CVE-2025-61771

Source
https://cve.org/CVERecord?id=CVE-2025-61771
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-61771.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2025-61771
Aliases
Downstream
Related
Published
2025-10-07T14:42:53.366Z
Modified
2026-04-02T12:57:48.354431Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
Rack's multipart parser buffers large non-file fields entirely in memory, enabling DoS (memory exhaustion)
Details

Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` stores non-file form fields (parts without a filename) entirely in memory as Ruby String objects. A single large text field in a multipart/form-data request (hundreds of megabytes or more) can consume an equivalent amount of process memory, potentially leading to out-of-memory (OOM) conditions and denial of service (DoS). Attackers can send large non-file fields to trigger excessive memory usage. Impact scales with request size and concurrency, potentially leading to worker crashes or severe garbage-collection overhead. All Rack applications processing multipart form submissions are affected. Versions 2.2.19, 3.1.17, and 3.2.2 enforce a reasonable size cap for non-file fields (e.g., 2 MiB). Workarounds include restricting the maximum request body size at the web-server or proxy layer (e.g., Nginx `client_max_body_size`) and validating and rejecting unusually large form fields at the application level.
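The two workarounds above, as an added example that is not Rack's own code: a Rack-compatible middleware that rejects oversized or length-less multipart bodies before the parser runs, plus a helper that flags non-file fields above a cap in already-parsed params. The class name, the caps and the 411/413 responses are assumptions; only the Rack calling convention is used, so the rack gem is not required to run it.

```ruby
# Hypothetical middleware (added example, not part of Rack) applying the advisory's
# workarounds: cap the whole multipart body up front, then cap individual non-file
# fields after parsing. Caps are assumptions; the field cap mirrors the fix's 2 MiB.
class MultipartSizeGuard
  MAX_BODY_BYTES  = 8 * 1024 * 1024  # assumed whole-body cap (8 MiB)
  MAX_FIELD_BYTES = 2 * 1024 * 1024  # same order as the cap the fixed versions enforce

  def initialize(app, max_body: MAX_BODY_BYTES, max_field: MAX_FIELD_BYTES)
    @app = app
    @max_body = max_body
    @max_field = max_field
  end

  # Rack entry point: only multipart requests are gated; everything else passes.
  def call(env)
    multipart = env['CONTENT_TYPE'].to_s.downcase.start_with?('multipart/form-data')
    if multipart
      # Without a Content-Length the parser could buffer an unbounded stream.
      return reject(411, 'Content-Length required') if env['CONTENT_LENGTH'].nil?
      return reject(413, 'request body too large') if env['CONTENT_LENGTH'].to_i > @max_body
    end
    @app.call(env)
  end

  # Walks parsed form params (nested Hash/Array as Rack::Request#POST returns them)
  # and lists the keys of non-file fields larger than max_field. File uploads are
  # Hashes carrying a :tempfile entry and are skipped; only String values count.
  def self.oversized_fields(params, max_field = MAX_FIELD_BYTES, prefix = '')
    params.flat_map do |key, value|
      path = prefix.empty? ? key.to_s : "#{prefix}[#{key}]"
      case value
      when String then value.bytesize > max_field ? [path] : []
      when Hash   then value.key?(:tempfile) ? [] : oversized_fields(value, max_field, path)
      when Array  then value.each_with_index.flat_map { |v, i| oversized_fields({ i => v }, max_field, path) }
      else []
      end
    end
  end

  private

  # Minimal Rack response triple for a rejected request.
  def reject(status, message)
    body = "#{message}\n"
    [status, { 'content-type' => 'text/plain', 'content-length' => body.bytesize.to_s }, [body]]
  end
end
```

The body cap is a coarse first line of defence; the per-field check is what an application would run on its parsed params to refuse a single oversized text field while still allowing legitimate file uploads.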

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/61xxx/CVE-2025-61771.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-400"
    ]
}
References

Affected packages

Git / github.com/rack/rack

Affected ranges

Type
GIT
Repo
https://github.com/rack/rack
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.2.19"
        }
    ]
}
Type
GIT
Repo
https://github.com/rack/rack
Events
Database specific
{
    "versions": [
        {
            "introduced": "3.1"
        },
        {
            "fixed": "3.1.17"
        }
    ]
}
Type
GIT
Repo
https://github.com/rack/rack
Events
Database specific
{
    "versions": [
        {
            "introduced": "3.2"
        },
        {
            "fixed": "3.2.2"
        }
    ]
}

Affected versions

0.*
0.1
0.2
0.3
0.4
0.9
0.9.1
1.*
1.0
1.0.1
1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.2
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
1.3.0
1.3.0.beta
1.3.0.beta2
1.3.1
1.3.10
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.3.8
1.3.9
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.4.7
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.6.0
1.6.0.beta
1.6.0.beta2
1.6.1
1.6.10
1.6.11
1.6.12
1.6.13
1.6.2
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7
1.6.8
1.6.9
2.*
2.0.0
2.0.0.alpha
2.0.0.rc1
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.9.1
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.4.1
2.2.0
2.2.3
2.2.3.1
2.2.4
3.*
3.0.0
3.0.0.beta1
3.0.0.rc1
Other
test
v2.*
v2.0.9.2
v2.0.9.3
v2.0.9.4
v2.1.4.2
v2.1.4.3
v2.1.4.4
v2.2.1
v2.2.10
v2.2.11
v2.2.12
v2.2.13
v2.2.14
v2.2.15
v2.2.16
v2.2.17
v2.2.18
v2.2.2
v2.2.5
v2.2.6
v2.2.6.1
v2.2.6.2
v2.2.6.3
v2.2.6.4
v2.2.7
v2.2.8
v2.2.8.1
v2.2.9
v3.*
v3.0.1
v3.0.10
v3.0.12
v3.0.13
v3.0.14
v3.0.15
v3.0.16
v3.0.17
v3.0.18
v3.0.2
v3.0.3
v3.0.4
v3.0.4.1
v3.0.4.2
v3.0.5
v3.0.6
v3.0.6.1
v3.0.7
v3.0.8
v3.0.9
v3.0.9.1
v3.1.0
v3.1.1
v3.1.10
v3.1.11
v3.1.12
v3.1.13
v3.1.14
v3.1.15
v3.1.16
v3.1.17
v3.1.18
v3.1.19
v3.1.2
v3.1.20
v3.1.21
v3.1.3
v3.1.4
v3.1.5
v3.1.6
v3.1.7
v3.1.8
v3.1.9
v3.2.0
v3.2.1
v3.2.2
v3.2.3
v3.2.4
v3.2.5
v3.2.6

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-61771.json"