CVE-2025-59830

by Fred · 25/09/2025

Rack is a modular Ruby web server interface. Prior to version 2.2.18, Rack::QueryParser enforces its params_limit only for parameters separated by &, while still splitting on both & and ;. As a result, attackers could use ; separators to bypass the parameter count limit and submit more parameters than intended. Applications or middleware that directly invoke Rack::QueryParser with its default configuration (no explicit delimiter) could be exposed to increased CPU and memory consumption. This can be abused as a limited denial-of-service vector. This issue has been patched in version 2.2.18.

More information : https://github.com/rack/rack/commit/54e4ffdd5affebcb0c015cc6ae74635c0831ed71

CVE-2025-59830

Similar

Recent Posts

Categories

CVE-2025-59830

Share this:

Similar

Recent Posts

Categories

Tags