.
* Monitor memory and set per-process limits to prevent OOM conditions.
cvss_v3: 7.5
patched_versions:
- "~> 2.2.19"
- "~> 3.1.17"
- ">= 3.2.2"
related:
url:
- https://nvd.nist.gov/vuln/detail/CVE-2025-61770
- https://github.com/rack/rack/security/advisories/GHSA-p543-xpfm-54cp
- https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e
- https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e
- https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd
- https://github.com/advisories/GHSA-p543-xpfm-54cp