Rack Multipart Parser Memory Exhaustion: Brief Summary of CVE-2025-61772

A brief summary of CVE-2025-61772, a memory exhaustion vulnerability in Rack's Multipart Parser affecting versions before 2.2.19, 3.1.17, and 3.2.2. This post outlines the technical root cause, affected versions, and vendor security history based on available public sources.
CVE Analysis

ZeroPath CVE Analysis

2025-10-07

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

A single malformed upload can take down a Ruby web application by exhausting its memory. CVE-2025-61772 is a flaw in how Rack, the interface layer between Ruby web servers and web frameworks, processes multipart form data: a remote attacker can exhaust server memory simply by sending multipart requests whose part headers are never terminated, and any application that relies on the vulnerable parser is exposed.

Technical Information

CVE-2025-61772 is rooted in the Rack::Multipart::Parser class, which parses multipart/form-data request bodies. In the multipart format, each part's header block ends with an empty line, i.e. the byte sequence CRLFCRLF (\r\n\r\n), after which the part's body begins. Affected versions accumulate header bytes in memory until that terminator is seen. If a part's headers never end with the blank line, the parser keeps appending incoming bytes to its header buffer with no upper bound.

A remote attacker can therefore craft a multipart request in which one or more parts have headers that never terminate with CRLFCRLF. The parser treats every byte that follows as header data, so memory use grows with the size of the request body. The attack works with a single very large request or with many concurrent requests, depending on the request size limits and concurrency settings of the server and of any reverse proxy in front of it; a body-size limit at the proxy bounds what one request can buffer but does not stop an attacker from sending many such requests in parallel. The outcome is process termination from an out-of-memory (OOM) condition, or severe slowdown from memory pressure and garbage collection.

The root cause is the absence of a maximum header size check in the header accumulation logic. The fixed versions cap the size of a part's header block (a per-part limit such as 64 KiB) and reject input that exceeds it, so malformed input can no longer drive unbounded memory consumption.
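To make the accumulation behaviour concrete, here is an added Ruby example that is not Rack's code and not taken from the advisory: a deliberately simplified part-header reader in the shape the paragraphs above describe, in its unbounded form beside a capped form, driven by a constructed part whose header lines never end in a blank line. The chunked read loop, the 64 KiB cap and every name in it (MAX_HEADER_LENGTH, HeaderTooLarge, the reader functions) are this example's own assumptions, not Rack's internals.

```ruby
require 'stringio'

# Assumed per-part cap for the hardened reader; the post cites a limit
# "such as 64 KiB". The constant name is this example's, not Rack's.
MAX_HEADER_LENGTH = 64 * 1024
HEADER_TERMINATOR = "\r\n\r\n".b

class HeaderTooLarge < StandardError; end

# Locates CRLFCRLF in buf, scanning only the bytes that could contain a
# match overlapping the most recently appended chunk.
def terminator_index(buf, appended_bytes)
  start = [buf.bytesize - appended_bytes - (HEADER_TERMINATOR.bytesize - 1), 0].max
  buf.index(HEADER_TERMINATOR, start)
end

# Vulnerable shape: keep appending chunks until the terminator shows up.
# Returns [:ok, header_block] on success or [:incomplete, bytes_buffered]
# at EOF. For a stream with no terminator, bytes_buffered is the whole stream.
def read_part_headers_unbounded(io, chunk_size: 4096)
  buf = "".b
  while (chunk = io.read(chunk_size))
    buf << chunk
    if (idx = terminator_index(buf, chunk.bytesize))
      return [:ok, buf.byteslice(0, idx)]
    end
  end
  [:incomplete, buf.bytesize]
end

# Hardened shape: identical loop, but refuses to hold more than `max` bytes
# of header data, so a never-terminating header is rejected after ~64 KiB.
def read_part_headers_bounded(io, chunk_size: 4096, max: MAX_HEADER_LENGTH)
  buf = "".b
  while (chunk = io.read(chunk_size))
    buf << chunk
    if (idx = terminator_index(buf, chunk.bytesize))
      raise HeaderTooLarge, "header block is #{idx} bytes (max #{max})" if idx > max
      return [:ok, buf.byteslice(0, idx)]
    end
    raise HeaderTooLarge, "no header terminator within #{max} bytes" if buf.bytesize > max
  end
  [:incomplete, buf.bytesize]
end

# Constructed attacker input: header lines that never end in a blank line,
# padded to at least `bytes` bytes. Adjacent lines meet as "\r\nX", never CRLFCRLF.
def malformed_part_headers(bytes)
  line = "X-Filler: #{'A' * 998}\r\n".b
  line * (bytes / line.bytesize + 1)
end

# Feeds the same never-terminating stream to both readers and reports what
# each one did with it.
def compare_readers(total_bytes)
  body = malformed_part_headers(total_bytes)
  unbounded = read_part_headers_unbounded(StringIO.new(body))
  bounded = begin
    read_part_headers_bounded(StringIO.new(body))
  rescue HeaderTooLarge => e
    [:rejected, e.message]
  end
  { stream_bytes: body.bytesize, unbounded: unbounded, bounded: bounded }
end

if __FILE__ == $0
  r = compare_readers(8 * 1024 * 1024)   # 8 MiB of headers with no blank line
  puts "stream:    #{r[:stream_bytes]} bytes"
  puts "unbounded: #{r[:unbounded].inspect}"   # holds the whole stream
  puts "bounded:   #{r[:bounded].inspect}"     # rejected at the cap
end
```

Running it with an 8 MiB never-terminating header shows the unbounded reader holding the entire stream, while the capped reader stops after roughly 64 KiB plus one chunk. The cap has to be checked on every iteration rather than only once a terminator is found, because in the attack the terminator is exactly what never arrives; the capped reader also rejects a header block that does terminate but is larger than the limit.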

Affected Systems and Versions

  • Rack versions prior to 2.2.19
  • Rack versions prior to 3.1.17
  • Rack versions prior to 3.2.2

Any Ruby web application that parses multipart bodies with one of these Rack versions is affected. The web framework in use (Rails, Sinatra, etc.) makes no difference, since these frameworks delegate multipart parsing to Rack.
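To decide whether an installed Rack falls in the affected range, the following Ruby check is an added example, not part of Rack or of this post's sources. It encodes the fixed releases named above (2.2.19, 3.1.17, 3.2.2), treats an older release series with no fix listed here (for example 3.0.x) as affected, and reads the pinned version out of Gemfile.lock text; the sample lockfile is constructed for the example and the function and constant names are this example's own.

```ruby
require 'rubygems'

# Fixed releases named in the advisory, keyed by major.minor series.
FIXED_RACK_VERSIONS = {
  "2.2" => Gem::Version.new("2.2.19"),
  "3.1" => Gem::Version.new("3.1.17"),
  "3.2" => Gem::Version.new("3.2.2"),
}.freeze
NEWEST_FIXED_SERIES = Gem::Version.new("3.2")

# True when `version_string` is inside the range the advisory describes.
# Assumption: a series no newer than 3.2 with no entry in the table
# (2.0.x, 2.1.x, 3.0.x) has no patched release and so counts as affected;
# anything newer than the 3.2 series is not affected.
def rack_version_affected?(version_string)
  v = Gem::Version.new(version_string)
  series = v.segments.first(2).join(".")
  if (fixed = FIXED_RACK_VERSIONS[series])
    v < fixed
  else
    Gem::Version.new(series) <= NEWEST_FIXED_SERIES
  end
end

# Pulls the resolved rack version out of Gemfile.lock text. Resolved gems sit
# under "specs:" with four spaces of indent; their dependency lines are
# indented six, and names such as rack-test must not match, hence "rack (".
def rack_version_from_lockfile(lock_text)
  m = lock_text.match(/^ {4}rack \((\d[^)]*)\)/)
  m && m[1]
end

# nil when the lockfile pins no rack at all, otherwise true/false.
def lockfile_affected?(lock_text)
  version = rack_version_from_lockfile(lock_text)
  return nil if version.nil?
  rack_version_affected?(version)
end

# Constructed sample lockfile for this example, not from a real project.
SAMPLE_GEMFILE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (3.1.16)
      rack-session (2.1.1)
        base64 (>= 0.1.0)
        rack (>= 3.0.0)
      rack-test (2.2.0)
        rack (>= 1.3)
LOCK

if __FILE__ == $0
  puts "rack #{rack_version_from_lockfile(SAMPLE_GEMFILE_LOCK)} affected? " \
       "#{lockfile_affected?(SAMPLE_GEMFILE_LOCK)}"
end
```

For a running process the same decision can be made against the loaded library with rack_version_affected?(Rack.release); reading Gemfile.lock instead lets the check run across many repositories without installing their bundles. Note that the check only answers whether the version predates the fix; it says nothing about whether a reverse proxy or framework setting in front of the application limits request bodies.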

Vendor Security History

Rack is a foundational Ruby library that enables interoperability between Ruby web servers and frameworks. The project has a history of addressing denial of service and resource exhaustion vulnerabilities, particularly in multipart and parameter parsing. Recent advisories have included:

  • Multiple DoS vulnerabilities in multipart and query parsing
  • Regular expression DoS (ReDoS) issues
  • Resource exhaustion flaws (CWE-400)

The Rack maintainers have established a security policy and typically provide patches for the current and previous major-minor release series. Security advisories and patches are published on the project's GitHub repository.
