CVE-2025-46727
📋 TL;DR
This vulnerability in Rack's query parser allows attackers to send HTTP requests with extremely large numbers of parameters, causing memory exhaustion and CPU resource consumption. This leads to denial of service where affected Rack servers can stall or crash, requiring worker restarts. All applications using vulnerable Rack versions are affected.
💻 Affected Systems
- Rack
📦 What is this software?
Rack by Rack
Rack by Rack
Rack by Rack
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption with server crashes, requiring manual intervention to restart workers, potentially affecting all users of the application.
Likely Case
Degraded performance or temporary service unavailability for affected workers, with some requests failing or timing out.
If Mitigated
Minimal impact with proper request size limits in place; oversized requests are rejected before reaching the vulnerable parser.
🎯 Exploit Status
Exploitation requires only sending HTTP requests with many parameters; no authentication or special privileges needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Rack 2.2.14, 3.0.16, or 3.1.14
Vendor Advisory: https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx
Restart Required: Yes
Instructions:
1. Update Gemfile to specify rack >= 2.2.14, >= 3.0.16, or >= 3.1.14 depending on major version. 2. Run 'bundle update rack'. 3. Restart the application server.
🔧 Temporary Workarounds
Middleware parameter limit
allAdd custom middleware to limit maximum number of parameters before Rack::QueryParser processes them
# Add to config/application.rb or middleware stack
class ParameterLimitMiddleware
MAX_PARAMS = 1000
def initialize(app)
@app = app
end
def call(env)
query_string = env['QUERY_STRING']
if query_string && query_string.count('&') > MAX_PARAMS
return [413, {}, ['Request Entity Too Large']]
end
@app.call(env)
end
end
Nginx request size limit
linuxConfigure Nginx reverse proxy to limit request body and query string sizes
# In nginx.conf server block
client_max_body_size 1M;
large_client_header_buffers 4 8k;
# Or limit specific location
location / {
client_max_body_size 100k;
}
🧯 If You Can't Patch
- Implement reverse proxy (Nginx, Apache) with strict request size limits to reject oversized requests before they reach Rack
- Deploy Web Application Firewall (WAF) rules to detect and block requests with excessive parameters
🔍 How to Verify
Check if Vulnerable:
Check Rack version in Gemfile.lock or run 'bundle show rack' and compare against vulnerable versions (<2.2.14, <3.0.16, <3.1.14)Check Version:
bundle show rack | grep rackVerify Fix Applied:
Confirm Rack version is 2.2.14, 3.0.16, or 3.1.14 or higher using 'bundle show rack'📡 Detection & Monitoring
Log Indicators:
- Unusually large number of parameters in request logs
- High memory usage spikes
- Application server restarts/crashes
- 413 Request Entity Too Large errors
Network Indicators:
- HTTP requests with extremely long query strings
- Requests with many & separators in URLs
SIEM Query:
source="application.log" AND ("parameters count:" > 1000 OR "query string length:" > 10000)