CVE-2025-59830: Rack has an unsafe default in Rack::QueryParser allows params_limit bypass via semicolon-separated parameters

September 25, 2025

Rack::QueryParser in version < 2.2.18 enforces its params_limit only for parameters separated by &, while still splitting on both & and ;. As a result, attackers could use ; separators to bypass the parameter count limit and submit more parameters than intended.

References

github.com/advisories/GHSA-625h-95r8-8xpm
github.com/rack/rack
github.com/rack/rack/commit/54e4ffdd5affebcb0c015cc6ae74635c0831ed71
github.com/rack/rack/security/advisories/GHSA-625h-95r8-8xpm
nvd.nist.gov/vuln/detail/CVE-2025-59830

Code Behaviors & Features

Detect and mitigate CVE-2025-59830 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →