Rack CVE-2025-61919: Memory Exhaustion via Unbounded Form Body Parsing – Brief Summary

This post provides a technically precise summary of CVE-2025-61919, a memory exhaustion vulnerability in Rack's form body parsing (affecting versions prior to 2.2.20, 3.1.18, and 3.2.3). It covers the vulnerability mechanism, affected versions, and Rack's security history, with references to advisories and official sources.
CVE Analysis

8 min read

ZeroPath CVE Analysis

2025-10-10

Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

Introduction

A single oversized POST request can crash a Ruby web application if it relies on an outdated version of Rack. This risk is not theoretical: CVE-2025-61919 exposes a memory exhaustion flaw in Rack's form body parsing, with direct consequences for Rails, Sinatra, and Hanami deployments. Rack is the de facto Ruby web server interface, powering millions of web applications and APIs worldwide. Its role as the glue between Ruby frameworks and HTTP servers means that vulnerabilities in Rack have broad, ecosystem-wide impact.

Technical Information

CVE-2025-61919 is a resource exhaustion vulnerability in Rack, specifically affecting the handling of application/x-www-form-urlencoded POST bodies. In vulnerable versions, the Rack::Request#POST method reads the entire request body into memory by calling rack.input.read(nil) without any length restriction or cap. This means that if an attacker submits a POST request with a very large body, Rack will attempt to buffer the whole payload in process memory before parsing it. This can lead to denial of service as the Ruby process consumes all available memory, potentially crashing the application or the entire server. The vulnerability is triggered before any form parameter validation or application-level logic, so input validation in the application code does not mitigate the issue.

The root cause is the absence of a bytesize limit when reading the request body for form-encoded data. The patched versions of Rack (2.2.20, 3.1.18, and 3.2.3) address this by enforcing a limit using query_parser.bytesize_limit. If the request body exceeds this limit, Rack raises an error and does not buffer the entire body, preventing memory exhaustion. This issue is classified under CWE-400 (Uncontrolled Resource Consumption).
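To make the mechanism concrete, the following Ruby example (added here, not Rack's own code) contrasts an unbounded read of a form body with a chunked read that stops as soon as a byte-size cap is exceeded. The names `parse_form_unbounded`, `parse_form_bounded` and `BodyTooLarge`, and the sample bodies, are constructed for illustration.

```ruby
require "stringio"
require "uri"

# Raised when a form body exceeds the configured cap.
class BodyTooLarge < StandardError; end

# Vulnerable pattern: buffer the whole body before parsing. The amount of
# memory used is entirely controlled by the client that sent the request.
def parse_form_unbounded(input)
  body = input.read(nil) || ""          # no cap on the number of bytes read
  URI.decode_www_form(body).to_h
end

# Hardened pattern: read in chunks and abort once `limit` bytes are exceeded.
# At most `limit` + 1 bytes are ever buffered, regardless of the body size
# (and regardless of whether a Content-Length header was sent).
def parse_form_bounded(input, limit:, chunk_size: 8192)
  buffer = +""
  loop do
    # Never ask for more than one byte past the cap, so the first byte over
    # the limit is detected without buffering a full extra chunk.
    want = [chunk_size, limit - buffer.bytesize + 1].min
    chunk = input.read(want)
    break if chunk.nil? || chunk.empty?  # EOF
    buffer << chunk
    raise BodyTooLarge, "form body exceeds #{limit} bytes" if buffer.bytesize > limit
  end
  URI.decode_www_form(buffer).to_h
end

if $PROGRAM_NAME == __FILE__
  # Constructed sample bodies: a normal form post and an oversized one.
  small = "user=alice&action=login"
  large = "pad=" + ("x" * 1_000_000)

  p parse_form_bounded(StringIO.new(small), limit: 4096)
  begin
    parse_form_bounded(StringIO.new(large), limit: 4096)
  rescue BodyTooLarge => e
    puts "rejected: #{e.message}"       # only ~4 KiB were buffered, not 1 MB
  end
end
```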

Affected Systems and Versions

CVE-2025-61919 affects Rack versions prior to 2.2.20, 3.1.18, and 3.2.3. Any Ruby web application or API running an affected version is vulnerable if it processes application/x-www-form-urlencoded POST requests. This includes default configurations of Rails, Sinatra, Hanami, and other Rack-based frameworks. The vulnerability is present regardless of deployment environment (bare metal, virtual machines, containers, or PaaS) if an affected Rack version is in use.

Vendor Security History

Rack has a history of resource exhaustion and parsing vulnerabilities. Notable related issues include CVE-2025-46727 (unbounded parameter parsing) and CVE-2025-61772 (multipart header parsing). The Rack maintainers have consistently issued coordinated advisories and timely patches for these vulnerabilities. However, the recurrence of parsing-related flaws highlights the ongoing challenge of securely handling HTTP input in foundational libraries.
