CVE-2025-46727: Rack has an Unbounded-Parameter DoS in Rack::QueryParser
Rack::QueryParser parses query strings and application/x-www-form-urlencoded bodies into Ruby data structures without imposing any limit on the number of parameters, so an attacker can send requests carrying an extremely large number of parameters and force the server to materialise every one of them.
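A Rack-style middleware, written here as an added example and not taken from Rack or from the advisory, that caps the parameter count before a request ever reaches Rack::QueryParser. It relies only on the standard Rack env keys (QUERY_STRING, CONTENT_TYPE, rack.input); the limit value and the class name are assumptions.

```ruby
require 'stringio'

# Rack-style middleware (added example, not from Rack or the advisory) that
# rejects a request carrying more than `limit` parameters before the request
# reaches Rack::QueryParser. Counts raw key=value segments in the query
# string and, for form posts, in the body; nothing is decoded or nested.
class ParamCountLimiter
  DEFAULT_LIMIT = 1000 # assumption: size this to the largest legitimate form
  FORM_TYPE = 'application/x-www-form-urlencoded'

  def initialize(app, limit: DEFAULT_LIMIT)
    @app = app
    @limit = limit
  end

  def call(env)
    count = self.class.count_pairs(env['QUERY_STRING'].to_s)
    if form_body?(env)
      # Rack 3 does not guarantee a rewindable rack.input, so read the body
      # once and hand the downstream app a fresh StringIO with the same bytes.
      body = env['rack.input'].read.to_s
      env['rack.input'] = StringIO.new(body)
      count += self.class.count_pairs(body)
    end
    return reject(count) if count > @limit
    @app.call(env)
  end

  # Number of non-empty '&'-separated segments, i.e. the number of
  # parameters the parser would have to build (Rack 3 no longer splits
  # on ';'). 'a=1&&b=2&' counts as 2.
  def self.count_pairs(str)
    return 0 if str.empty?
    str.split('&').count { |seg| !seg.empty? }
  end

  private

  def form_body?(env)
    media_type = env['CONTENT_TYPE'].to_s.split(';').first.to_s.strip.downcase
    media_type == FORM_TYPE && env['rack.input']
  end

  def reject(count)
    msg = "too many parameters (#{count} > #{@limit})\n"
    [413, { 'content-type' => 'text/plain', 'content-length' => msg.bytesize.to_s }, [msg]]
  end
end
```

Insert it ahead of anything that calls `Rack::Request#params`, and keep upgrading to a patched Rack release, since this only bounds the count, not the parser itself.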
References
- github.com/advisories/GHSA-gjh7-p2fx-99vx
- github.com/rack/rack
- github.com/rack/rack/commit/2bb5263b464b65ba4b648996a579dbd180d2b712
- github.com/rack/rack/commit/3f5a4249118d09d199fe480466c8c6717e43b6e3
- github.com/rack/rack/commit/cd6b70a1f2a1016b73dc906f924869f4902c2d74
- github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx
- github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-46727.yml
- nvd.nist.gov/vuln/detail/CVE-2025-46727