CVE-2025-61919: Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing
Rack::Request#POST reads the entire request body into memory for Content-Type: application/x-www-form-urlencoded, calling rack.input.read(nil) without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion.
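The following is an added example, not code from the Rack project or from the advisory, showing one mitigation pattern for the behaviour described above: a Rack-style middleware that caps the size of an application/x-www-form-urlencoded body before a downstream Rack::Request#POST call can buffer it. It uses only the Rack spec environment keys (CONTENT_TYPE, CONTENT_LENGTH, rack.input); the class name, the limit value and the helper functions are assumptions made for the demonstration, and the sample bodies are constructed.

```ruby
# Added example (not Rack's own code): a Rack-style middleware that refuses to
# hand an oversized form-encoded body to the application, so a later
# Rack::Request#POST never reads an unbounded body into memory.
# Only Rack spec env keys are used; class name and limit are assumptions.
require 'stringio'

class FormBodyLimit
  DEFAULT_LIMIT = 1024 * 1024 # 1 MiB; assumed value, tune per deployment

  def initialize(app, limit: DEFAULT_LIMIT)
    @app = app
    @limit = limit
  end

  def call(env)
    return @app.call(env) unless form_urlencoded?(env)

    # Fast path: a declared Content-Length above the cap is rejected outright,
    # before a single body byte is read.
    declared = env['CONTENT_LENGTH']
    return too_large if declared && declared.to_i > @limit

    # Slow path: chunked or unlabelled bodies. Read at most limit+1 bytes so
    # "exactly at the limit" can be told apart from "over the limit" without
    # buffering an unbounded stream.
    body = env['rack.input'].read(@limit + 1) || ''
    return too_large if body.bytesize > @limit

    # Hand the app a bounded, rewindable copy with a trustworthy length.
    env['rack.input'] = StringIO.new(body)
    env['CONTENT_LENGTH'] = body.bytesize.to_s
    @app.call(env)
  end

  private

  def form_urlencoded?(env)
    ctype = env['CONTENT_TYPE'].to_s
    ctype.split(';').first.to_s.strip.downcase == 'application/x-www-form-urlencoded'
  end

  def too_large
    [413, { 'content-type' => 'text/plain' }, ['Payload Too Large']]
  end
end

# Builds a minimal Rack env for a form POST (constructed sample input).
def form_env(body, declare_length: true)
  env = {
    'REQUEST_METHOD' => 'POST',
    'CONTENT_TYPE' => 'application/x-www-form-urlencoded',
    'rack.input' => StringIO.new(body)
  }
  env['CONTENT_LENGTH'] = body.bytesize.to_s if declare_length
  env
end

# Runs a stub app behind the middleware and reports the response status and
# how many body bytes the app was actually allowed to read (nil if rejected).
def run_with_limit(body, limit, declare_length: true)
  seen = nil
  app = lambda do |env|
    seen = env['rack.input'].read.bytesize
    [200, { 'content-type' => 'text/plain' }, ['ok']]
  end
  status, = FormBodyLimit.new(app, limit: limit).call(form_env(body, declare_length: declare_length))
  [status, seen]
end

if __FILE__ == $PROGRAM_NAME
  p run_with_limit('a=1&b=2', 64)                        # [200, 7]
  p run_with_limit('x' * 100, 64)                        # [413, nil]
  p run_with_limit('x' * 100, 64, declare_length: false) # [413, nil]
end
```

Mounting such a middleware ahead of the application is a stop-gap for deployments that cannot upgrade immediately; the fixed Rack releases referenced below address the parser itself. Note that the slow path still buffers up to the configured limit, so the limit should reflect the largest form submission the application legitimately expects.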
References
- github.com/advisories/GHSA-6xw4-3v39-52mm
- github.com/rack/rack
- github.com/rack/rack/commit/4e2c903991a790ee211a3021808ff4fd6fe82881
- github.com/rack/rack/commit/cbd541e8a3d0c5830a3c9a30d3718ce2e124f9db
- github.com/rack/rack/commit/e179614c4a653283286f5f046428cbb85f21146f
- github.com/rack/rack/security/advisories/GHSA-6xw4-3v39-52mm
- github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61919.yml
- nvd.nist.gov/vuln/detail/CVE-2025-61919