CVE-2025-27219

See a problem?
Please try reporting it to the source first.

Source

https://nvd.nist.gov/vuln/detail/CVE-2025-27219

Import Source

https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-27219.json

JSON Data

https://api.osv.dev/v1/vulns/CVE-2025-27219

Aliases

GHSA-gh9q-2xrm-x6qv

Related

Published

2025-03-04T00:15:31Z

Modified

2025-03-10T23:44:46.520766Z

Severity

7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator

Summary

[none]

Details

In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Service (DoS) vulnerability. The method does not impose any limit on the length of the raw cookie value it processes. This oversight can lead to excessive resource consumption when parsing extremely large cookies.

References

Affected packages

Debian:11 / ruby2.7

Package

Name: ruby2.7
Purl: pkg:deb/debian/ruby2.7?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.7.4-1+deb11u5

Affected versions

2.*

2.7.4-1

2.7.4-1+deb11u1

2.7.4-1+deb11u2

2.7.4-1+deb11u3

2.7.4-1+deb11u4

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:12 / ruby3.1

Package

Name: ruby3.1
Purl: pkg:deb/debian/ruby3.1?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.1.2-7

3.1.2-7+deb12u1

3.1.2-7+hurd.1

3.1.2-8

3.1.2-8.1~exp1

3.1.2-8.3

3.1.2-8.4

3.1.2-8.5

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Debian:13 / ruby3.3

Package

Name: ruby3.3
Purl: pkg:deb/debian/ruby3.3?arch=source

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.3.1-1

3.3.1-2

3.3.1-3

3.3.1-4

3.3.1-5

3.3.1-6

3.3.4-1

3.3.4-2

3.3.4-2+hurd.1

3.3.5-1

3.3.5-2

3.3.6-1

3.3.6-1.1

3.3.6-1.1+hurd.1

3.3.6-1.1+ports

3.3.6-1.1+x32

3.3.7-1

Ecosystem specific

{
    "urgency": "not yet assigned"
}

Git / github.com/ruby/cgi

Affected ranges

Type: GIT
Repo: https://github.com/ruby/cgi
Events: Introduced

0 Unknown introduced commit / All previous commits are affected

Fixed

9f7e78ece68a2cab7531d5e1111ec2e4d5344ad9

Affected versions

v0.*

v0.1.0

v0.2.0

v0.3.0

v0.3.1

v0.3.2

v0.3.3

v0.3.4

v0.3.5