Rack Multipart Memory Exhaustion: Brief Summary of CVE-2025-61771

A brief summary of CVE-2025-61771, a memory exhaustion vulnerability in Rack's multipart parser affecting Ruby web applications. This post covers technical details, affected versions, and vendor security history based on available public information.
ZeroPath CVE Analysis

2025-10-07

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.


Introduction

A single crafted HTTP request can take down a Ruby web application worker when the framework underneath it allocates memory in proportion to attacker-controlled input. CVE-2025-61771 is a case in point: a design choice in Rack's multipart parser lets a client exhaust server memory, denying service to any application that parses multipart form data.

Rack is the de facto interface between Ruby web servers and frameworks such as Rails, Sinatra, and Hanami. Its adoption is nearly universal in the Ruby ecosystem, so a vulnerability in Rack reaches a wide range of production systems.

Technical Information

CVE-2025-61771 is a memory exhaustion vulnerability in the Rack::Multipart::Parser component, the code that handles multipart/form-data requests, the encoding browsers use for file uploads and for forms that mix files with ordinary fields. In affected versions, when the parser encounters a non-file form field (a part whose Content-Disposition header carries no filename parameter), it reads the entire value into memory as a single Ruby String.

This becomes a problem when an attacker submits a multipart request with a very large text field. A field carrying hundreds of megabytes of data makes Rack allocate a String at least that large, and nothing in the parser asks whether the application has any use for a field of that size. If several such requests are processed concurrently, or a single request carries several oversized fields, process memory is exhausted quickly. The result is worker crashes or severe garbage-collection overhead, which denies service to legitimate users.

The root cause is the absence of a size cap on non-file fields. File parts (those with a filename) are written to a Tempfile in chunks as they are read, so their size is bounded by disk rather than by process memory; non-file parts had no comparable control. The fix, released in Rack 2.2.19, 3.1.17, and 3.2.2, introduces a default 2 MiB cap on the size of non-file fields. Requests exceeding this limit are rejected early in the parsing process.
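To make the failure mode concrete, here is a small multipart/form-data reader written for this post as an added example. It is not Rack's parser and does not reproduce Rack's internals; it only follows the division of labour described above (parts with a filename go to a Tempfile, parts without one are buffered in a String) and adds an assumed `field_limit:` keyword: passing nil reproduces the unbounded buffering, passing an integer aborts the request as soon as a non-file part outgrows the limit. The class name, the `build_body` and `parse_body` helpers, the boundary strings and the sample bodies are all constructed for the example.

```ruby
require 'stringio'
require 'tempfile'
# Illustrative multipart/form-data reader written for this post; it is NOT Rack's
# parser. It mirrors the split CVE-2025-61771 hinges on: parts with a filename are
# streamed to a Tempfile, parts without one accumulate in a String. `field_limit:` is
# an assumed knob: nil = unbounded (pre-fix) behaviour, Integer = cap per non-file part.
class TinyMultipart
  class FieldTooLarge < StandardError; end
  class MalformedBody < StandardError; end
  CHUNK = 8 * 1024
  Part = Struct.new(:name, :filename, :value, :tempfile, :bytes)

  def initialize(io, boundary, field_limit: nil)
    @io = io
    @first = "--#{boundary}".b      # opening delimiter (no leading CRLF)
    @delim = "\r\n#{@first}".b      # delimiter that terminates a part body
    @field_limit = field_limit
    @buf = String.new(encoding: Encoding::BINARY)
  end

  # Returns an Array of Part; raises FieldTooLarge as soon as a non-file part outgrows the limit.
  def parse
    parts = []
    fill(@first) or raise MalformedBody, 'missing first boundary'
    @buf = @buf[(@buf.index(@first) + @first.bytesize)..]
    loop do
      fill(nil, 2) or raise MalformedBody, 'truncated boundary line'
      return parts if @buf.start_with?('--')     # closing "--boundary--"
      raise MalformedBody, 'bad boundary line' unless @buf.start_with?("\r\n")
      @buf = @buf[2..]
      parts << read_part
    end
  end

  private
  # Read until `needle` is buffered and at least `min` bytes are held; false at EOF.
  def fill(needle = nil, min = 0)
    until (needle.nil? || @buf.include?(needle)) && @buf.bytesize >= min
      chunk = @io.read(CHUNK) or return false
      @buf << chunk.b
    end
    true
  end

  def read_part
    fill("\r\n\r\n") or raise MalformedBody, 'unterminated part headers'
    header_end = @buf.index("\r\n\r\n")
    headers = @buf[0...header_end]
    @buf = @buf[(header_end + 4)..]
    # "[;\s]name=" so the "name=" inside "filename=" is not matched.
    part = Part.new(headers[/[;\s]name="([^"]*)"/, 1], headers[/filename="([^"]*)"/, 1], nil, nil, 0)
    part.value = String.new(encoding: Encoding::BINARY) unless part.filename
    (part.tempfile = Tempfile.new('part')).binmode if part.filename
    loop do
      if (i = @buf.index(@delim))
        sink(part, @buf[0...i])
        @buf = @buf[(i + @delim.bytesize)..]
        break
      end
      # The last (delim.bytesize - 1) bytes may begin a delimiter; flush only what precedes them.
      safe = @buf.bytesize - (@delim.bytesize - 1)
      if safe > 0
        sink(part, @buf[0...safe])
        @buf = @buf[safe..]
      end
      fill(nil, @buf.bytesize + 1) or raise MalformedBody, 'unterminated part body'
    end
    part.tempfile&.rewind
    part
  end

  # Limit checked on every flush: a rejected request holds at most field_limit + CHUNK bytes of the field.
  def sink(part, bytes)
    part.bytes += bytes.bytesize
    if part.tempfile
      part.tempfile.write(bytes)
    elsif @field_limit && part.bytes > @field_limit
      raise FieldTooLarge, "field #{part.name.inspect} exceeds #{@field_limit} bytes"
    else
      part.value << bytes
    end
  end
end

# Constructed request body: one ordinary field followed by one file field.
def build_body(boundary, field_value:, file_data:)
  ["--#{boundary}\r\nContent-Disposition: form-data; name=\"comment\"\r\n\r\n",
   field_value, "\r\n--#{boundary}\r\n",
   "Content-Disposition: form-data; name=\"upload\"; filename=\"a.bin\"\r\n",
   "Content-Type: application/octet-stream\r\n\r\n", file_data, "\r\n--#{boundary}--\r\n"].join.b
end

# Returns [:ok, parts] or [:rejected, message].
def parse_body(body, boundary, field_limit:)
  [:ok, TinyMultipart.new(StringIO.new(body), boundary, field_limit: field_limit).parse]
rescue TinyMultipart::FieldTooLarge => e
  [:rejected, e.message]
end
```

With a body whose "comment" field is 3 MB of text, `parse_body(body, 'b1', field_limit: nil)` returns :ok and a Part whose value is a 3 MB String, which is the shape of the bug; with `field_limit: 2 * 1024 * 1024` it returns :rejected. Because the reader pulls the body from the IO in 8 KiB chunks and checks the running total on every flush, peak memory for a rejected request is bounded by the limit plus one chunk rather than by the attacker's Content-Length. A check placed after the whole part has been read would still allow the full allocation and would not help.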

No code snippets are provided in public advisories. The relevant commits implementing the fix can be reviewed for further technical details:

Affected Systems and Versions

  • Rack versions prior to 2.2.19
  • Rack versions prior to 3.1.17
  • Rack versions prior to 3.2.2

Any application that lets Rack parse a multipart body is affected, and this includes applications built on Ruby on Rails, Sinatra, Hanami, and any other framework that uses Rack for HTTP request handling. Note that an application does not need to offer file uploads, or any multipart form at all, to be exposed: the client chooses the Content-Type, and an endpoint whose parameters are read through Rack::Request#POST (directly or via the framework's params) will hand a multipart/form-data body to the parser.
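A quick way to tell whether a deployment is on a fixed release is to read the resolved rack version out of Gemfile.lock and compare it against the fixed versions listed above. The following is an added example written for this post, not a ZeroPath or Rack tool; the lockfile excerpt it is exercised with is constructed, and releases outside the 2.2, 3.1 and 3.2 series get no verdict because this page lists no fixed version for them.

```ruby
require 'rubygems'

# Fixed releases as listed above, keyed by release series. Series absent from this
# table (for example 3.0.x) have no fixed version on this page, so they get no verdict.
FIXED_RACK = {
  '2.2' => Gem::Version.new('2.2.19'),
  '3.1' => Gem::Version.new('3.1.17'),
  '3.2' => Gem::Version.new('3.2.2')
}.freeze

# Pull the resolved rack version out of a Gemfile.lock. Resolved gems sit at four
# spaces of indentation as "name (x.y.z)"; dependency lines are deeper and carry
# constraints, so "      rack (>= 3.0.0)" under another gem is not matched.
def locked_rack_version(lockfile_text)
  m = lockfile_text.match(/^ {4}rack \((\d+(?:\.\d+)*)\)$/)
  m && Gem::Version.new(m[1])
end

# :vulnerable, :fixed or :unknown for a given rack version.
def rack_status(version)
  fixed = FIXED_RACK[version.segments.first(2).join('.')] or return :unknown
  version < fixed ? :vulnerable : :fixed
end

# Whole-lockfile wrapper: returns [version_string, status], or [nil, :not_found]
# when rack is not among the resolved gems.
def audit_lockfile(lockfile_text)
  v = locked_rack_version(lockfile_text) or return [nil, :not_found]
  [v.to_s, rack_status(v)]
end

# Usage: ruby rack_audit.rb path/to/Gemfile.lock (file name assumed for the example)
if __FILE__ == $PROGRAM_NAME && (path = ARGV[0])
  p audit_lockfile(File.read(path))
end
```

Run it once per application, or loop it over every Gemfile.lock in a monorepo; a :vulnerable result on a 2.2, 3.1 or 3.2 line means the lock resolves to a release older than the fix, and :unknown means the series is not covered by the versions listed here and needs a manual look at the vendor's advisory.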

Vendor Security History

Rack has experienced multiple resource exhaustion and denial of service vulnerabilities in recent years, including issues in its multipart and query parsers. The project has a track record of coordinated patch releases and public security advisories. Previous issues include:

  • CVE-2025-46727: Unbounded parameter parsing in Rack::QueryParser
  • CVE-2025-49007: ReDoS in Rack::Multipart
  • CVE-2022-30122: DoS in multipart parsing

The Rack team typically responds with timely patches and clear upgrade guidance.
