CVE-2025-59830

NameCVE-2025-59830
DescriptionRack is a modular Ruby web server interface. Prior to version 2.2.18, Rack::QueryParser enforces its params_limit only for parameters separated by &, while still splitting on both & and ;. As a result, attackers could use ; separators to bypass the parameter count limit and submit more parameters than intended. Applications or middleware that directly invoke Rack::QueryParser with its default configuration (no explicit delimiter) could be exposed to increased CPU and memory consumption. This can be abused as a limited denial-of-service vector. This issue has been patched in version 2.2.18.
SourceCVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDLA-4357-1
Debian Bugs1116431

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ruby-rack (PTS)bullseye2.1.4-3+deb11u2vulnerable
bullseye (security)2.1.4-3+deb11u4fixed
bookworm2.2.13-1~deb12u1vulnerable
bookworm (security)2.2.20-0+deb12u1fixed
trixie3.1.16-0.1fixed
trixie (security)3.1.18-1~deb13u1fixed
forky, sid3.1.18-1fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ruby-racksourcebullseye2.1.4-3+deb11u4DLA-4357-1
ruby-racksourcebookworm2.2.20-0+deb12u1
ruby-racksource(unstable)3.0.8-21116431

Notes

https://github.com/rack/rack/security/advisories/GHSA-625h-95r8-8xpm
Fixed by: https://github.com/rack/rack/commit/54e4ffdd5affebcb0c015cc6ae74635c0831ed71 (v2.2.18)
Rack > 3 is not affected as semicolons are not considered parameter separators in Rack 3.
Mark the first version in 3.x series entering unstable as the fixed version.
Search for package or bug name: Reporting problems