GHSA-625h-95r8-8xpm

Suggest an improvement
Source
https://github.com/advisories/GHSA-625h-95r8-8xpm
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/09/GHSA-625h-95r8-8xpm/GHSA-625h-95r8-8xpm.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-625h-95r8-8xpm
Aliases
Downstream
Published
2025-09-25T16:39:27Z
Modified
2025-09-25T17:57:26.368795Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Rack has an unsafe default in Rack::QueryParser allows params_limit bypass via semicolon-separated parameters
Details

Summary

Rack::QueryParser in version < 2.2.18 enforces its params_limit only for parameters separated by &, while still splitting on both & and ;. As a result, attackers could use ; separators to bypass the parameter count limit and submit more parameters than intended.

Details

The issue arises because Rack::QueryParser#check_query_string counts only & characters when determining the number of parameters, but the default separator regex DEFAULT_SEP = /[&;] */n splits on both & and ;. This mismatch means that queries using ; separators were not included in the parameter count, allowing params_limit to be bypassed.

Other safeguards (bytesize_limit and key_space_limit) still applied, but did not prevent this particular bypass.

Impact

Applications or middleware that directly invoke Rack::QueryParser with its default configuration (no explicit delimiter) could be exposed to increased CPU and memory consumption. This can be abused as a limited denial-of-service vector.

Rack::Request, the primary entry point for typical Rack applications, uses QueryParser in a safe way and does not appear vulnerable by default. As such, the severity is considered low, with the impact limited to edge cases where QueryParser is used directly.

Mitigation

  • Upgrade to a patched version of Rack where both & and ; are counted consistently toward params_limit.
  • If upgrading is not immediately possible, configure QueryParser with an explicit delimiter (e.g., &) to avoid the mismatch.
  • As a general precaution, enforce query string and request size limits at the web server or proxy layer (e.g., Nginx, Apache, or a CDN) to mitigate excessive parsing overhead.
Database specific 
{
    "severity": "HIGH",
    "github_reviewed": true,
    "nvd_published_at": "2025-09-25T15:16:13Z",
    "github_reviewed_at": "2025-09-25T16:39:27Z",
    "cwe_ids": [
        "CWE-400",
        "CWE-770"
    ]
}
References

Affected packages

RubyGems / rack

Package

Name
rack
Purl
pkg:gem/rack

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
2.2.18

Affected versions

0.*

0.1.0
0.2.0
0.3.0
0.4.0
0.9.0
0.9.1

1.*

1.0.0
1.0.1
1.1.0
1.1.1.pre
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
1.3.0.beta
1.3.0.beta2
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.3.8
1.3.9
1.3.10
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.4.7
1.5.0.beta.1
1.5.0.beta.2
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.6.0.beta
1.6.0.beta2
1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7
1.6.8
1.6.9
1.6.10
1.6.11
1.6.12
1.6.13

2.*

2.0.0.alpha
2.0.0.rc1
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.9.1
2.0.9.2
2.0.9.3
2.0.9.4
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.4.1
2.1.4.2
2.1.4.3
2.1.4.4
2.2.0
2.2.1
2.2.2
2.2.3
2.2.3.1
2.2.4
2.2.5
2.2.6
2.2.6.1
2.2.6.2
2.2.6.3
2.2.6.4
2.2.7
2.2.8
2.2.8.1
2.2.9
2.2.10
2.2.11
2.2.12
2.2.13
2.2.14
2.2.15
2.2.16
2.2.17