Introduction
A single HTTP request can crash a Ruby web application if it exploits a memory allocation flaw in the underlying framework. CVE-2025-61771 highlights how a design choice in Rack's multipart parser can be leveraged to exhaust server memory, leading to denial of service for any application that processes multipart form data.
Rack is the de facto Ruby web server interface, providing the glue between web servers and frameworks like Rails, Sinatra, and Hanami. Its adoption is nearly universal in the Ruby ecosystem, making any vulnerability in Rack a concern for a wide range of production systems.
Technical Information
CVE-2025-61771 is a memory exhaustion vulnerability in the Rack::Multipart::Parser component. The parser handles multipart/form-data requests, which are commonly used for file uploads and complex forms. In affected versions, when the parser encounters a non-file form field (a part without a filename parameter), it reads the entire value into memory as a Ruby String object.
This becomes a problem when an attacker submits a multipart request with a very large text field. For example, a field containing hundreds of megabytes of data will cause Rack to allocate a String of equivalent size. If multiple such requests are processed concurrently, or if a single request contains multiple oversized fields, the process memory can be quickly exhausted. This can result in worker crashes or severe garbage collection overhead, effectively denying service to legitimate users.
The vulnerability is rooted in the lack of a size cap on non-file fields. While file uploads are typically streamed or written to disk, non-file fields were not subject to similar controls. The fix, implemented in Rack versions 2.2.19, 3.1.17, and 3.2.2, introduces a default 2 MiB cap on the size of non-file fields. Requests exceeding this limit are rejected early in the parsing process.
No code snippets are provided in public advisories. The relevant commits implementing the fix can be reviewed for further technical details:
- Commit 589127f4ac8b5cf11cf88fb0cd116ffed4d2181e
- Commit d869fed663b113b95a74ad53e1b5cae6ab31f29e
- Commit e08f78c656c9394d6737c022bde087e0f33336fd
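As an added example, not Rack's code and not taken from the commits above, here is a minimal multipart/form-data reader that applies a per-field byte cap to non-file parts, the class of control the fix introduces. All names, the READ_LIMIT value and the constructed request bodies are illustrative assumptions, and file parts are simply discarded here rather than streamed.

```ruby
require 'stringio'
# Added example, not Rack's code: a minimal multipart/form-data reader
# that applies the kind of per-field cap the patched versions introduce.
class FieldTooLarge < StandardError; end
NONFILE_CAP = 2 * 1024 * 1024 # 2 MiB, the default cap the fix introduces
READ_LIMIT  = 64 * 1024       # bound on each read (illustrative value)

# Reads one part body up to the next delimiter line. For non-file parts the
# running byte count is checked on every chunk, so an oversized value is
# rejected after at most cap + READ_LIMIT bytes instead of being buffered
# whole. File parts are discarded. Returns [value, closing_delimiter_seen].
def read_part_body(io, delimiter, cap:, file:)
  buf, size = +'', 0
  while (chunk = io.gets("\r\n", READ_LIMIT))
    line = chunk.chomp("\r\n")
    return [buf.chomp("\r\n"), line != delimiter] if [delimiter, "#{delimiter}--"].include?(line)
    next if file
    size += chunk.bytesize
    raise FieldTooLarge, "non-file field exceeds #{cap} bytes" if size > cap
    buf << chunk
  end
  raise ArgumentError, 'unterminated multipart body'
end

# Returns {name => value} for the non-file fields of +body+, raising
# FieldTooLarge as soon as any non-file field exceeds +cap+ bytes.
def parse_fields(body, boundary, cap: NONFILE_CAP)
  io = StringIO.new(body)
  delimiter = "--#{boundary}"
  loop do # skip any preamble up to the first delimiter line
    pre = io.gets("\r\n", READ_LIMIT) or raise ArgumentError, 'no opening delimiter'
    break if pre.chomp("\r\n") == delimiter
  end
  fields = {}
  loop do
    headers = {}
    while (h = io.gets("\r\n", READ_LIMIT)) && h != "\r\n"
      k, v = h.chomp("\r\n").split(':', 2)
      headers[k.to_s.downcase] = v.to_s.strip
    end
    break if h.nil?
    disposition = headers['content-disposition'].to_s
    file = disposition.include?('filename=')
    value, closing = read_part_body(io, delimiter, cap: cap, file: file)
    fields[disposition[/\bname="([^"]*)"/, 1]] = value unless file
    break if closing
  end
  fields
end
```

The bounded reads are the point: the cap only helps if the check runs before the whole value is materialised, which is exactly what the affected versions did not do.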
Affected Systems and Versions
- Rack versions prior to 2.2.19
- Rack versions prior to 3.1.17
- Rack versions prior to 3.2.2
All Rack applications that process multipart form submissions are affected. This includes applications built on Ruby on Rails, Sinatra, Hanami, and any other framework using Rack for HTTP request handling.
Vendor Security History
Rack has experienced multiple resource exhaustion and denial of service vulnerabilities in recent years, including issues in its multipart and query parsers. The project has a track record of coordinated patch releases and public security advisories. Previous issues include:
- CVE-2025-46727: Unbounded parameter parsing in Rack::QueryParser
- CVE-2025-49007: ReDoS in Rack::Multipart
- CVE-2022-30122: DoS in multipart parsing
The Rack team typically responds with timely patches and clear upgrade guidance.