CVE-2025-61772

CVSS: 7.5 HIGH

📋 TL;DR

This vulnerability in Rack's multipart parser (Rack::Multipart) lets an unauthenticated remote attacker cause denial of service by sending a multipart/form-data request whose part header block is never terminated (or is arbitrarily long). The parser buffers header bytes until it sees the blank line that ends the header block, and the vulnerable versions never cap that buffer, so memory grows with whatever the client keeps streaming until the worker is exhausted or killed. Any Ruby web application that parses multipart bodies with a vulnerable Rack version is affected.

💻 Affected Systems

Products:
  • Rack (Ruby web server interface)
Versions: 2.x prior to 2.2.19; 3.x prior to 3.1.17; 3.2.x prior to 3.2.2
Operating Systems: All operating systems running Ruby applications with Rack
Default Config Vulnerable: ⚠️ Yes
Notes: Only reachable through multipart parsing, but that is broader than "apps with an upload form": frameworks such as Rails parse the body of any request whose Content-Type is multipart/form-data when `params` (or Rack's `request.POST`) is accessed, so an attacker can supply the multipart body to endpoints that never intended to accept uploads. Applications that never touch form parameters for multipart requests are not exposed.

📦 What is this software?

Rack is the modular interface between Ruby web servers (Puma, Unicorn, Passenger, Falcon) and Ruby web frameworks (Rails, Sinatra, Hanami, Roda). Its Rack::Multipart parser turns multipart/form-data request bodies into form fields and uploaded files, so a bug there is reachable from any framework that delegates body parsing to Rack.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service outage: a handful of requests exhaust worker memory, workers crash or are OOM-killed, and the application is unavailable to all users until processes are restarted (and the attacker can simply repeat).

🟠 Likely Case

Degraded performance, intermittent worker restarts and elevated memory consumption affecting application responsiveness.

🟢 If Mitigated

Minimal impact: a patched Rack caps the buffered header size, and a request-size limit at the proxy bounds memory per request.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only a multipart/form-data POST whose first part's header lines never end with the blank line (CRLF CRLF) that terminates the header block; the client keeps streaming header bytes and the server keeps buffering them. No authentication, no special tooling and no knowledge of the application are needed, which is why "no public PoC" offers little protection.
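The failure mode described in the TL;DR and just above, as an added Ruby illustration that is not Rack's own parser code: a part-header reader that buffers until the blank line ending the header block, once without a cap (the vulnerable pattern) and once with one (the fix's pattern). `read_part_headers`, the 16 KiB chunk size and the 64 KiB `MAX_HEADER_BYTES` are this example's assumptions, not Rack's actual constants, and the hostile and well-formed multipart bodies are constructed inline.

```ruby
# frozen_string_literal: true
require 'stringio'

# Added illustration of the bug class behind CVE-2025-61772; this is NOT
# Rack::Multipart::Parser. A part-header reader accumulates bytes until it
# sees the blank line ("\r\n\r\n") that ends a part's header block. With no
# cap, the buffer is as large as whatever the client keeps streaming; the
# hardened variant aborts once the buffer passes MAX_HEADER_BYTES
# (an assumed value for this example, not Rack's real limit).
CHUNK_SIZE       = 16 * 1024
MAX_HEADER_BYTES = 64 * 1024
HEADER_END       = "\r\n\r\n"
BOUNDARY         = 'xyz'

class HeaderTooLarge < StandardError; end

# Reads one part's headers from io. Returns [header_text, bytes_buffered].
# cap: nil reproduces the unbounded (vulnerable) behaviour.
def read_part_headers(io, cap: nil)
  buf = String.new(encoding: Encoding::BINARY)
  until (idx = buf.index(HEADER_END))
    chunk = io.read(CHUNK_SIZE)
    break if chunk.nil? # EOF before the terminator: the client went away
    buf << chunk
    raise HeaderTooLarge, "part header exceeded #{cap} bytes" if cap && buf.bytesize > cap
  end
  [idx ? buf[0, idx] : buf, buf.bytesize]
end

# Constructed hostile body: a boundary line, then header lines that never end
# in a blank line. `total` is roughly how many bytes the "client" streams.
def hostile_multipart(total:)
  line = "X-Pad: #{'a' * 1000}\r\n"
  body = String.new("--#{BOUNDARY}\r\n", encoding: Encoding::BINARY)
  body << line while body.bytesize < total
  body
end

# Constructed well-formed part, for comparison.
def well_formed_part
  "--#{BOUNDARY}\r\n" \
  "Content-Disposition: form-data; name=\"f\"; filename=\"a.txt\"\r\n" \
  "Content-Type: text/plain\r\n\r\n" \
  "hello\r\n--#{BOUNDARY}--\r\n"
end

# Header parsing starts right after the boundary line.
def part_header_stream(body)
  skip = "--#{BOUNDARY}\r\n".bytesize
  StringIO.new(body.byteslice(skip, body.bytesize - skip))
end

# Vulnerable behaviour: how many bytes ended up buffered in memory.
def vulnerable_buffered_bytes(body)
  read_part_headers(part_header_stream(body))[1]
end

# Hardened behaviour: :accepted or :rejected.
def hardened_result(body)
  read_part_headers(part_header_stream(body), cap: MAX_HEADER_BYTES)
  :accepted
rescue HeaderTooLarge
  :rejected
end

if $PROGRAM_NAME == __FILE__
  hostile = hostile_multipart(total: 4 * 1024 * 1024)
  puts "vulnerable reader buffered #{vulnerable_buffered_bytes(hostile)} bytes"
  puts "hardened reader on hostile body: #{hardened_result(hostile)}"
  puts "hardened reader on well-formed part: #{hardened_result(well_formed_part)}"
end
```

The vulnerable reader holds the entire 4 MiB stream (and would hold 4 GiB just as readily, bounded only by what the client sends and the server's memory), while the capped reader gives up after the fifth 16 KiB chunk and still parses a normal part correctly.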

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2.2.19, 3.1.17, or 3.2.2

Vendor Advisory: https://github.com/rack/rack/security/advisories/GHSA-wpv5-97wm-hp9c

Restart Required: Yes

Instructions:

1. Update the Rack gem to a patched release: `bundle update rack --conservative` (Bundler; `--conservative` avoids dragging in unrelated gem upgrades) or `gem update rack` for apps not managed by Bundler. If the Gemfile pins an older series, relax the constraint first.
2. Verify the version that actually loads: `bundle exec ruby -e 'require "rack"; puts Rack.release'`, or check the `rack (x.y.z)` line in Gemfile.lock.
3. Restart the application server (Puma, Unicorn, Passenger, etc.) so running workers pick up the new code.

🔧 Temporary Workarounds

Restrict request size at proxy/load balancer

Scope: all deployments

Limit the maximum request body size so a single request cannot stream unbounded header bytes into the parser. This bounds memory per request, not per server: an attacker can still open many connections each filling the cap, so pair it with connection and rate limits (e.g. nginx `limit_conn` / `limit_req`) and keep the cap as low as legitimate uploads allow.

nginx: `client_max_body_size 10M;` in the `server` (or `location`) block. The nginx default is already 1M, so raise it only as far as real uploads need.
Apache: `LimitRequestBody 10485760` in the relevant virtual host, `<Directory>` or `<Location>` config.

🧯 If You Can't Patch

  • Implement a request size limit at the application level with a Rack middleware placed ahead of any body parsing (reject multipart requests with an oversized or missing Content-Length before Rack::Multipart sees them)
  • Deploy WAF rules to block oversized or length-less multipart requests; size-based rules are more reliable here than content inspection, since a WAF would itself have to buffer the stream to notice that the header block never terminates
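One way to do the application-level limit from the first bullet, as an added example rather than code from Rack or any framework: a Rack middleware that refuses multipart requests before Rack::Multipart is invoked. `MultipartSizeGuard`, its 10 MiB default, and the 411/413 responses are this example's choices; the env hashes at the bottom are constructed sample requests, not captured traffic.

```ruby
# frozen_string_literal: true

# Added example: a minimal Rack middleware that refuses multipart requests whose
# declared body size exceeds a cap, or that declare no length at all (chunked
# uploads), before Rack::Multipart ever reads the body. Illustrative, not Rack's
# own code; the cap and status choices are this example's assumptions.
class MultipartSizeGuard
  DEFAULT_LIMIT = 10 * 1024 * 1024 # 10 MiB, matching the nginx example above

  def initialize(app, limit: DEFAULT_LIMIT)
    @app = app
    @limit = limit
  end

  def call(env)
    return @app.call(env) unless multipart?(env)

    length = env['CONTENT_LENGTH']
    if length.nil? || length.empty?
      # No declared length (e.g. Transfer-Encoding: chunked): the body cannot
      # be bounded up front, so refuse it.
      return respond(411, 'Length Required')
    end

    return respond(413, 'Payload Too Large') if length.to_i > @limit

    @app.call(env)
  end

  private

  def multipart?(env)
    env['CONTENT_TYPE'].to_s.downcase.start_with?('multipart/')
  end

  # Lowercase header names are valid for both Rack 2 and Rack 3.
  def respond(status, text)
    body = "#{text}\n"
    [status, { 'content-type' => 'text/plain', 'content-length' => body.bytesize.to_s }, [body]]
  end
end

# Constructed sample requests (Rack env hashes) exercising the guard with a
# deliberately small 1 KiB limit and a stand-in downstream app.
OK_APP = ->(_env) { [200, { 'content-type' => 'text/plain' }, ['ok']] }
GUARD = MultipartSizeGuard.new(OK_APP, limit: 1024)

def sample_env(content_type:, content_length:)
  env = { 'REQUEST_METHOD' => 'POST', 'PATH_INFO' => '/upload', 'CONTENT_TYPE' => content_type }
  env['CONTENT_LENGTH'] = content_length.to_s unless content_length.nil?
  env
end

# Returns the HTTP status the guarded stack produces for the given request.
def guard_status(content_type:, content_length:)
  GUARD.call(sample_env(content_type: content_type, content_length: content_length))[0]
end

if $PROGRAM_NAME == __FILE__
  puts guard_status(content_type: 'multipart/form-data; boundary=abc', content_length: 512)  # 200
  puts guard_status(content_type: 'multipart/form-data; boundary=abc', content_length: 4096) # 413
  puts guard_status(content_type: 'multipart/form-data; boundary=abc', content_length: nil)  # 411
  puts guard_status(content_type: 'application/json', content_length: nil)                    # 200
end
```

Wire it in at the outermost position (`use MultipartSizeGuard, limit: 10 * 1024 * 1024` at the top of config.ru, or `config.middleware.insert_before 0, MultipartSizeGuard, limit: ...` in a Rails initializer). The guard trusts Content-Length, which is safe here because the server reads at most that many body bytes; the trade-off is that clients sending legitimately chunked multipart uploads receive 411 until Rack is patched.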

🔍 How to Verify

Check if Vulnerable:

Check the Rack version your application actually loads: `bundle show rack`, the `rack (x.y.z)` line in Gemfile.lock, or `bundle exec ruby -e 'require "rack"; puts Rack.release'`. If the version is below 2.2.19 (2.x), 3.1.17 (3.x) or 3.2.2 (3.2.x), the system is vulnerable. Check every service's lockfile, not just the main app.

Check Version:

bundle exec ruby -e 'require "rack"; puts Rack.release'

Verify Fix Applied:

Confirm the loaded Rack version is 2.2.19+, 3.1.17+ or 3.2.2+, then run your multipart upload tests: well-formed uploads must still succeed, and an oversized or unterminated part header must now be rejected rather than buffered.

📡 Detection & Monitoring

Log Indicators:

  • Memory usage spikes on application server workers (Puma, Unicorn, Passenger)
  • OOM-killer entries in kernel/syslog naming those workers, or Ruby `NoMemoryError: failed to allocate memory` in application logs
  • Multipart POSTs with unusually large or absent Content-Length in access logs

Network Indicators:

  • multipart/form-data POSTs whose part header block never reaches the CRLF CRLF terminator
  • Long-lived POST connections that keep sending body bytes while no response is ever produced

SIEM Query:

(source="application.log" OR source="/var/log/syslog") AND ("Out of memory" OR "Killed process" OR "failed to allocate memory") AND (process="puma" OR process="unicorn" OR process="passenger")

🔗 References

  • Vendor advisory: https://github.com/rack/rack/security/advisories/GHSA-wpv5-97wm-hp9c
  • NVD: https://nvd.nist.gov/vuln/detail/CVE-2025-61772