DEBIAN-CVE-2025-61772

See a problem?
Please try reporting it to the source first.
Source
https://security-tracker.debian.org/tracker/CVE-2025-61772
Import Source
https://storage.googleapis.com/debian-osv/debian-cve-osv/DEBIAN-CVE-2025-61772.json
JSON Data
https://api.osv.dev/v1/vulns/DEBIAN-CVE-2025-61772
Upstream
Published
2025-10-07T15:16:03Z
Modified
2025-10-08T09:17:23.187858Z
Summary
[none]
Details

Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, Rack::Multipart::Parser can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line (CRLFCRLF). The parser keeps appending incoming bytes to memory without a size cap, allowing a remote attacker to exhaust memory and cause a denial of service (DoS). Attackers can send incomplete multipart headers to trigger high memory use, leading to process termination (OOM) or severe slowdown. The effect scales with request size limits and concurrency. All applications handling multipart uploads may be affected. Versions 2.2.19, 3.1.17, and 3.2.2 cap per-part header size (e.g., 64 KiB). As a workaround, restrict maximum request sizes at the proxy or web server layer (e.g., Nginx client_max_body_size).

References

Affected packages

Debian:11 / ruby-rack

Package

Name
ruby-rack
Purl
pkg:deb/debian/ruby-rack?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.1.4-3
2.1.4-3+deb11u1
2.1.4-3+deb11u2
2.1.4-3+deb11u3
2.1.4-4
2.1.4-5
2.2.3-1
2.2.3-2
2.2.3-3
2.2.3-4
2.2.4-1
2.2.4-2
2.2.4-3
2.2.6.4-1
2.2.7-1
2.2.7-1.1
2.2.13-1~deb12u1

3.*

3.0.0-1
3.0.8-1
3.0.8-2
3.0.8-3
3.0.8-4
3.1.9-1~exp1
3.1.9-2
3.1.12-1
3.1.12-2~exp1
3.1.16-0.1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:12 / ruby-rack

Package

Name
ruby-rack
Purl
pkg:deb/debian/ruby-rack?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.2.6.4-1
2.2.6.4-1+deb12u1
2.2.7-1
2.2.7-1.1
2.2.13-1~deb12u1

3.*

3.0.0-1
3.0.8-1
3.0.8-2
3.0.8-3
3.0.8-4
3.1.9-1~exp1
3.1.9-2
3.1.12-1
3.1.12-2~exp1
3.1.16-0.1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:13 / ruby-rack

Package

Name
ruby-rack
Purl
pkg:deb/debian/ruby-rack?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.1.16-0.1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}

Debian:14 / ruby-rack

Package

Name
ruby-rack
Purl
pkg:deb/debian/ruby-rack?arch=source

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected

Affected versions

3.*

3.1.16-0.1

Ecosystem specific 

{
    "urgency": "not yet assigned"
}