Introduction
A single HTTP request can bring down a Ruby web application if it exploits a flaw in how multipart form data is parsed. CVE-2025-61770 exposes a high-impact memory exhaustion vulnerability in Rack, the core Ruby web server interface used by Ruby on Rails, Sinatra, and many other frameworks. Any internet-facing application accepting multipart form data is at risk if running a vulnerable version.
About Rack: Rack is the de facto standard interface between Ruby web frameworks and web servers. It is used in millions of deployments worldwide and forms the backbone of the Ruby web ecosystem. Its security and stability directly affect a wide range of production applications.
Technical Information
CVE-2025-61770 is rooted in the implementation of Rack::Multipart::Parser. When handling multipart HTTP requests (commonly used for file uploads), the parser reads and buffers the entire preamble—the bytes before the first boundary—directly into memory. Critically, there is no size check or limit on this buffer in affected versions.
An attacker can send a multipart/form-data request with an extremely large preamble, followed by a valid boundary. The parser will allocate memory for the entire preamble regardless of its size. With enough concurrent requests or a sufficiently large preamble, this can:
- Exhaust available memory, causing process termination (OOM)
- Trigger frequent garbage collection, leading to severe slowdowns
- Crash worker processes or degrade application performance
The risk is proportional to the allowed request size and server concurrency. The vulnerability is remotely exploitable and does not require authentication or knowledge of application internals. It is classified under CWE-400 (Uncontrolled Resource Consumption).
Patched versions (2.2.19, 3.1.17, 3.2.2) introduce a hard limit on preamble size (for example, 16 KiB) or discard preamble data entirely, preventing unbounded memory allocation.
No public code snippets of the vulnerable or fixed code are available in official advisories or commits.
Affected Systems and Versions
- Rack versions prior to 2.2.19
- Rack versions prior to 3.1.17
- Rack versions prior to 3.2.2
All configurations that process multipart/form-data requests using these versions are vulnerable. This includes default configurations in Ruby on Rails and Sinatra applications.
Vendor Security History
Rack has a history of multipart parsing vulnerabilities. Notable examples include:
- CVE-2022-30122: Multipart parser DoS
- CVE-2025-49007: Multipart header ReDoS
The Rack team typically responds quickly with patches and coordinated advisories. Security advisories are published on GitHub and through industry channels. The project is maintained by experienced Ruby developers and is considered mature, but multipart parsing remains a recurring source of issues.
