Rack Multipart Parser CVE-2025-61770: Brief Summary of Memory Exhaustion Vulnerability

This post provides a brief summary of CVE-2025-61770, a memory exhaustion vulnerability in Rack's multipart parser. We cover technical details, affected versions, and vendor security history based on available public information.
ZeroPath CVE Analysis

2025-10-07
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

A single crafted HTTP request can bring down a Ruby web application by exploiting a flaw in how multipart form data is parsed. CVE-2025-61770 is a memory exhaustion vulnerability in Rack, the core Ruby web server interface used by Ruby on Rails, Sinatra, and many other frameworks. Any internet-facing application that accepts multipart form data and runs a vulnerable version is exposed.

About Rack: Rack is the de facto standard interface between Ruby web frameworks and web servers, so nearly every Ruby web application loads it whether or not the developer uses it directly. Its security and stability therefore affect a wide range of production applications.

Technical Information

CVE-2025-61770 is rooted in the implementation of Rack::Multipart::Parser. When handling multipart HTTP requests (commonly used for file uploads), the parser reads the entire preamble, the bytes that precede the first boundary delimiter, into a memory buffer while scanning for that delimiter. Critically, affected versions place no size limit on this buffer, even though the preamble carries nothing the application ever uses.

An attacker can send a multipart/form-data request with an extremely large preamble followed by a valid boundary. The parser allocates memory for the entire preamble regardless of its size. With a sufficiently large preamble, or enough concurrent requests, this can:

  • Exhaust available memory, causing process termination (OOM)
  • Trigger frequent garbage collection, leading to severe slowdowns
  • Crash worker processes or degrade application performance

The risk is proportional to the allowed request size and server concurrency: the memory consumed per request is bounded only by whatever body-size limit sits in front of the application (for example, a reverse proxy's maximum request body size), and without such a limit only by the attacker's bandwidth. Rack's existing multipart safeguards do not help here, because the part-count limit (Rack::Utils.multipart_part_limit) counts parts, and no part exists until the first boundary has been found; the preamble is consumed before that. The vulnerability is remotely exploitable and requires neither authentication nor knowledge of application internals. It is classified under CWE-400 (Uncontrolled Resource Consumption).

Patched versions (2.2.19, 3.1.17, 3.2.2) stop the unbounded buffering: the parser either enforces a hard limit on preamble size (for example, 16 KiB) or discards preamble data instead of accumulating it, so the memory held while searching for the first boundary no longer grows with attacker-supplied input.

No public code snippets of the vulnerable or fixed code are available in official advisories or commits.
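To make the bug class concrete, the following is an added illustration written for this post; it is not Rack's parser and does not reproduce the project's fix. It builds a multipart body with an attacker-chosen preamble (constructed sample input), then scans for the first boundary delimiter two ways: an unbounded scan that appends every chunk to one buffer, and a bounded scan that keeps only the tail needed to catch a delimiter split across two reads and fails once the discarded total passes a cap. The 16 KiB cap, the 4 KiB chunk size and all helper names are this example's assumptions.

```ruby
require "stringio"

# Added illustration of the bug class; not Rack's own parser code.
# The cap, chunk size and helper names are assumptions for this example.
PREAMBLE_LIMIT = 16 * 1024

class PreambleTooLarge < StandardError; end

# Builds a multipart/form-data body with +preamble_size+ junk bytes before the
# first boundary delimiter (constructed sample input; the boundary is arbitrary).
def build_multipart_body(boundary, preamble_size, name: "f", value: "x")
  [
    "A" * preamble_size,
    "\r\n--#{boundary}\r\n",
    "Content-Disposition: form-data; name=\"#{name}\"\r\n\r\n",
    value,
    "\r\n--#{boundary}--\r\n"
  ].join.b
end

# Unbounded scan: append every chunk to one buffer until "--boundary" shows up.
# Peak memory equals the whole preamble plus one chunk, all attacker-controlled.
def skip_preamble_unbounded(io, boundary, chunk_size: 4096)
  delimiter = "--#{boundary}".b
  buf = String.new                      # ASCII-8BIT, so #index is a byte offset
  while (chunk = io.read(chunk_size))
    buf << chunk
    if (idx = buf.index(delimiter))
      return { buffered: buf.bytesize, rest: buf.byteslice(idx, buf.bytesize - idx) }
    end
  end
  raise EOFError, "no boundary delimiter found"
end

# Bounded scan: after each failed search, only the last (delimiter length - 1)
# bytes can still be the start of a delimiter, so everything before them is
# discarded and counted against +limit+. Peak memory is one chunk plus that tail.
def skip_preamble_bounded(io, boundary, limit: PREAMBLE_LIMIT, chunk_size: 4096)
  delimiter = "--#{boundary}".b
  keep = delimiter.bytesize - 1         # longest possible partial delimiter
  window = String.new
  discarded = 0
  peak = 0
  while (chunk = io.read(chunk_size))
    window << chunk
    peak = [peak, window.bytesize].max
    if (idx = window.index(delimiter))
      discarded += idx
      raise PreambleTooLarge, "preamble exceeds #{limit} bytes" if discarded > limit
      return { discarded: discarded, peak_window: peak,
               rest: window.byteslice(idx, window.bytesize - idx) }
    end
    next unless window.bytesize > keep
    discarded += window.bytesize - keep
    raise PreambleTooLarge, "preamble exceeds #{limit} bytes" if discarded > limit
    window = window.byteslice(window.bytesize - keep, keep)
  end
  raise EOFError, "no boundary delimiter found"
end

# Runs both scanners over the same body and reports what each one held.
def compare_scanners(preamble_size, boundary: "----demo-boundary")
  body = build_multipart_body(boundary, preamble_size)
  unbounded = skip_preamble_unbounded(StringIO.new(body), boundary)
  bounded = begin
    skip_preamble_bounded(StringIO.new(body), boundary)
  rescue PreambleTooLarge
    :rejected
  end
  { body_bytes: body.bytesize, unbounded_buffered: unbounded[:buffered], bounded: bounded }
end

if __FILE__ == $PROGRAM_NAME
  [1_000, 10_000, 1_000_000].each do |n|
    puts "preamble=#{n}: #{compare_scanners(n).inspect}"
  end
end
```

With a 1 MiB preamble the unbounded scan holds the whole megabyte before it finds the delimiter, while the bounded scan never holds more than one chunk plus 18 bytes and rejects the request once 16 KiB has been skipped. The sliding tail is what makes discarding safe: a delimiter of length L can only be missed if it starts within the last L-1 bytes of the window, so keeping exactly those bytes loses nothing.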

Affected Systems and Versions

  • Rack versions prior to 2.2.19
  • Rack versions prior to 3.1.17
  • Rack versions prior to 3.2.2

All configurations that process multipart/form-data requests with these versions are vulnerable, including default Ruby on Rails and Sinatra applications, which hand multipart bodies to Rack's parser without any preamble check of their own. Because frameworks depend on Rack transitively, the framework version alone says nothing about exposure; the resolved rack entry in Gemfile.lock is what matters.
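As a quick exposure check, the following added script (not a ZeroPath or Rack tool) reads the resolved rack version out of a Gemfile.lock and compares it against the fixed releases listed above using Gem::Version. The series logic is this example's interpretation of that list: anything below 3.0 is measured against 2.2.19, and a series the list gives no fix for (3.0.x) is reported as :not_listed rather than guessed at. The lockfile text is a constructed sample.

```ruby
require "rubygems"

# Added check, not a ZeroPath or Rack tool. Fixed versions are the ones this
# page lists; the series logic and the :not_listed result are this example's
# own interpretation of that list.
RACK_FIXES = {
  "2.2" => Gem::Version.new("2.2.19"),
  "3.1" => Gem::Version.new("3.1.17"),
  "3.2" => Gem::Version.new("3.2.2")
}.freeze

# Classifies a rack version string against CVE-2025-61770's fixed releases.
# Returns :patched, :vulnerable, or :not_listed (a series this page gives no
# fix for, such as 3.0.x; check the advisory directly for those).
def rack_cve_2025_61770_status(version_string)
  v = Gem::Version.new(version_string)
  fix =
    if v >= Gem::Version.new("3.2") then RACK_FIXES["3.2"]
    elsif v >= Gem::Version.new("3.1") then RACK_FIXES["3.1"]
    elsif v >= Gem::Version.new("3.0") then nil
    else RACK_FIXES["2.2"]   # "prior to 2.2.19" covers every 1.x/2.x release
    end
  return :not_listed if fix.nil?
  v < fix ? :vulnerable : :patched
end

# Extracts the resolved rack version from Gemfile.lock text. Only the 4-space
# indented "rack (x.y.z)" spec line is the gem itself; deeper indents are
# dependency edges of other gems and must not match.
def resolved_rack_version(lockfile_text)
  m = lockfile_text.match(/^    rack \(([^)\s]+)\)/)
  m && m[1]
end

# Constructed sample lockfile, not taken from a real project.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (3.1.16)
      rack-session (2.1.0)
        base64 (>= 0.1.0)
        rack (>= 3.0.0)
      rack-test (2.2.0)
        rack (>= 1.3)

  PLATFORMS
    ruby

  DEPENDENCIES
    rack-test
LOCK

# Combines the two steps; :not_found means the lockfile resolves no rack gem.
def audit_lockfile(lockfile_text)
  version = resolved_rack_version(lockfile_text)
  return { version: nil, status: :not_found } unless version
  { version: version, status: rack_cve_2025_61770_status(version) }
end

if __FILE__ == $PROGRAM_NAME
  path = ARGV[0] || "Gemfile.lock"
  text = File.exist?(path) ? File.read(path) : SAMPLE_LOCK
  puts audit_lockfile(text).inspect
end
```

Run it with the path to a project's Gemfile.lock as the first argument; with no argument and no lockfile in the current directory it audits the embedded sample, which resolves rack 3.1.16 and therefore reports :vulnerable.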

Vendor Security History

Rack has a history of multipart parsing vulnerabilities. Notable examples include:

  • CVE-2022-30122: denial of service in multipart form parsing
  • CVE-2025-49007: ReDoS in multipart header parsing

The Rack team typically responds quickly with patches and coordinated advisories, published as GitHub Security Advisories and picked up by the ruby-advisory-db that bundler-audit consumes. The project is maintained by experienced Ruby developers and is considered mature, but multipart parsing remains a recurring source of issues.
