Ruby/rack/3.0.14

Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Repo Link: https://rubygems.org/gems/rack
License: MIT

1 Security Vulnerabilities

Rack has an Unbounded-Parameter DoS in Rack::QueryParser

Published date: 2025-05-08T14:45:48Z

CVE: CVE-2025-46727

Links:

Summary

Rack::QueryParser parses query strings and application/x-www-form-urlencoded bodies into Ruby data structures without imposing any limit on the number of parameters, allowing attackers to send requests with extremely large numbers of parameters.

Details

The vulnerability arises because Rack::QueryParser iterates over each &-separated key-value pair and adds it to a Hash without enforcing an upper bound on the total number of parameters. This allows an attacker to send a single request containing hundreds of thousands (or more) of parameters, which consumes excessive memory and CPU during parsing.

Impact

An attacker can trigger denial of service by sending specifically crafted HTTP requests, which can cause memory exhaustion or pin CPU resources, stalling or crashing the Rack server. This results in full service disruption until the affected worker is restarted.

Mitigation

Update to a version of Rack that limits the number of parameters parsed, or
Use middleware to enforce a maximum query string size or parameter count, or
Employ a reverse proxy (such as Nginx) to limit request sizes and reject oversized query strings or bodies.

Limiting request body sizes and query string lengths at the web server or CDN level is an effective mitigation.

Affected versions: ["3.1.2", "3.1.1", "3.1.0", "3.1.3", "3.1.4", "3.1.6", "3.1.5", "3.1.7", "3.1.8", "3.1.9", "3.1.10", "3.1.11", "3.1.12", "3.1.13", "3.0.0", "3.0.1", "3.0.2", "3.0.3", "3.0.4", "3.0.4.1", "3.0.4.2", "3.0.5", "3.0.6", "3.0.6.1", "3.0.7", "3.0.8", "3.0.9", "3.0.9.1", "3.0.10", "3.0.11", "3.0.12", "3.0.13", "3.0.14", "3.0.15", "2.2.3", "2.2.2", "2.2.1", "2.2.0", "2.1.1", "2.0.9", "2.0.7", "2.0.6", "2.0.4", "2.0.3", "2.0.2", "1.6.11", "1.6.7", "1.6.6", "1.6.5", "1.6.4", "1.6.1", "1.6.0", "1.6.0.beta", "1.5.5", "1.5.3", "1.5.1", "1.5.0.beta.2", "1.5.0.beta.1", "1.4.6", "1.4.3", "1.4.2", "1.3.7", "1.3.5", "1.3.4", "1.3.2", "1.3.0", "1.3.0.beta", "1.2.7", "1.2.6", "1.2.3", "1.2.1", "1.1.4", "1.1.3", "1.1.1", "1.1.1.pre", "1.1.0", "1.0.0", "0.9.1", "0.4.0", "0.2.0", "0.1.0", "2.1.4", "2.1.3", "2.1.2", "2.1.0", "2.0.8", "2.0.5", "2.0.1", "2.0.0.rc1", "2.0.0.alpha", "1.6.13", "1.6.12", "1.6.10", "1.6.9", "1.6.8", "1.6.3", "1.6.2", "1.6.0.beta2", "1.5.4", "1.5.2", "1.5.0", "1.4.7", "1.4.5", "1.4.4", "1.4.1", "1.4.0", "1.3.10", "1.3.9", "1.3.8", "1.3.6", "1.3.3", "1.3.1", "1.3.0.beta2", "1.2.8", "1.2.5", "1.2.4", "1.2.2", "1.2.0", "1.1.6", "1.1.5", "1.1.2", "1.0.1", "0.9.0", "0.3.0", "2.2.3.1", "2.1.4.1", "2.0.9.1", "2.2.4", "2.2.5", "2.2.6", "2.2.6.2", "2.2.6.1", "2.1.4.2", "2.0.9.2", "2.2.6.3", "2.1.4.3", "2.0.9.3", "2.2.6.4", "2.2.7", "2.2.8", "2.2.8.1", "2.1.4.4", "2.0.9.4", "2.2.9", "2.2.10", "2.2.11", "2.2.12", "2.2.13"]

Secure versions: [2.2.14, 2.2.15, 2.2.16, 2.2.17, 3.0.16, 3.0.17, 3.0.18, 3.1.14, 3.1.15, 3.1.16]

Recommendation: Update to version 3.1.16.

160 Other Versions

Version	License	Security	Released
2.2.9	MIT	6	2024-03-21 - 01:19	over 1 year
2.2.8.1	MIT	6	2024-02-21 - 19:23	over 1 year
2.2.8	MIT	12	2023-07-31 - 02:43	almost 2 years
2.2.7	MIT	12	2023-04-24 - 23:22	about 2 years
2.2.6.4	MIT	12	2023-03-13 - 18:10	over 2 years
2.2.6.3	MIT	14	2023-03-02 - 22:57	over 2 years
2.2.6.2	MIT	16	2023-01-17 - 21:22	over 2 years
2.2.6.1	MIT	18	2023-01-17 - 20:48	over 2 years
2.2.6	MIT	22	2023-01-16 - 21:05	over 2 years
2.2.5	MIT	22	2022-12-26 - 20:19	over 2 years
2.2.4	MIT	22	2022-06-30 - 22:22	about 3 years
2.2.3.1	MIT	22	2022-05-27 - 15:31	about 3 years
2.2.3	MIT	26	2020-06-15 - 22:25	about 5 years
2.2.2	MIT	28	2020-02-10 - 22:25	over 5 years
2.2.1	MIT	28	2020-02-09 - 06:20	over 5 years
2.2.0	MIT	28	2020-02-08 - 18:26	over 5 years
2.1.4.4	MIT	16	2024-02-21 - 19:21	over 1 year
2.1.4.3	MIT	18	2023-03-02 - 22:57	over 2 years
2.1.4.2	MIT	20	2023-01-17 - 20:48	over 2 years
2.1.4.1	MIT	26	2022-05-27 - 15:31	about 3 years
2.1.4	MIT	30	2020-06-15 - 22:24	about 5 years
2.1.3	MIT	31	2020-05-12 - 21:44	about 5 years
2.1.2	MIT	32	2020-01-27 - 22:42	over 5 years
2.1.1	MIT	32	2020-01-11 - 22:18	over 5 years
2.1.0	MIT	32	2020-01-10 - 17:49	over 5 years
2.0.9.4	MIT	20	2024-02-21 - 19:20	over 1 year
2.0.9.3	MIT	22	2023-03-02 - 22:57	over 2 years
2.0.9.2	MIT	24	2023-01-17 - 20:48	over 2 years
2.0.9.1	MIT	30	2022-05-27 - 15:31	about 3 years
2.0.9	MIT	34	2020-02-08 - 18:21	over 5 years
2.0.8	MIT	34	2019-12-18 - 18:08	over 5 years
2.0.7	MIT	36	2019-04-02 - 16:54	about 6 years
2.0.6	MIT	36	2018-11-05 - 20:00	over 6 years
2.0.5	MIT	40	2018-04-23 - 17:47	about 7 years
2.0.4	MIT	40	2018-01-31 - 18:17	over 7 years
2.0.3	MIT	38	2017-05-15 - 16:50	about 8 years
2.0.2	MIT	38	2017-05-08 - 17:08	about 8 years
2.0.1	MIT	38	2016-06-30 - 17:34	about 9 years
2.0.0.rc1	MIT	33	2016-05-06 - 20:52	about 9 years
2.0.0.alpha	MIT	33	2015-12-17 - 21:34	over 9 years
1.6.13	MIT	31	2020-02-08 - 18:19	over 5 years
1.6.12	MIT	31	2019-12-18 - 18:08	over 5 years
1.6.11	MIT	32	2018-11-05 - 20:00	over 6 years
1.6.10	MIT	33	2018-04-23 - 17:52	about 7 years
1.6.9	MIT	33	2018-02-27 - 17:19	over 7 years
1.6.8	MIT	33	2017-05-16 - 21:29	about 8 years
1.6.7	MIT	33	2017-05-15 - 16:47	about 8 years
1.6.6	MIT	33	2017-05-08 - 17:07	about 8 years
1.6.5	MIT	33	2016-11-10 - 21:55	over 8 years
1.6.4	MIT	33	2015-06-18 - 21:51	about 10 years