Introduction
A single oversized POST request can crash a Ruby web application if it relies on an outdated version of Rack. This risk is not theoretical: CVE-2025-61919 exposes a memory exhaustion flaw in Rack's form body parsing, with direct consequences for Rails, Sinatra, and Hanami deployments. Rack is the de facto Ruby web server interface, powering millions of web applications and APIs worldwide. Its role as the glue between Ruby frameworks and HTTP servers means that vulnerabilities in Rack have broad, ecosystem-wide impact.
Technical Information
CVE-2025-61919 is a resource exhaustion vulnerability in Rack, specifically affecting the handling of application/x-www-form-urlencoded POST bodies. In vulnerable versions, the Rack::Request#POST method reads the entire request body into memory by calling rack.input.read(nil) without any length restriction or cap. This means that if an attacker submits a POST request with a very large body, Rack will attempt to buffer the whole payload in process memory before parsing it. This can lead to denial of service as the Ruby process consumes all available memory, potentially crashing the application or the entire server. The vulnerability is triggered before any form parameter validation or application-level logic, so input validation in the application code does not mitigate the issue.
The root cause is the absence of a bytesize limit when reading the request body for form-encoded data. The patched versions of Rack (2.2.20, 3.1.18, and 3.2.3) address this by enforcing a limit using query_parser.bytesize_limit. If the request body exceeds this limit, Rack raises an error and does not buffer the entire body, preventing memory exhaustion. This issue is classified under CWE-400 (Uncontrolled Resource Consumption).
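The following Ruby snippet is an added illustration, not Rack's own code, of the difference between the unbounded read described above and a bounded, chunked read of the kind the patch introduces. The names read_form_body_unbounded, read_form_body_bounded, content_length_within?, FormBodyTooLarge and DEFAULT_BYTESIZE_LIMIT are this example's own; the 4 MiB default is an assumed value and the sample bodies are constructed for the demo.

```ruby
require "stringio"
require "uri"

# Added example (not Rack's own code). Contrasts the unbounded read that
# CVE-2025-61919 describes with a bounded, chunked read. All names here are
# this example's own, not Rack's API.

class FormBodyTooLarge < StandardError; end

# Illustrative cap (assumed value); Rack's real limit lives in its query parser.
DEFAULT_BYTESIZE_LIMIT = 4 * 1024 * 1024

# Vulnerable pattern: read(nil) slurps the whole body into memory before any
# parsing happens, so peak memory is decided by the client, not the server.
def read_form_body_unbounded(input)
  input.read(nil)
end

# Cheap pre-check: a declared Content-Length above the limit can be refused
# before a single byte is read. Not sufficient on its own, because a chunked
# request carries no Content-Length, so the bounded read below is still needed.
def content_length_within?(env, limit: DEFAULT_BYTESIZE_LIMIT)
  declared = env["CONTENT_LENGTH"]
  declared.nil? || declared.to_i <= limit
end

# Hardened pattern: read in fixed-size chunks and stop as soon as the
# accumulated size crosses the limit. A hostile body therefore costs at most
# limit + chunk bytes of memory, and the remainder is never read at all.
def read_form_body_bounded(input, limit: DEFAULT_BYTESIZE_LIMIT, chunk: 64 * 1024)
  buffer = +""
  while (part = input.read(chunk))
    buffer << part
    raise FormBodyTooLarge, "form body exceeds #{limit} bytes" if buffer.bytesize > limit
  end
  buffer
end

# Stand-in for the parsing step that runs only after the read has completed;
# for an oversized body this point is never reached.
def parse_form(body)
  URI.decode_www_form(body).to_h
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample body within the limit.
  small = StringIO.new("user=alice&action=login")
  p parse_form(read_form_body_bounded(small))

  # Constructed oversized body, checked against a deliberately tiny limit.
  big = StringIO.new("x" * 100)
  begin
    read_form_body_bounded(big, limit: 50, chunk: 16)
  rescue FormBodyTooLarge => e
    puts "rejected: #{e.message}"
  end
end
```

The bounded reader raises after the fourth 16-byte chunk in the demo, so the remaining bytes of the hostile body are never pulled into the process; that early exit, rather than any later validation of the parsed parameters, is what removes the memory exhaustion.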
Affected Systems and Versions
CVE-2025-61919 affects Rack versions prior to 2.2.20, 3.1.18, and 3.2.3. Any Ruby web application or API using these versions (or earlier) is vulnerable if it processes application/x-www-form-urlencoded POST requests. This includes default configurations of Rails, Sinatra, Hanami, and other Rack-based frameworks. The vulnerability is present regardless of deployment environment (bare metal, virtual machines, containers, or PaaS) if the affected Rack version is in use.
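As an added check that is not part of the advisory or the Rack project, the Ruby below decides whether a Rack version string falls inside the affected range listed above, and pulls the pinned version out of a Gemfile.lock. The mapping of versions to the three fixed releases (a version on the 2.2, 3.1 or 3.2 line is compared with that line's fix; any other line is affected if it is older than 3.2.3) is this example's reasoning; the function names and the lockfile excerpt are constructed for the demo.

```ruby
require "rubygems"

# Added example (not from the advisory or the Rack project). Checks a Rack
# version against the fixed releases the advisory names: 2.2.20, 3.1.18, 3.2.3.
FIXED_RACK_VERSIONS = %w[2.2.20 3.1.18 3.2.3].map { |v| Gem::Version.new(v) }.freeze

# True when the given version is older than the fix for its release line.
def rack_version_vulnerable?(version_string)
  v = Gem::Version.new(version_string)
  line = v.segments.first(2)
  fixed = FIXED_RACK_VERSIONS.find { |f| f.segments.first(2) == line }
  if fixed
    v < fixed
  else
    # Lines without a listed fix (e.g. 3.0.x, 2.1.x, 1.x) are "prior to" the
    # fixes and therefore affected; anything newer than 3.2.3 is not.
    v < FIXED_RACK_VERSIONS.max
  end
end

# Extracts the pinned rack version from Gemfile.lock text. Bundler lists
# resolved gems under "specs:" indented by four spaces, so the pattern is
# anchored to that indentation to avoid matching dependency lines.
def rack_version_from_lockfile(lockfile_text)
  match = lockfile_text.match(/^ {4}rack \(([^)]+)\)$/)
  match && match[1]
end

# Checks the Rack gem loaded in the current Ruby process, if any.
def installed_rack_vulnerable?
  spec = Gem.loaded_specs["rack"]
  spec ? rack_version_vulnerable?(spec.version.to_s) : nil
end

# Constructed Gemfile.lock excerpt (not from any real project).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (3.1.17)
      rack-session (2.0.0)
        rack (>= 3.0.0)
LOCK

if __FILE__ == $PROGRAM_NAME
  pinned = rack_version_from_lockfile(SAMPLE_LOCKFILE)
  puts "lockfile pins rack #{pinned}: #{rack_version_vulnerable?(pinned) ? 'affected' : 'not affected'}"
  %w[2.2.19 2.2.20 3.0.9 3.1.18 3.2.2 3.3.0].each do |ver|
    puts "rack #{ver}: #{rack_version_vulnerable?(ver) ? 'affected' : 'not affected'}"
  end
end
```

Run it inside an application's bundle (bundle exec ruby) to have installed_rack_vulnerable? report on the Rack actually loaded; for fleet-wide triage, feed each repository's Gemfile.lock to rack_version_from_lockfile instead.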
Vendor Security History
Rack has a history of resource exhaustion and parsing vulnerabilities. Notable related issues include CVE-2025-46727 (unbounded parameter parsing) and CVE-2025-61772 (multipart header parsing). The Rack maintainers have consistently issued coordinated advisories and timely patches for these vulnerabilities. However, the recurrence of parsing-related flaws highlights the ongoing challenge of securely handling HTTP input in foundational libraries.