Action not permitted
Modal body text goes here.
Modal Title
Modal Body
Vulnerability from cleanstart
Published
2026-04-09 01:01
Modified
2026-04-08 08:04
Summary
Ruby JSON is a JSON implementation for Ruby
Details
Multiple security vulnerabilities affect the logstash-fips package. Ruby JSON is a JSON implementation for Ruby. See references for individual vulnerability details.
Severity
9.8 (Critical)
References
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "logstash-fips"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.2.6-r2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the logstash-fips package. Ruby JSON is a JSON implementation for Ruby. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-GE08280",
"modified": "2026-04-08T08:04:46Z",
"published": "2026-04-09T01:01:38.909372Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-GE08280.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2024-45993"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-31344"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-48924"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-61726"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-61728"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-61770"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-61771"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-61772"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-61919"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-67130"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-68121"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-68161"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25500"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33210"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-22h5-pq3x-2gf2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2xgq-q749-89fq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-3m6g-2423-7cp3"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-4cx2-fc23-5wg6"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-6xw4-3v39-52mm"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-72qj-48g4-5xgx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-c2f4-jgmc-q2r5"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-gh9q-2xrm-x6qv"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-j288-q9x7-2f5v"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-j4pr-3wm6-xx2r"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-mhwm-jh88-3gjf"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-mr3q-g2mv-mr4q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-mxw3-3hh2-x2mh"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-p543-xpfm-54cp"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-vc5p-v9hr-52mj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-vqg5-3255-v292"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-w9pc-fmgc-vxvw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-whrj-4476-wvmp"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-wpv5-97wm-hp9c"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-45993"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-31344"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48924"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61726"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61728"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61770"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61771"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61772"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61919"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67130"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68121"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68161"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25500"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33210"
}
],
"related": [],
"schema_version": "1.7.3",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Ruby JSON is a JSON implementation for Ruby",
"upstream": [
"CVE-2024-45993",
"CVE-2025-31344",
"CVE-2025-48924",
"CVE-2025-61726",
"CVE-2025-61728",
"CVE-2025-61770",
"CVE-2025-61771",
"CVE-2025-61772",
"CVE-2025-61919",
"CVE-2025-67130",
"CVE-2025-68121",
"CVE-2025-68161",
"CVE-2026-25500",
"CVE-2026-33210",
"ghsa-22h5-pq3x-2gf2",
"ghsa-2xgq-q749-89fq",
"ghsa-3m6g-2423-7cp3",
"ghsa-4cx2-fc23-5wg6",
"ghsa-6xw4-3v39-52mm",
"ghsa-72qj-48g4-5xgx",
"ghsa-c2f4-jgmc-q2r5",
"ghsa-gh9q-2xrm-x6qv",
"ghsa-j288-q9x7-2f5v",
"ghsa-j4pr-3wm6-xx2r",
"ghsa-mhwm-jh88-3gjf",
"ghsa-mr3q-g2mv-mr4q",
"ghsa-mxw3-3hh2-x2mh",
"ghsa-p543-xpfm-54cp",
"ghsa-vc5p-v9hr-52mj",
"ghsa-vqg5-3255-v292",
"ghsa-w9pc-fmgc-vxvw",
"ghsa-whrj-4476-wvmp",
"ghsa-wpv5-97wm-hp9c"
]
}
CVE-2025-48924 (GCVE-0-2025-48924)
Vulnerability from cvelistv5 – Published: 2025-07-11 14:56 – Updated: 2025-11-04 22:06
VLAI?
EPSS
Title
Apache Commons Lang, Apache Commons Lang: ClassUtils.getClass(...) can throw a StackOverflowError on very long inputs
Summary
Uncontrolled Recursion vulnerability in Apache Commons Lang.
This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.
The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a
StackOverflowError could cause an application to stop.
Users are recommended to upgrade to version 3.18.0, which fixes the issue.
Severity ?
No CVSS data available.
CWE
- CWE-674 - Uncontrolled Recursion
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
| Vendor | Product | Version | |||||||
|---|---|---|---|---|---|---|---|---|---|
| Apache Software Foundation | Apache Commons Lang |
Affected:
2.0 , ≤ 2.6
(maven)
|
|||||||
|
|||||||||
Credits
OSS-Fuzz Issue 42522972
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-48924",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-07-14T16:36:59.432024Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-07-14T16:37:02.057Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2025-11-04T22:06:40.023Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00032.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00026.html"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00000.html"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/07/11/1"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00036.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unknown",
"packageName": "commons-lang:commons-lang",
"product": "Apache Commons Lang",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThanOrEqual": "2.6",
"status": "affected",
"version": "2.0",
"versionType": "maven"
}
]
},
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"defaultStatus": "unaffected",
"packageName": "org.apache.commons:commons-lang3",
"product": "Apache Commons Lang",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "3.18.0",
"status": "affected",
"version": "3.0",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "OSS-Fuzz Issue 42522972"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eUncontrolled Recursion vulnerability in Apache Commons Lang.\u003c/p\u003e\u003cp\u003eThis issue affects Apache Commons Lang: Starting with\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ecommons-lang:commons-lang\u0026nbsp;\u003c/span\u003e2.0 to 2.6, and, from org.apache.\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ecommons:commons-lang3 3.0 before\u0026nbsp;\u003c/span\u003e3.18.0.\u003c/p\u003e\u003cp\u003eThe methods ClassUtils.getClass(...) can throw\u0026nbsp;StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \nStackOverflowError could\u0026nbsp;cause an application to stop.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 3.18.0, which fixes the issue.\u003c/p\u003e"
}
],
"value": "Uncontrolled Recursion vulnerability in Apache Commons Lang.\n\nThis issue affects Apache Commons Lang: Starting with\u00a0commons-lang:commons-lang\u00a02.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before\u00a03.18.0.\n\nThe methods ClassUtils.getClass(...) can throw\u00a0StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a \nStackOverflowError could\u00a0cause an application to stop.\n\nUsers are recommended to upgrade to version 3.18.0, which fixes the issue."
}
],
"metrics": [
{
"other": {
"content": {
"text": "low"
},
"type": "Textual description of severity"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-674",
"description": "CWE-674 Uncontrolled Recursion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-07-11T14:56:58.049Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Apache Commons Lang, Apache Commons Lang: ClassUtils.getClass(...) can throw a StackOverflowError on very long inputs",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-48924",
"datePublished": "2025-07-11T14:56:58.049Z",
"dateReserved": "2025-05-28T15:06:51.476Z",
"dateUpdated": "2025-11-04T22:06:40.023Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-61726 (GCVE-0-2025-61726)
Vulnerability from cvelistv5 – Published: 2026-01-28 19:30 – Updated: 2026-01-29 18:31
VLAI?
EPSS
Title
Memory exhaustion in query parameter parsing in net/url
Summary
The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption.
Severity ?
7.5 (High)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go standard library | net/url |
Affected:
0 , < 1.24.12
(semver)
Affected: 1.25.0 , < 1.25.6 (semver) |
Credits
jub0bs
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-61726",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-29T18:31:39.150633Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-29T18:31:59.685Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "net/url",
"product": "net/url",
"programRoutines": [
{
"name": "parseQuery"
},
{
"name": "ParseQuery"
},
{
"name": "URL.Query"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.24.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.25.6",
"status": "affected",
"version": "1.25.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "jub0bs"
}
],
"descriptions": [
{
"lang": "en",
"value": "The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T19:30:31.215Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/736712"
},
{
"url": "https://go.dev/issue/77101"
},
{
"url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4341"
}
],
"title": "Memory exhaustion in query parameter parsing in net/url"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2025-61726",
"datePublished": "2026-01-28T19:30:31.215Z",
"dateReserved": "2025-09-30T15:05:03.605Z",
"dateUpdated": "2026-01-29T18:31:59.685Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-61770 (GCVE-0-2025-61770)
Vulnerability from cvelistv5 – Published: 2025-10-07 14:30 – Updated: 2025-10-07 15:43
VLAI?
EPSS
Title
Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion)
Summary
Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` buffers the entire multipart preamble (bytes before the first boundary) in memory without any size limit. A client can send a large preamble followed by a valid boundary, causing significant memory use and potential process termination due to out-of-memory (OOM) conditions. Remote attackers can trigger large transient memory spikes by including a long preamble in multipart/form-data requests. The impact scales with allowed request sizes and concurrency, potentially causing worker crashes or severe slowdown due to garbage collection. Versions 2.2.19, 3.1.17, and 3.2.2 enforce a preamble size limit (e.g., 16 KiB) or discard preamble data entirely. Workarounds include limiting total request body size at the proxy or web server level and monitoring memory and set per-process limits to prevent OOM conditions.
Severity ?
7.5 (High)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61770",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-07T15:23:07.044511Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:43:06.827Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rack",
"vendor": "rack",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.19"
},
{
"status": "affected",
"version": "\u003e= 3.1, \u003c 3.1.17"
},
{
"status": "affected",
"version": "\u003e= 3.2, \u003c 3.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` buffers the entire multipart preamble (bytes before the first boundary) in memory without any size limit. A client can send a large preamble followed by a valid boundary, causing significant memory use and potential process termination due to out-of-memory (OOM) conditions. Remote attackers can trigger large transient memory spikes by including a long preamble in multipart/form-data requests. The impact scales with allowed request sizes and concurrency, potentially causing worker crashes or severe slowdown due to garbage collection. Versions 2.2.19, 3.1.17, and 3.2.2 enforce a preamble size limit (e.g., 16 KiB) or discard preamble data entirely. Workarounds include limiting total request body size at the proxy or web server level and monitoring memory and set per-process limits to prevent OOM conditions."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T14:42:04.268Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rack/rack/security/advisories/GHSA-p543-xpfm-54cp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rack/rack/security/advisories/GHSA-p543-xpfm-54cp"
},
{
"name": "https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e"
},
{
"name": "https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e"
},
{
"name": "https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd"
}
],
"source": {
"advisory": "GHSA-p543-xpfm-54cp",
"discovery": "UNKNOWN"
},
"title": "Rack\u0027s unbounded multipart preamble buffering enables DoS (memory exhaustion)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-61770",
"datePublished": "2025-10-07T14:30:04.552Z",
"dateReserved": "2025-09-30T19:43:49.900Z",
"dateUpdated": "2025-10-07T15:43:06.827Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2024-45993 (GCVE-0-2024-45993)
Vulnerability from cvelistv5 – Published: 2024-09-30 00:00 – Updated: 2024-09-30 18:41
VLAI?
EPSS
Summary
Giflib Project v5.2.2 is vulnerable to a heap buffer overflow via gif2rgb.
Severity ?
6.5 (Medium)
CWE
- n/a
Assigner
References
{
"containers": {
"adp": [
{
"affected": [
{
"cpes": [
"cpe:2.3:a:giflib_project:giflib:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unknown",
"product": "giflib",
"vendor": "giflib_project",
"versions": [
{
"status": "affected",
"version": "5.2.2"
}
]
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2024-45993",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2024-09-30T18:38:19.787557Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-30T18:41:36.515Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n/a",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "n/a"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Giflib Project v5.2.2 is vulnerable to a heap buffer overflow via gif2rgb."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "n/a",
"lang": "en",
"type": "text"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-09-30T16:44:24.571Z",
"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"shortName": "mitre"
},
"references": [
{
"url": "http://giflib.com"
},
{
"url": "https://gitlab.com/mthandazo/project-pov"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca",
"assignerShortName": "mitre",
"cveId": "CVE-2024-45993",
"datePublished": "2024-09-30T00:00:00.000Z",
"dateReserved": "2024-09-11T00:00:00.000Z",
"dateUpdated": "2024-09-30T18:41:36.515Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-61919 (GCVE-0-2025-61919)
Vulnerability from cvelistv5 – Published: 2025-10-10 19:22 – Updated: 2025-10-10 20:48
VLAI?
EPSS
Title
Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing
Summary
Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, `Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion. Users should upgrade to Rack version 2.2.20, 3.1.18, or 3.2.3, anu of which enforces form parameter limits using `query_parser.bytesize_limit`, preventing unbounded reads of `application/x-www-form-urlencoded` bodies. Additionally, enforce strict maximum body size at the proxy or web server layer (e.g., Nginx `client_max_body_size`, Apache `LimitRequestBody`).
Severity ?
7.5 (High)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61919",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-10T20:48:10.264464Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T20:48:20.240Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rack",
"vendor": "rack",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.20"
},
{
"status": "affected",
"version": "\u003e= 3.0, \u003c 3.1.18"
},
{
"status": "affected",
"version": "\u003e= 3.2, \u003c 3.2.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, `Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion. Users should upgrade to Rack version 2.2.20, 3.1.18, or 3.2.3, anu of which enforces form parameter limits using `query_parser.bytesize_limit`, preventing unbounded reads of `application/x-www-form-urlencoded` bodies. Additionally, enforce strict maximum body size at the proxy or web server layer (e.g., Nginx `client_max_body_size`, Apache `LimitRequestBody`)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-10T19:22:42.454Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rack/rack/security/advisories/GHSA-6xw4-3v39-52mm",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rack/rack/security/advisories/GHSA-6xw4-3v39-52mm"
},
{
"name": "https://github.com/rack/rack/commit/4e2c903991a790ee211a3021808ff4fd6fe82881",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rack/rack/commit/4e2c903991a790ee211a3021808ff4fd6fe82881"
},
{
"name": "https://github.com/rack/rack/commit/cbd541e8a3d0c5830a3c9a30d3718ce2e124f9db",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rack/rack/commit/cbd541e8a3d0c5830a3c9a30d3718ce2e124f9db"
},
{
"name": "https://github.com/rack/rack/commit/e179614c4a653283286f5f046428cbb85f21146f",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rack/rack/commit/e179614c4a653283286f5f046428cbb85f21146f"
}
],
"source": {
"advisory": "GHSA-6xw4-3v39-52mm",
"discovery": "UNKNOWN"
},
"title": "Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-61919",
"datePublished": "2025-10-10T19:22:42.454Z",
"dateReserved": "2025-10-03T22:21:59.615Z",
"dateUpdated": "2025-10-10T20:48:20.240Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-68161 (GCVE-0-2025-68161)
Vulnerability from cvelistv5 – Published: 2025-12-18 20:47 – Updated: 2026-04-10 16:18
VLAI?
EPSS
Title
Apache Log4j Core: Missing TLS hostname verification in Socket appender
Summary
The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName configuration attribute or the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName system property is set to true.
This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions:
* The attacker is able to intercept or redirect network traffic between the client and the log receiver.
* The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender’s configured trust store (or by the default Java trust store if no custom trust store is configured).
Users are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue.
As an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates.
Severity ?
CWE
- CWE-297 - Improper Validation of Certificate with Host Mismatch
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Apache Software Foundation | Apache Log4j Core |
Affected:
2.0-beta9 , < 2.25.3
(maven)
Affected: 3.0.0-alpha1 , ≤ 3.0.0-beta3 (maven) cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:* |
Credits
Samuli Leinonen
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-68161",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-12-18T21:34:24.735166Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-12-18T21:46:19.782Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
},
{
"providerMetadata": {
"dateUpdated": "2026-01-20T00:13:44.911Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/12/18/1"
},
{
"url": "https://lists.debian.org/debian-lts-announce/2026/01/msg00015.html"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://repo.maven.apache.org/maven2",
"cpes": [
"cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"packageName": "org.apache.logging.log4j:log4j-core",
"packageURL": "pkg:maven/org.apache.logging.log4j/log4j-core",
"product": "Apache Log4j Core",
"vendor": "Apache Software Foundation",
"versions": [
{
"lessThan": "2.25.3",
"status": "affected",
"version": "2.0-beta9",
"versionType": "maven"
},
{
"lessThanOrEqual": "3.0.0-beta3",
"status": "affected",
"version": "3.0.0-alpha1",
"versionType": "maven"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Samuli Leinonen"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "\u003cp\u003eThe Socket Appender in Apache Log4j Core versions \u003ccode\u003e2.0-beta9\u003c/code\u003e through \u003ccode\u003e2.25.2\u003c/code\u003e does not perform TLS hostname verification of the peer certificate, even when the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName\"\u003everifyHostName\u003c/a\u003e configuration attribute or the \u003ca target=\"_blank\" rel=\"nofollow\" href=\"https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName\"\u003elog4j2.sslVerifyHostName\u003c/a\u003e system property is set to \u003ccode\u003etrue\u003c/code\u003e.\u003c/p\u003e\u003cp\u003eThis issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions:\u003c/p\u003e\u003cul\u003e\u003cli\u003eThe attacker is able to intercept or redirect network traffic between the client and the log receiver.\u003c/li\u003e\u003cli\u003eThe attacker can present a server certificate issued by a certification authority trusted by the Socket Appender\u2019s configured \u003cstrong\u003etrust store\u003c/strong\u003e (or by the default Java trust store if no custom trust store is configured).\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eUsers are advised to upgrade to Apache Log4j Core version \u003ccode\u003e2.25.3\u003c/code\u003e, which addresses this issue.\u003c/p\u003e\u003cp\u003eAs an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates.\u003c/p\u003e"
}
],
"value": "The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName configuration attribute or the log4j2.sslVerifyHostName https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName system property is set to true.\n\nThis issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions:\n\n * The attacker is able to intercept or redirect network traffic between the client and the log receiver.\n * The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender\u2019s configured trust store (or by the default Java trust store if no custom trust store is configured).\n\n\nUsers are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue.\n\nAs an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates."
}
],
"metrics": [
{
"other": {
"content": {
"text": "moderate"
},
"type": "Textual description of severity"
}
},
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "HIGH",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-297",
"description": "CWE-297 Improper Validation of Certificate with Host Mismatch",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T16:18:50.424Z",
"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"shortName": "apache"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/apache/logging-log4j2/pull/4002"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://logging.apache.org/security.html#CVE-2025-68161"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://logging.apache.org/cyclonedx/vdr.xml"
},
{
"tags": [
"related"
],
"url": "https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName"
},
{
"tags": [
"related"
],
"url": "https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://lists.apache.org/thread/xr33kyxq3sl67lwb61ggvm1fzc8k7dvx"
}
],
"source": {
"discovery": "EXTERNAL"
},
"title": "Apache Log4j Core: Missing TLS hostname verification in Socket appender",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
"assignerShortName": "apache",
"cveId": "CVE-2025-68161",
"datePublished": "2025-12-18T20:47:49.123Z",
"dateReserved": "2025-12-16T11:30:53.875Z",
"dateUpdated": "2026-04-10T16:18:50.424Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-25500 (GCVE-0-2026-25500)
Vulnerability from cvelistv5 – Published: 2026-02-18 18:59 – Updated: 2026-02-18 19:42
VLAI?
EPSS
Title
Rack's Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href
Summary
Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename starts with the `javascript:` scheme (e.g. `javascript:alert(1)`), the generated index contains an anchor whose `href` is exactly `javascript:alert(1)`. Clicking the entry executes JavaScript in the browser (demonstrated with `alert(1)`). Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.
Severity ?
5.4 (Medium)
CWE
- CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Assigner
References
| URL | Tags | |||||||
|---|---|---|---|---|---|---|---|---|
|
||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25500",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-18T19:42:04.480536Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T19:42:35.101Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rack",
"vendor": "rack",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.22"
},
{
"status": "affected",
"version": "\u003e= 3.0.0.beta1, \u003c 3.1.20"
},
{
"status": "affected",
"version": "\u003e= 3.2.0, \u003c 3.2.5"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename starts with the `javascript:` scheme (e.g. `javascript:alert(1)`), the generated index contains an anchor whose `href` is exactly `javascript:alert(1)`. Clicking the entry executes JavaScript in the browser (demonstrated with `alert(1)`). Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.4,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "LOW",
"scope": "CHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "CWE-79: Improper Neutralization of Input During Web Page Generation (\u0027Cross-site Scripting\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-18T18:59:31.964Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp"
},
{
"name": "https://github.com/rack/rack/commit/f2f225f297b99fbee3d9f51255d41f601fc40aff",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rack/rack/commit/f2f225f297b99fbee3d9f51255d41f601fc40aff"
}
],
"source": {
"advisory": "GHSA-whrj-4476-wvmp",
"discovery": "UNKNOWN"
},
"title": "Rack\u0027s Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-25500",
"datePublished": "2026-02-18T18:59:31.964Z",
"dateReserved": "2026-02-02T18:21:42.485Z",
"dateUpdated": "2026-02-18T19:42:35.101Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-31344 (GCVE-0-2025-31344)
Vulnerability from cvelistv5 – Published: 2025-04-14 07:49 – Updated: 2025-04-14 13:39
VLAI?
EPSS
Title
The giflib open-source component has a buffer overflow vulnerability
Summary
Heap-based Buffer Overflow vulnerability in openEuler giflib on Linux. This vulnerability is associated with program files gif2rgb.C.
This issue affects giflib: through 5.2.2.
Severity ?
7.3 (High)
CWE
- CWE-122 - Heap-based Buffer Overflow
Assigner
References
Credits
Jiaxuan Song(m202372152@hust.edu.cn)
bale.cen (cenxianlong@huawei.com)
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2025-04-14T08:05:04.085Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2025/04/07/3"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/04/07/4"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/04/07/5"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/04/07/6"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/04/08/1"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/04/09/5"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/04/09/7"
},
{
"url": "http://www.openwall.com/lists/oss-security/2025/04/10/1"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-31344",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-04-14T13:36:32.164077Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-04-14T13:39:00.299Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://gitee.com/src-openeuler",
"defaultStatus": "unaffected",
"packageName": "giflib",
"platforms": [
"Linux"
],
"product": "giflib",
"programFiles": [
"gif2rgb.c"
],
"repo": "https://gitee.com/src-openeuler/giflib",
"vendor": "openEuler",
"versions": [
{
"changes": [
{
"at": "2c10c1abf8ff2e88b1da04e050bb721487b73fa3",
"status": "affected"
}
],
"lessThanOrEqual": "5.2.2",
"status": "affected",
"version": "0",
"versionType": "git"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Jiaxuan Song(m202372152@hust.edu.cn)"
},
{
"lang": "en",
"type": "finder",
"value": "bale.cen (cenxianlong@huawei.com)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Heap-based Buffer Overflow vulnerability in openEuler giflib on Linux.\u003cp\u003e This vulnerability is associated with program files \u003ctt\u003egif2rgb.C\u003c/tt\u003e.\u003c/p\u003e\u003cp\u003eThis issue affects giflib: through 5.2.2.\u003c/p\u003e"
}
],
"value": "Heap-based Buffer Overflow vulnerability in openEuler giflib on Linux. This vulnerability is associated with program files gif2rgb.C.\n\nThis issue affects giflib: through 5.2.2."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "CWE-122 Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-04-14T07:49:36.597Z",
"orgId": "7e1ac599-2767-43fa-b3ea-f10178cc98f2",
"shortName": "openEuler"
},
"references": [
{
"url": "https://www.openeuler.org/zh/security/security-bulletins/detail/?id=openEuler-SA-2025-1292"
},
{
"url": "https://gitee.com/src-openeuler/giflib/pulls/54"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "The giflib open-source component has a buffer overflow vulnerability",
"x_generator": {
"engine": "Vulnogram 0.1.0-dev"
}
}
},
"cveMetadata": {
"assignerOrgId": "7e1ac599-2767-43fa-b3ea-f10178cc98f2",
"assignerShortName": "openEuler",
"cveId": "CVE-2025-31344",
"datePublished": "2025-04-14T07:49:36.597Z",
"dateReserved": "2025-03-28T07:29:55.637Z",
"dateUpdated": "2025-04-14T13:39:00.299Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-68121 (GCVE-0-2025-68121)
Vulnerability from cvelistv5 – Published: 2026-02-05 17:48 – Updated: 2026-02-20 16:05
VLAI?
EPSS
Title
Unexpected session resumption in crypto/tls
Summary
During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake.
Severity ?
7.4 (High)
CWE
- CWE-295 - Improper Certificate Validation
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go standard library | crypto/tls |
Affected:
0 , < 1.24.13
(semver)
Affected: 1.25.0-0 , < 1.25.7 (semver) Affected: 1.26.0-rc.1 , < 1.26.0-rc.3 (semver) |
Credits
Coia Prant (github.com/rbqvq)
Go Security Team
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 7.4,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-68121",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-20T16:05:03.924102Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-295",
"description": "CWE-295 Improper Certificate Validation",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-20T16:05:07.679Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "crypto/tls",
"product": "crypto/tls",
"programRoutines": [
{
"name": "Conn.handshakeContext"
},
{
"name": "Conn.Handshake"
},
{
"name": "Conn.HandshakeContext"
},
{
"name": "Conn.Read"
},
{
"name": "Conn.Write"
},
{
"name": "Dial"
},
{
"name": "DialWithDialer"
},
{
"name": "Dialer.Dial"
},
{
"name": "Dialer.DialContext"
},
{
"name": "QUICConn.Start"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.24.13",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.25.7",
"status": "affected",
"version": "1.25.0-0",
"versionType": "semver"
},
{
"lessThan": "1.26.0-rc.3",
"status": "affected",
"version": "1.26.0-rc.1",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Coia Prant (github.com/rbqvq)"
},
{
"lang": "en",
"value": "Go Security Team"
}
],
"descriptions": [
{
"lang": "en",
"value": "During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-295: Improper Certificate Validation",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-02-05T17:48:44.141Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://groups.google.com/g/golang-announce/c/K09ubi9FQFk"
},
{
"url": "https://go.dev/cl/737700"
},
{
"url": "https://go.dev/issue/77217"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4337"
}
],
"title": "Unexpected session resumption in crypto/tls"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2025-68121",
"datePublished": "2026-02-05T17:48:44.141Z",
"dateReserved": "2025-12-15T16:48:04.451Z",
"dateUpdated": "2026-02-20T16:05:07.679Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-61728 (GCVE-0-2025-61728)
Vulnerability from cvelistv5 – Published: 2026-01-28 19:30 – Updated: 2026-01-29 18:30
VLAI?
EPSS
Title
Excessive CPU consumption when building archive index in archive/zip
Summary
archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive.
Severity ?
6.5 (Medium)
CWE
- CWE-407 - Inefficient Algorithmic Complexity
Assigner
References
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Go standard library | archive/zip |
Affected:
0 , < 1.24.12
(semver)
Affected: 1.25.0 , < 1.25.6 (semver) |
Credits
Jakub Ciolek
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2026-01-28T20:08:22.055Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"url": "http://www.openwall.com/lists/oss-security/2026/01/15/4"
}
],
"title": "CVE Program Container"
},
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "REQUIRED",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2025-61728",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-01-29T18:29:58.068724Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-01-29T18:30:24.487Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://pkg.go.dev",
"defaultStatus": "unaffected",
"packageName": "archive/zip",
"product": "archive/zip",
"programRoutines": [
{
"name": "Reader.initFileList"
},
{
"name": "Reader.Open"
}
],
"vendor": "Go standard library",
"versions": [
{
"lessThan": "1.24.12",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThan": "1.25.6",
"status": "affected",
"version": "1.25.0",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"value": "Jakub Ciolek"
}
],
"descriptions": [
{
"lang": "en",
"value": "archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive."
}
],
"problemTypes": [
{
"descriptions": [
{
"description": "CWE-407: Inefficient Algorithmic Complexity",
"lang": "en"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-01-28T19:30:31.354Z",
"orgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"shortName": "Go"
},
"references": [
{
"url": "https://go.dev/cl/736713"
},
{
"url": "https://go.dev/issue/77102"
},
{
"url": "https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc"
},
{
"url": "https://pkg.go.dev/vuln/GO-2026-4342"
}
],
"title": "Excessive CPU consumption when building archive index in archive/zip"
}
},
"cveMetadata": {
"assignerOrgId": "1bb62c36-49e3-4200-9d77-64a1400537cc",
"assignerShortName": "Go",
"cveId": "CVE-2025-61728",
"datePublished": "2026-01-28T19:30:31.354Z",
"dateReserved": "2025-09-30T15:05:03.605Z",
"dateUpdated": "2026-01-29T18:30:24.487Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2025-61771 (GCVE-0-2025-61771)
Vulnerability from cvelistv5 – Published: 2025-10-07 14:42 – Updated: 2025-10-07 17:52
VLAI?
EPSS
Title
Rack's multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
Summary
Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, ``Rack::Multipart::Parser` stores non-file form fields (parts without a `filename`) entirely in memory as Ruby `String` objects. A single large text field in a multipart/form-data request (hundreds of megabytes or more) can consume equivalent process memory, potentially leading to out-of-memory (OOM) conditions and denial of service (DoS). Attackers can send large non-file fields to trigger excessive memory usage. Impact scales with request size and concurrency, potentially leading to worker crashes or severe garbage-collection overhead. All Rack applications processing multipart form submissions are affected. Versions 2.2.19, 3.1.17, and 3.2.2 enforce a reasonable size cap for non-file fields (e.g., 2 MiB). Workarounds include restricting maximum request body size at the web-server or proxy layer (e.g., Nginx `client_max_body_size`) and validating and rejecting unusually large form fields at the application level.
Severity ?
7.5 (High)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61771",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-07T17:51:58.348077Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T17:52:09.399Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rack",
"vendor": "rack",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.19"
},
{
"status": "affected",
"version": "\u003e= 3.1, \u003c 3.1.17"
},
{
"status": "affected",
"version": "\u003e= 3.2, \u003c 3.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, ``Rack::Multipart::Parser` stores non-file form fields (parts without a `filename`) entirely in memory as Ruby `String` objects. A single large text field in a multipart/form-data request (hundreds of megabytes or more) can consume equivalent process memory, potentially leading to out-of-memory (OOM) conditions and denial of service (DoS). Attackers can send large non-file fields to trigger excessive memory usage. Impact scales with request size and concurrency, potentially leading to worker crashes or severe garbage-collection overhead. All Rack applications processing multipart form submissions are affected. Versions 2.2.19, 3.1.17, and 3.2.2 enforce a reasonable size cap for non-file fields (e.g., 2 MiB). Workarounds include restricting maximum request body size at the web-server or proxy layer (e.g., Nginx `client_max_body_size`) and validating and rejecting unusually large form fields at the application level."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T14:42:53.366Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rack/rack/security/advisories/GHSA-w9pc-fmgc-vxvw",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rack/rack/security/advisories/GHSA-w9pc-fmgc-vxvw"
},
{
"name": "https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e"
},
{
"name": "https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e"
},
{
"name": "https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd"
}
],
"source": {
"advisory": "GHSA-w9pc-fmgc-vxvw",
"discovery": "UNKNOWN"
},
"title": "Rack\u0027s multipart parser buffers large non\u2011file fields entirely in memory, enabling DoS (memory exhaustion)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-61771",
"datePublished": "2025-10-07T14:42:53.366Z",
"dateReserved": "2025-09-30T19:43:49.900Z",
"dateUpdated": "2025-10-07T17:52:09.399Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2025-61772 (GCVE-0-2025-61772)
Vulnerability from cvelistv5 – Published: 2025-10-07 15:02 – Updated: 2025-10-07 17:51
VLAI?
EPSS
Title
Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
Summary
Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line (`CRLFCRLF`). The parser keeps appending incoming bytes to memory without a size cap, allowing a remote attacker to exhaust memory and cause a denial of service (DoS). Attackers can send incomplete multipart headers to trigger high memory use, leading to process termination (OOM) or severe slowdown. The effect scales with request size limits and concurrency. All applications handling multipart uploads may be affected. Versions 2.2.19, 3.1.17, and 3.2.2 cap per-part header size (e.g., 64 KiB). As a workaround, restrict maximum request sizes at the proxy or web server layer (e.g., Nginx `client_max_body_size`).
Severity ?
7.5 (High)
CWE
- CWE-400 - Uncontrolled Resource Consumption
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2025-61772",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-10-07T17:51:19.811672Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T17:51:26.246Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "rack",
"vendor": "rack",
"versions": [
{
"status": "affected",
"version": "\u003c 2.2.19"
},
{
"status": "affected",
"version": "\u003e= 3.1, \u003c 3.1.17"
},
{
"status": "affected",
"version": "\u003e= 3.2, \u003c 3.2.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` can accumulate unbounded data when a multipart part\u2019s header block never terminates with the required blank line (`CRLFCRLF`). The parser keeps appending incoming bytes to memory without a size cap, allowing a remote attacker to exhaust memory and cause a denial of service (DoS). Attackers can send incomplete multipart headers to trigger high memory use, leading to process termination (OOM) or severe slowdown. The effect scales with request size limits and concurrency. All applications handling multipart uploads may be affected. Versions 2.2.19, 3.1.17, and 3.2.2 cap per-part header size (e.g., 64 KiB). As a workaround, restrict maximum request sizes at the proxy or web server layer (e.g., Nginx `client_max_body_size`)."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-400",
"description": "CWE-400: Uncontrolled Resource Consumption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-10-07T15:02:09.895Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/rack/rack/security/advisories/GHSA-wpv5-97wm-hp9c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/rack/rack/security/advisories/GHSA-wpv5-97wm-hp9c"
},
{
"name": "https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e"
},
{
"name": "https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e"
},
{
"name": "https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd"
}
],
"source": {
"advisory": "GHSA-wpv5-97wm-hp9c",
"discovery": "UNKNOWN"
},
"title": "Rack\u0027s multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2025-61772",
"datePublished": "2025-10-07T15:02:09.895Z",
"dateReserved": "2025-09-30T19:43:49.901Z",
"dateUpdated": "2025-10-07T17:51:26.246Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2026-33210 (GCVE-0-2026-33210)
Vulnerability from cvelistv5 – Published: 2026-03-20 22:57 – Updated: 2026-03-23 21:41
VLAI?
EPSS
Title
Ruby JSON has a format string injection vulnerability
Summary
Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allow_duplicate_key: false parsing option is used to parse user supplied documents. This issue has been patched in versions 2.15.2.1, 2.17.1.2, and 2.19.2.
Severity ?
CWE
- CWE-134 - Use of Externally-Controlled Format String
Assigner
References
| URL | Tags | ||||
|---|---|---|---|---|---|
|
|||||
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33210",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-23T21:01:54.342811Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-23T21:41:29.624Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "json",
"vendor": "ruby",
"versions": [
{
"status": "affected",
"version": "\u003e= 2.14.0, \u003c 2.15.2.1"
},
{
"status": "affected",
"version": "\u003e= 2.16.0, \u003c 2.17.1.2"
},
{
"status": "affected",
"version": "\u003e= 2.18.0, \u003c 2.19.2"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Ruby JSON is a JSON implementation for Ruby. From version 2.14.0 to before versions 2.15.2.1, 2.17.1.2, and 2.19.2, a format string injection vulnerability can lead to denial of service attacks or information disclosure, when the allow_duplicate_key: false parsing option is used to parse user supplied documents. This issue has been patched in versions 2.15.2.1, 2.17.1.2, and 2.19.2."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.3,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "HIGH",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "NONE"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-134",
"description": "CWE-134: Use of Externally-Controlled Format String",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T22:57:08.758Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/ruby/json/security/advisories/GHSA-3m6g-2423-7cp3",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/ruby/json/security/advisories/GHSA-3m6g-2423-7cp3"
}
],
"source": {
"advisory": "GHSA-3m6g-2423-7cp3",
"discovery": "UNKNOWN"
},
"title": "Ruby JSON has a format string injection vulnerability"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33210",
"datePublished": "2026-03-20T22:57:08.758Z",
"dateReserved": "2026-03-17T23:23:58.313Z",
"dateUpdated": "2026-03-23T21:41:29.624Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
GHSA-3M6G-2423-7CP3
Vulnerability from github – Published: 2026-03-19 12:45 – Updated: 2026-03-25 18:24
VLAI?
Summary
Ruby JSON has a format string injection vulnerability
Details
Impact
A format string injection vulnerability than that lead to denial of service attacks or information disclosure, when the allow_duplicate_key: false parsing option is used to parse user supplied documents.
This option isn't the default, if you didn't opt-in to use it, you are not impacted.
Patches
Patched in 2.19.2.
Workarounds
The issue can be avoided by not using the allow_duplicate_key: false parsing option.
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "json"
},
"ranges": [
{
"events": [
{
"introduced": "2.18.0"
},
{
"fixed": "2.19.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "json"
},
"ranges": [
{
"events": [
{
"introduced": "2.16.0"
},
{
"fixed": "2.17.1.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "json"
},
"ranges": [
{
"events": [
{
"introduced": "2.14.0"
},
{
"fixed": "2.15.2.1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33210"
],
"database_specific": {
"cwe_ids": [
"CWE-134"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-19T12:45:53Z",
"nvd_published_at": "2026-03-20T23:16:46Z",
"severity": "HIGH"
},
"details": "### Impact\n\nA format string injection vulnerability than that lead to denial of service attacks or information disclosure, when the `allow_duplicate_key: false` parsing option is used to parse user supplied documents. \n\nThis option isn\u0027t the default, if you didn\u0027t opt-in to use it, you are not impacted.\n\n### Patches\n\nPatched in `2.19.2`.\n\n### Workarounds\n\nThe issue can be avoided by not using the `allow_duplicate_key: false` parsing option.",
"id": "GHSA-3m6g-2423-7cp3",
"modified": "2026-03-25T18:24:34Z",
"published": "2026-03-19T12:45:53Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ruby/json/security/advisories/GHSA-3m6g-2423-7cp3"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33210"
},
{
"type": "PACKAGE",
"url": "https://github.com/ruby/json"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/json/CVE-2026-33210.yml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Ruby JSON has a format string injection vulnerability"
}
GHSA-GH9Q-2XRM-X6QV
Vulnerability from github – Published: 2025-03-03 20:53 – Updated: 2025-11-04 00:32
VLAI?
Summary
CGI has Denial of Service (DoS) potential in Cookie.parse
Details
There is a possibility for DoS by in the cgi gem. This vulnerability has been assigned the CVE identifier CVE-2025-27219. We recommend upgrading the cgi gem.
Details
CGI::Cookie.parse took super-linear time to parse a cookie string in some cases. Feeding a maliciously crafted cookie string into the method could lead to a Denial of Service.
Please update CGI gem to version 0.3.5.1, 0.3.7, 0.4.2 or later.
Affected versions
cgi gem versions <= 0.3.5, 0.3.6, 0.4.0 and 0.4.1.
Credits
Thanks to lio346 for discovering this issue. Also thanks to mame for fixing this vulnerability.
Severity ?
5.8 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "cgi"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.5.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "cgi"
},
"ranges": [
{
"events": [
{
"introduced": "0.3.6"
},
{
"fixed": "0.3.7"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.3.6"
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "cgi"
},
"ranges": [
{
"events": [
{
"introduced": "0.4.0"
},
{
"fixed": "0.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-27219"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-03T20:53:43Z",
"nvd_published_at": "2025-03-04T00:15:31Z",
"severity": "MODERATE"
},
"details": "There is a possibility for DoS by in the cgi gem.\nThis vulnerability has been assigned the CVE identifier CVE-2025-27219. We recommend upgrading the cgi gem.\n\n## Details\n\nCGI::Cookie.parse took super-linear time to parse a cookie string in some cases. Feeding a maliciously crafted cookie string into the method could lead to a Denial of Service.\n\nPlease update CGI gem to version 0.3.5.1, 0.3.7, 0.4.2 or later.\n\n## Affected versions\n\ncgi gem versions \u003c= 0.3.5, 0.3.6, 0.4.0 and 0.4.1.\n\n## Credits\n\nThanks to lio346 for discovering this issue.\nAlso thanks to mame for fixing this vulnerability.",
"id": "GHSA-gh9q-2xrm-x6qv",
"modified": "2025-11-04T00:32:21Z",
"published": "2025-03-03T20:53:43Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27219"
},
{
"type": "WEB",
"url": "https://github.com/ruby/cgi/pull/52"
},
{
"type": "WEB",
"url": "https://github.com/ruby/cgi/pull/53"
},
{
"type": "WEB",
"url": "https://github.com/ruby/cgi/pull/54"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/2936778"
},
{
"type": "PACKAGE",
"url": "https://github.com/ruby/cgi"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27219.yml"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00008.html"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27219"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "CGI has Denial of Service (DoS) potential in Cookie.parse"
}
GHSA-72QJ-48G4-5XGX
Vulnerability from github – Published: 2025-05-07 17:32 – Updated: 2026-01-21 16:54
VLAI?
Summary
JRuby-OpenSSL has hostname verification disabled by default
Details
Summary
When verifying SSL certificates, jruby-openssl is not verifying that the hostname presented in the certificate matches the one we are trying to connect to, meaning a MITM could just present any valid cert for a completely different domain they own, and JRuby wouldn't complain.
Details
n/a
PoC
An example domain bad.substitutealert.com was created to present the a certificate for the domain s8a.me. The following script run in IRB in CRuby 3.4.3 will fail with certificate verify failed (hostname mismatch), but will work just fine in JRuby 10.0.0.0 and JRuby 9.4.2.0, both of which use jruby-openssl version 0.15.3
require "net/http"
require "openssl"
uri = URI("https://bad.substitutealert.com/")
https = Net::HTTP.new(uri.host, uri.port)
https.use_ssl = true
https.verify_mode = OpenSSL::SSL::VERIFY_PEER
body = https.start { https.get(uri.request_uri).body }
puts body
Impact
Anybody using JRuby to make requests of external APIs, or scraping the web, that depends on https to connect securely
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "rubygems:jruby-openssl"
},
"ranges": [
{
"events": [
{
"introduced": "0.12.1"
},
{
"fixed": "0.15.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.jruby:jruby"
},
"ranges": [
{
"events": [
{
"introduced": "10.0.0.0"
},
{
"fixed": "10.0.0.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.jruby:jruby"
},
"ranges": [
{
"events": [
{
"introduced": "9.3.4.0"
},
{
"fixed": "9.4.12.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "jruby-openssl"
},
"ranges": [
{
"events": [
{
"introduced": "0.12.1"
},
{
"fixed": "0.15.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-46551"
],
"database_specific": {
"cwe_ids": [
"CWE-295",
"CWE-297"
],
"github_reviewed": true,
"github_reviewed_at": "2025-05-07T17:32:54Z",
"nvd_published_at": "2025-05-07T17:15:58Z",
"severity": "MODERATE"
},
"details": "### Summary\nWhen verifying SSL certificates, jruby-openssl is not verifying that the hostname presented in the certificate matches the one we are trying to connect to, meaning a MITM could just present _any_ valid cert for a completely different domain they own, and JRuby wouldn\u0027t complain. \n\n### Details\nn/a\n\n### PoC\nAn example domain bad.substitutealert.com was created to present the a certificate for the domain s8a.me. The following script run in IRB in CRuby 3.4.3 will fail with `certificate verify failed (hostname mismatch)`, but will work just fine in JRuby 10.0.0.0 and JRuby 9.4.2.0, both of which use jruby-openssl version 0.15.3\n\n```ruby\nrequire \"net/http\"\nrequire \"openssl\"\n\nuri = URI(\"https://bad.substitutealert.com/\")\nhttps = Net::HTTP.new(uri.host, uri.port)\nhttps.use_ssl = true\nhttps.verify_mode = OpenSSL::SSL::VERIFY_PEER\n\nbody = https.start { https.get(uri.request_uri).body }\nputs body\n```\n\n### Impact\nAnybody using JRuby to make requests of external APIs, or scraping the web, that depends on https to connect securely",
"id": "GHSA-72qj-48g4-5xgx",
"modified": "2026-01-21T16:54:31Z",
"published": "2025-05-07T17:32:54Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/jruby/jruby-openssl/security/advisories/GHSA-72qj-48g4-5xgx"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46551"
},
{
"type": "WEB",
"url": "https://github.com/jruby/jruby-openssl/commit/31a56d690ce9b8af47af09aaaf809081949ed285"
},
{
"type": "WEB",
"url": "https://github.com/jruby/jruby-openssl/commit/b1fc5d645c0d90891b8865925ac1c15e3f15a055"
},
{
"type": "PACKAGE",
"url": "https://github.com/jruby/jruby-openssl"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jruby-openssl/CVE-2025-46551.yml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
"type": "CVSS_V4"
}
],
"summary": "JRuby-OpenSSL has hostname verification disabled by default"
}
GHSA-MXW3-3HH2-X2MH
Vulnerability from github – Published: 2026-02-17 16:14 – Updated: 2026-02-24 16:06
VLAI?
Summary
Rack has a Directory Traversal via Rack:Directory
Details
Summary
Rack::Directory’s path check used a string prefix match on the expanded path. A request like /../root_example/ can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root.
Details
In directory.rb, File.expand_path(File.join(root, path_info)).start_with?(root) does not enforce a path boundary. If the server root is /var/www/root, a path like /var/www/root_backup passes the check because it shares the same prefix, so Rack::Directory will list that directory also.
Impact
Information disclosure via directory listing outside the configured root when Rack::Directory is exposed to untrusted clients and a directory shares the root prefix (e.g., public2, www_backup).
Mitigation
- Update to a patched version of Rack that correctly checks the root prefix.
- Don't name directories with the same prefix as one which is exposed via
Rack::Directory.
Severity ?
7.5 (High)
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "rack"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.22"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "rack"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0.beta1"
},
{
"fixed": "3.1.20"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "rack"
},
"ranges": [
{
"events": [
{
"introduced": "3.2.0"
},
{
"fixed": "3.2.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-22860"
],
"database_specific": {
"cwe_ids": [
"CWE-22",
"CWE-548"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-17T16:14:11Z",
"nvd_published_at": "2026-02-18T19:21:43Z",
"severity": "HIGH"
},
"details": "## Summary\n\n`Rack::Directory`\u2019s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root.\n\n## Details\n\nIn `directory.rb`, `File.expand_path(File.join(root, path_info)).start_with?(root)` does not enforce a path boundary. If the server root is `/var/www/root`, a path like `/var/www/root_backup` passes the check because it shares the same prefix, so `Rack::Directory` will list that directory also. \n\n## Impact\n\nInformation disclosure via directory listing outside the configured root when `Rack::Directory` is exposed to untrusted clients and a directory shares the root prefix (e.g., `public2`, `www_backup`).\n\n## Mitigation\n\n* Update to a patched version of Rack that correctly checks the root prefix.\n* Don\u0027t name directories with the same prefix as one which is exposed via `Rack::Directory`.",
"id": "GHSA-mxw3-3hh2-x2mh",
"modified": "2026-02-24T16:06:28Z",
"published": "2026-02-17T16:14:11Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22860"
},
{
"type": "WEB",
"url": "https://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7"
},
{
"type": "PACKAGE",
"url": "https://github.com/rack/rack"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-22860.yml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Rack has a Directory Traversal via Rack:Directory"
}
GHSA-MHWM-JH88-3GJF
Vulnerability from github – Published: 2025-03-03 22:05 – Updated: 2025-11-04 00:32
VLAI?
Summary
CGI has Regular Expression Denial of Service (ReDoS) potential in Util#escapeElement
Details
There is a possibility for Regular expression Denial of Service (ReDoS) by in the cgi gem. This vulnerability has been assigned the CVE identifier CVE-2025-27220. We recommend upgrading the cgi gem.
Details
The regular expression used in CGI::Util#escapeElement is vulnerable to ReDoS. The crafted input could lead to a high CPU consumption.
This vulnerability only affects Ruby 3.1 and 3.2. If you are using these versions, please update CGI gem to version 0.3.5.1, 0.3.7, 0.4.2 or later.
Affected versions
cgi gem versions <= 0.3.5, 0.3.6, 0.4.0 and 0.4.1.
Credits
Thanks to svalkanov for discovering this issue. Also thanks to nobu for fixing this vulnerability.
Severity ?
4.0 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "cgi"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.5.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "cgi"
},
"ranges": [
{
"events": [
{
"introduced": "0.3.6"
},
{
"fixed": "0.3.7"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.3.6"
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "cgi"
},
"ranges": [
{
"events": [
{
"introduced": "0.4.0"
},
{
"fixed": "0.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-27220"
],
"database_specific": {
"cwe_ids": [
"CWE-1333"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-03T22:05:08Z",
"nvd_published_at": "2025-03-04T00:15:31Z",
"severity": "MODERATE"
},
"details": "There is a possibility for Regular expression Denial of Service (ReDoS) by in the cgi gem. This vulnerability has been assigned the CVE identifier CVE-2025-27220. We recommend upgrading the cgi gem.\n\n## Details\n\nThe regular expression used in `CGI::Util#escapeElement` is vulnerable to ReDoS. The crafted input could lead to a high CPU consumption.\n\nThis vulnerability only affects Ruby 3.1 and 3.2. If you are using these versions, please update CGI gem to version 0.3.5.1, 0.3.7, 0.4.2 or later.\n\n## Affected versions\n\ncgi gem versions \u003c= 0.3.5, 0.3.6, 0.4.0 and 0.4.1.\n\n## Credits\n\nThanks to svalkanov for discovering this issue.\nAlso thanks to nobu for fixing this vulnerability.",
"id": "GHSA-mhwm-jh88-3gjf",
"modified": "2025-11-04T00:32:21Z",
"published": "2025-03-03T22:05:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27220"
},
{
"type": "WEB",
"url": "https://github.com/ruby/cgi/pull/52"
},
{
"type": "WEB",
"url": "https://github.com/ruby/cgi/pull/53"
},
{
"type": "WEB",
"url": "https://github.com/ruby/cgi/pull/54"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/2890322"
},
{
"type": "PACKAGE",
"url": "https://github.com/ruby/cgi"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27220.yml"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00008.html"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27220"
},
{
"type": "WEB",
"url": "https://www.ruby-lang.org/en/news/2025/02/26/security-advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "CGI has Regular Expression Denial of Service (ReDoS) potential in Util#escapeElement"
}
GHSA-22H5-PQ3X-2GF2
Vulnerability from github – Published: 2025-03-03 22:07 – Updated: 2025-11-04 00:32
VLAI?
Summary
URI allows for userinfo Leakage in URI#join, URI#merge, and URI#+
Details
There is a possibility for userinfo leakage by in the uri gem. This vulnerability has been assigned the CVE identifier CVE-2025-27221. We recommend upgrading the uri gem.
Details
The methods URI#join, URI#merge, and URI#+ retained userinfo, such as user:password, even after the host is replaced. When generating a URL to a malicious host from a URL containing secret userinfo using these methods, and having someone access that URL, an unintended userinfo leak could occur.
Please update URI gem to version 0.11.3, 0.12.4, 0.13.2, 1.0.3 or later.
Affected versions
uri gem versions < 0.11.3, 0.12.0 to 0.12.3, 0.13.0, 0.13.1 and 1.0.0 to 1.0.2.
Credits
Thanks to Tsubasa Irisawa (lambdasawa) for discovering this issue. Also thanks to nobu for additional fixes of this vulnerability.
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "uri"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.11.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "uri"
},
"ranges": [
{
"events": [
{
"introduced": "0.12.0"
},
{
"fixed": "0.12.4"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "uri"
},
"ranges": [
{
"events": [
{
"introduced": "0.13.0"
},
{
"fixed": "0.13.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "uri"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.0.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-27221"
],
"database_specific": {
"cwe_ids": [
"CWE-200",
"CWE-212"
],
"github_reviewed": true,
"github_reviewed_at": "2025-03-03T22:07:53Z",
"nvd_published_at": "2025-03-04T00:15:31Z",
"severity": "LOW"
},
"details": "There is a possibility for userinfo leakage by in the uri gem.\nThis vulnerability has been assigned the CVE identifier CVE-2025-27221. We recommend upgrading the uri gem.\n\n## Details\n\nThe methods `URI#join`, `URI#merge`, and `URI#+` retained userinfo, such as `user:password`, even after the host is replaced. When generating a URL to a malicious host from a URL containing secret userinfo using these methods, and having someone access that URL, an unintended userinfo leak could occur.\n\nPlease update URI gem to version 0.11.3, 0.12.4, 0.13.2, 1.0.3 or later.\n\n## Affected versions\n\nuri gem versions \u003c 0.11.3, 0.12.0 to 0.12.3, 0.13.0, 0.13.1 and 1.0.0 to 1.0.2.\n\n## Credits\n\nThanks to Tsubasa Irisawa (lambdasawa) for discovering this issue.\nAlso thanks to nobu for additional fixes of this vulnerability.",
"id": "GHSA-22h5-pq3x-2gf2",
"modified": "2025-11-04T00:32:21Z",
"published": "2025-03-03T22:07:53Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27221"
},
{
"type": "WEB",
"url": "https://github.com/ruby/uri/pull/154"
},
{
"type": "WEB",
"url": "https://github.com/ruby/uri/pull/155"
},
{
"type": "WEB",
"url": "https://github.com/ruby/uri/pull/156"
},
{
"type": "WEB",
"url": "https://github.com/ruby/uri/pull/157"
},
{
"type": "WEB",
"url": "https://hackerone.com/reports/2957667"
},
{
"type": "PACKAGE",
"url": "https://github.com/ruby/uri"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-27221.yml"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00008.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/05/msg00015.html"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-27221"
},
{
"type": "WEB",
"url": "https://www.ruby-lang.org/en/news/2025/02/26/security-advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:N/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "URI allows for userinfo Leakage in URI#join, URI#merge, and URI#+"
}
GHSA-4CX2-FC23-5WG6
Vulnerability from github – Published: 2025-08-13 12:31 – Updated: 2025-10-17 13:58
VLAI?
Summary
Bouncy Castle for Java bcpkix, bcprov, bcpkix-fips on All (API modules) allows Excessive Allocation
Details
Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java bcpkix, bcprov, bcpkix-fips on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files https://github.Com/bcgit/bc-java/blob/main/pkix/src/main/java/org/bouncycastle/pkix/jcajce/PKIXCertP... https://github.Com/bcgit/bc-java/blob/main/pkix/src/main/java/org/bouncycastle/pkix/jcajce/PKIXCertPathReviewer.java , https://github.Com/bcgit/bc-java/blob/main/prov/src/main/java/org/bouncycastle/x509/PKIXCertPathRevi... https://github.Com/bcgit/bc-java/blob/main/prov/src/main/java/org/bouncycastle/x509/PKIXCertPathReviewer.java .
This issue affects Bouncy Castle for Java: from BC 1.44 through 1.78, from BCPKIX FIPS 1.0.0 through 1.0.7, from BCPKIX FIPS 2.0.0 through 2.0.7.
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.bouncycastle:bcpkix-jdk15on"
},
"ranges": [
{
"events": [
{
"introduced": "1.44"
},
{
"fixed": "1.79"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.bouncycastle:bcpkix-jdk15to18"
},
"ranges": [
{
"events": [
{
"introduced": "1.44"
},
{
"fixed": "1.79"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "org.bouncycastle:bcpkix-jdk18on"
},
"ranges": [
{
"events": [
{
"introduced": "1.44"
},
{
"fixed": "1.79"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.0.7"
},
"package": {
"ecosystem": "Maven",
"name": "org.bouncycastle:bcpkix-fips"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.0.8"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.0.7"
},
"package": {
"ecosystem": "Maven",
"name": "org.bouncycastle:bcpkix-fips"
},
"ranges": [
{
"events": [
{
"introduced": "2.0.0"
},
{
"fixed": "2.0.8"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-8916"
],
"database_specific": {
"cwe_ids": [
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2025-08-13T22:52:42Z",
"nvd_published_at": "2025-08-13T10:15:27Z",
"severity": "MODERATE"
},
"details": "Allocation of Resources Without Limits or Throttling vulnerability in Legion of the Bouncy Castle Inc. Bouncy Castle for Java bcpkix, bcprov, bcpkix-fips on All (API modules) allows Excessive Allocation. This vulnerability is associated with program files https://github.Com/bcgit/bc-java/blob/main/pkix/src/main/java/org/bouncycastle/pkix/jcajce/PKIXCertP... https://github.Com/bcgit/bc-java/blob/main/pkix/src/main/java/org/bouncycastle/pkix/jcajce/PKIXCertPathReviewer.java , https://github.Com/bcgit/bc-java/blob/main/prov/src/main/java/org/bouncycastle/x509/PKIXCertPathRevi... https://github.Com/bcgit/bc-java/blob/main/prov/src/main/java/org/bouncycastle/x509/PKIXCertPathReviewer.java .\n\nThis issue affects Bouncy Castle for Java: from BC 1.44 through 1.78, from BCPKIX FIPS 1.0.0 through 1.0.7, from BCPKIX FIPS 2.0.0 through 2.0.7.",
"id": "GHSA-4cx2-fc23-5wg6",
"modified": "2025-10-17T13:58:30Z",
"published": "2025-08-13T12:31:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8916"
},
{
"type": "WEB",
"url": "https://github.com/bcgit/bc-java/commit/310b30a4fbf36d13f6cc201ffa7771715641e67e"
},
{
"type": "WEB",
"url": "https://github.com/bcgit/bc-java/commit/ff444a479942d88de64004dc82c3ee32a9e9075a"
},
{
"type": "PACKAGE",
"url": "https://github.com/bcgit/bc-java"
},
{
"type": "WEB",
"url": "https://github.com/bcgit/bc-java/wiki/CVE%E2%80%902025%E2%80%908916"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/S:P/R:U/RE:M/U:Amber",
"type": "CVSS_V4"
}
],
"summary": "Bouncy Castle for Java bcpkix, bcprov, bcpkix-fips on All (API modules) allows Excessive Allocation"
}
GHSA-J4PR-3WM6-XX2R
Vulnerability from github – Published: 2025-12-30 21:07 – Updated: 2025-12-30 21:07
VLAI?
Summary
URI Credential Leakage Bypass over CVE-2025-27221
Details
Impact
In affected URI version, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials.
When using the + operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure.
The vulnerability affects the uri gem bundled with the following Ruby series:
- 0.12.4 and earlier (bundled in Ruby 3.2 series)
- 0.13.2 and earlier (bundled in Ruby 3.3 series)
- 1.0.3 and earlier (bundled in Ruby 3.4 series)
Patches
Upgrade to 0.12.5, 0.13.3 or 1.0.4
References
- https://www.ruby-lang.org/en/news/2025/02/26/security-advisories/
- https://hackerone.com/reports/2957667
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "uri"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.12.5"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "uri"
},
"ranges": [
{
"events": [
{
"introduced": "0.13.0"
},
{
"fixed": "0.13.3"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "uri"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0"
},
{
"fixed": "1.0.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-61594"
],
"database_specific": {
"cwe_ids": [
"CWE-212"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-30T21:07:14Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "### Impact\n\nIn affected URI version, a bypass exists for the fix to CVE-2025-27221 that can expose user credentials.\n\nWhen using the `+` operator to combine URIs, sensitive information like passwords from the original URI can be leaked, violating RFC3986 and making applications vulnerable to credential exposure.\n\nThe vulnerability affects the `uri` gem bundled with the following Ruby series:\n\n* 0.12.4 and earlier (bundled in Ruby 3.2 series)\n* 0.13.2 and earlier (bundled in Ruby 3.3 series)\n* 1.0.3 and earlier (bundled in Ruby 3.4 series)\n\n### Patches\n\nUpgrade to 0.12.5, 0.13.3 or 1.0.4\n\n### References\n\n* https://www.ruby-lang.org/en/news/2025/02/26/security-advisories/\n* https://hackerone.com/reports/2957667",
"id": "GHSA-j4pr-3wm6-xx2r",
"modified": "2025-12-30T21:07:15Z",
"published": "2025-12-30T21:07:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ruby/uri/commit/20157e3e29b125ff41f1d9662e2e3b1d066f5902"
},
{
"type": "WEB",
"url": "https://github.com/ruby/uri/commit/7e521b2da0833d964aab43019e735aea674e1c2c"
},
{
"type": "WEB",
"url": "https://github.com/ruby/uri/commit/d3116ca66a3b1c97dc7577f9d2d6e353f391cd6a"
},
{
"type": "PACKAGE",
"url": "https://github.com/ruby/uri"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/uri/CVE-2025-61594.yml"
},
{
"type": "WEB",
"url": "https://www.ruby-lang.org/en/news/2025/10/07/uri-cve-2025-61594"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "URI Credential Leakage Bypass over CVE-2025-27221"
}
GHSA-VC5P-V9HR-52MJ
Vulnerability from github – Published: 2025-12-18 21:31 – Updated: 2025-12-19 22:08
VLAI?
Summary
Apache Log4j does not verify the TLS hostname in its Socket Appender
Details
The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the verifyHostName configuration attribute or the log4j2.sslVerifyHostName system property is set to true.
This issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions:
- The attacker is able to intercept or redirect network traffic between the client and the log receiver.
- The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender’s configured trust store (or by the default Java trust store if no custom trust store is configured).
Users are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue.
As an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates.
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.logging.log4j:log4j-core"
},
"ranges": [
{
"events": [
{
"introduced": "2.0-beta9"
},
{
"fixed": "2.25.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-68161"
],
"database_specific": {
"cwe_ids": [
"CWE-297"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-19T22:08:02Z",
"nvd_published_at": "2025-12-18T21:15:57Z",
"severity": "MODERATE"
},
"details": "The Socket Appender in Apache Log4j Core versions 2.0-beta9 through 2.25.2 does not perform TLS hostname verification of the peer certificate, even when the [verifyHostName](https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName) configuration attribute or the [log4j2.sslVerifyHostName](https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName) system property is set to true.\n\nThis issue may allow a man-in-the-middle attacker to intercept or redirect log traffic under the following conditions:\n\n * The attacker is able to intercept or redirect network traffic between the client and the log receiver.\n * The attacker can present a server certificate issued by a certification authority trusted by the Socket Appender\u2019s configured trust store (or by the default Java trust store if no custom trust store is configured).\n\n\nUsers are advised to upgrade to Apache Log4j Core version 2.25.3, which addresses this issue.\n\nAs an alternative mitigation, the Socket Appender may be configured to use a private or restricted trust root to limit the set of trusted certificates.",
"id": "GHSA-vc5p-v9hr-52mj",
"modified": "2025-12-19T22:08:02Z",
"published": "2025-12-18T21:31:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68161"
},
{
"type": "WEB",
"url": "https://github.com/apache/logging-log4j2/pull/4002"
},
{
"type": "WEB",
"url": "https://github.com/apache/logging-log4j2/commit/3b93748497e1adbbd027fda8a5e7268ec5d0d578"
},
{
"type": "WEB",
"url": "https://github.com/apache/logging-log4j2"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/xr33kyxq3sl67lwb61ggvm1fzc8k7dvx"
},
{
"type": "WEB",
"url": "https://logging.apache.org/cyclonedx/vdr.xml"
},
{
"type": "WEB",
"url": "https://logging.apache.org/log4j/2.x/manual/appenders/network.html#SslConfiguration-attr-verifyHostName"
},
{
"type": "WEB",
"url": "https://logging.apache.org/log4j/2.x/manual/systemproperties.html#log4j2.sslVerifyHostName"
},
{
"type": "WEB",
"url": "https://logging.apache.org/security.html#CVE-2025-68161"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/12/18/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:L/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Apache Log4j does not verify the TLS hostname in its Socket Appender"
}
GHSA-2XGQ-Q749-89FQ
Vulnerability from github – Published: 2025-12-18 18:51 – Updated: 2025-12-20 05:35
VLAI?
Summary
AWS SDK for Ruby's S3 Encryption Client has a Key Commitment Issue
Details
Summary
S3 Encryption Client for Ruby is an open-source client-side encryption library used to facilitate writing and reading encrypted records to S3.
When the encrypted data key (EDK) is stored in an "Instruction File" instead of S3's metadata record, the EDK is exposed to an "Invisible Salamanders" attack (https://eprint.iacr.org/2019/016), which could allow the EDK to be replaced with a new key.
Impact
Background - Key Commitment
There is a cryptographic property whereby under certain conditions, a single ciphertext can be decrypted into 2 different plaintexts by using different encryption keys. To address this issue, strong encryption schemes use what is known as "key commitment", a process by which an encrypted message can only be decrypted by one key; the key used to originally encrypt the message.
In older versions of S3EC, when customers are also using a feature called "Instruction File" to store EDKs, key commitment is not implemented because multiple EDKs could be associated to an underlying encrypted message object. For such customers an attack that leverages the lack of key commitment is possible. A bad actor would need two things to leverage this issue: (i) the ability to create a separate, rogue, EDK that will also decrypt the underlying object to produce desired plaintext, and (ii) permission to upload a new instruction file to the S3 bucket to replace the existing instruction file placed there by the user using the S3C. Any future attempt to decrypt the underlying encrypted message with the S3EC will unwittingly use the rogue EDK to produce a valid plaintext message.
Impacted versions: <= 1.207.0
Patches
We are introducing the concept of "key commitment" to S3EC where the EDK is cryptographically bound to the ciphertext in order to address this issue. In order to maintain compatibility for in-flight messages we are releasing the fix in two versions. A code-compatible minor version that can read messages with key-commitment but not write them, and a new major version that can both read and write messages with key-commitment. For maximum safety customers are asked to upgrade to the latest major version: 1.208.0 or later.
Workarounds
There are no workarounds, please upgrade to the suggested version of S3EC.
References
If customers have any questions or comments about this advisory, AWS SDK for Ruby asks that they contact AWS Security via the issue reporting page or directly via email to aws-security@amazon.com. Please do not create a public GitHub issue.
Severity ?
5.3 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "aws-sdk-s3"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.208.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-14762"
],
"database_specific": {
"cwe_ids": [
"CWE-327"
],
"github_reviewed": true,
"github_reviewed_at": "2025-12-18T18:51:50Z",
"nvd_published_at": "2025-12-17T21:15:53Z",
"severity": "MODERATE"
},
"details": "## Summary\n\nS3 Encryption Client for Ruby is an open-source client-side encryption library used to facilitate writing and reading encrypted records to S3. \n\nWhen the encrypted data key (EDK) is stored in an \"Instruction File\" instead of S3\u0027s metadata record, the EDK is exposed to an \"Invisible Salamanders\" attack (https://eprint.iacr.org/2019/016), which could allow the EDK to be replaced with a new key. \n\n\n\n## Impact\n\n### Background - Key Commitment\n\nThere is a cryptographic property whereby under certain conditions, a single ciphertext can be decrypted into 2 different plaintexts by using different encryption keys. To address this issue, strong encryption schemes use what is known as \"key commitment\", a process by which an encrypted message can only be decrypted by one key; the key used to originally encrypt the message. \n\nIn older versions of S3EC, when customers are also using a feature called \"Instruction File\" to store EDKs, key commitment is not implemented because multiple EDKs could be associated to an underlying encrypted message object. For such customers an attack that leverages the lack of key commitment is possible. A bad actor would need two things to leverage this issue: (i) the ability to create a separate, rogue, EDK that will also decrypt the underlying object to produce desired plaintext, and (ii) permission to upload a new instruction file to the S3 bucket to replace the existing instruction file placed there by the user using the S3C. Any future attempt to decrypt the underlying encrypted message with the S3EC will unwittingly use the rogue EDK to produce a valid plaintext message.\n\nImpacted versions: \u003c= 1.207.0\n\n\n\n## Patches\n\nWe are introducing the concept of \"key commitment\" to S3EC where the EDK is cryptographically bound to the ciphertext in order to address this issue. In order to maintain compatibility for in-flight messages we are releasing the fix in two versions. A code-compatible minor version that can read messages with key-commitment but not write them, and a new major version that can both read and write messages with key-commitment. For maximum safety customers are asked to upgrade to the latest major version: 1.208.0 or later.\n\n\n\nWorkarounds\n\nThere are no workarounds, please upgrade to the suggested version of S3EC.\n\nReferences\n\nIf customers have any questions or comments about this advisory, AWS SDK for Ruby asks that they contact AWS Security via the issue reporting page or directly via email to [aws-security@amazon.com](mailto:aws-security@amazon.com). Please do not create a public GitHub issue.",
"id": "GHSA-2xgq-q749-89fq",
"modified": "2025-12-20T05:35:01Z",
"published": "2025-12-18T18:51:50Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/aws/aws-sdk-ruby/security/advisories/GHSA-2xgq-q749-89fq"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14762"
},
{
"type": "WEB",
"url": "https://github.com/aws/aws-sdk-ruby/commit/b633ba10cd2fbc4cc770b76ab531ed9647654044"
},
{
"type": "WEB",
"url": "https://aws.amazon.com/security/security-bulletins/AWS-2025-032"
},
{
"type": "PACKAGE",
"url": "https://github.com/aws/aws-sdk-ruby"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/aws-sdk-s3/CVE-2025-14762.yml"
},
{
"type": "WEB",
"url": "https://rubygems.org/gems/aws-sdk-s3/versions/1.208.0"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "AWS SDK for Ruby\u0027s S3 Encryption Client has a Key Commitment Issue"
}
GHSA-6XW4-3V39-52MM
Vulnerability from github – Published: 2025-10-10 17:33 – Updated: 2025-10-13 15:46
VLAI?
Summary
Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing
Details
Summary
Rack::Request#POST reads the entire request body into memory for Content-Type: application/x-www-form-urlencoded, calling rack.input.read(nil) without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion.
Details
When handling non-multipart form submissions, Rack’s request parser performs:
form_vars = get_header(RACK_INPUT).read
Since read is called with no argument, the entire request body is loaded into a Ruby String. This occurs before query parameter parsing or enforcement of any params_limit. As a result, Rack applications without an upstream body-size limit can experience unbounded memory allocation proportional to request size.
Impact
Attackers can send large application/x-www-form-urlencoded bodies to consume process memory, causing slowdowns or termination by the operating system (OOM). The effect scales linearly with request size and concurrency. Even with parsing limits configured, the issue occurs before those limits are enforced.
Mitigation
- Update to a patched version of Rack that enforces form parameter limits using
query_parser.bytesize_limit, preventing unbounded reads ofapplication/x-www-form-urlencodedbodies. - Enforce strict maximum body size at the proxy or web server layer (e.g., Nginx
client_max_body_size, ApacheLimitRequestBody).
Severity ?
7.5 (High)
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "rack"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.20"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "rack"
},
"ranges": [
{
"events": [
{
"introduced": "3.0"
},
{
"fixed": "3.1.18"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "rack"
},
"ranges": [
{
"events": [
{
"introduced": "3.2"
},
{
"fixed": "3.2.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-61919"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-10T17:33:35Z",
"nvd_published_at": "2025-10-10T20:15:37Z",
"severity": "HIGH"
},
"details": "## Summary\n\n`Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion.\n\n## Details\n\nWhen handling non-multipart form submissions, Rack\u2019s request parser performs:\n\n```ruby\nform_vars = get_header(RACK_INPUT).read\n```\n\nSince `read` is called with no argument, the entire request body is loaded into a Ruby `String`. This occurs before query parameter parsing or enforcement of any `params_limit`. As a result, Rack applications without an upstream body-size limit can experience unbounded memory allocation proportional to request size.\n\n## Impact\n\nAttackers can send large `application/x-www-form-urlencoded` bodies to consume process memory, causing slowdowns or termination by the operating system (OOM). The effect scales linearly with request size and concurrency. Even with parsing limits configured, the issue occurs *before* those limits are enforced.\n\n## Mitigation\n\n* Update to a patched version of Rack that enforces form parameter limits using `query_parser.bytesize_limit`, preventing unbounded reads of `application/x-www-form-urlencoded` bodies.\n* Enforce strict maximum body size at the proxy or web server layer (e.g., Nginx `client_max_body_size`, Apache `LimitRequestBody`).",
"id": "GHSA-6xw4-3v39-52mm",
"modified": "2025-10-13T15:46:17Z",
"published": "2025-10-10T17:33:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rack/rack/security/advisories/GHSA-6xw4-3v39-52mm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61919"
},
{
"type": "WEB",
"url": "https://github.com/rack/rack/commit/4e2c903991a790ee211a3021808ff4fd6fe82881"
},
{
"type": "WEB",
"url": "https://github.com/rack/rack/commit/cbd541e8a3d0c5830a3c9a30d3718ce2e124f9db"
},
{
"type": "WEB",
"url": "https://github.com/rack/rack/commit/e179614c4a653283286f5f046428cbb85f21146f"
},
{
"type": "PACKAGE",
"url": "https://github.com/rack/rack"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61919.yml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing"
}
GHSA-MR3Q-G2MV-MR4Q
Vulnerability from github – Published: 2025-10-10 20:28 – Updated: 2025-10-13 15:46
VLAI?
Summary
Sinatra is vulnerable to ReDoS through ETag header value generation
Details
Summary
There is a denial of service vulnerability in the If-Match and If-None-Match header parsing component of Sinatra, if the etag method is used when constructing the response and you are using Ruby < 3.2.
Details
Carefully crafted input can cause If-Match and If-None-Match header parsing in Sinatra to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is typically involved in generating the ETag header value. Any applications that use the etag method when generating a response are impacted if they are using Ruby below version 3.2.
Resources
- https://github.com/sinatra/sinatra/issues/2120 (report)
- https://github.com/sinatra/sinatra/pull/2121 (fix)
- https://github.com/sinatra/sinatra/pull/1823 (older ReDoS vulnerability)
- https://bugs.ruby-lang.org/issues/19104 (fix in Ruby >= 3.2)
Severity ?
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "sinatra"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "4.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-61921"
],
"database_specific": {
"cwe_ids": [
"CWE-1333",
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-10T20:28:47Z",
"nvd_published_at": "2025-10-10T20:15:38Z",
"severity": "LOW"
},
"details": "### Summary\n\nThere is a denial of service vulnerability in the `If-Match` and `If-None-Match` header parsing component of Sinatra, if the `etag` method is used when constructing the response and you are using Ruby \u003c 3.2.\n\n### Details\n\nCarefully crafted input can cause `If-Match` and `If-None-Match` header parsing in Sinatra to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is typically involved in generating the `ETag` header value. Any applications that use the `etag` method when generating a response are impacted if they are using Ruby below version 3.2.\n\n### Resources\n\n* https://github.com/sinatra/sinatra/issues/2120 (report)\n* https://github.com/sinatra/sinatra/pull/2121 (fix)\n* https://github.com/sinatra/sinatra/pull/1823 (older ReDoS vulnerability)\n* https://bugs.ruby-lang.org/issues/19104 (fix in Ruby \u003e= 3.2)",
"id": "GHSA-mr3q-g2mv-mr4q",
"modified": "2025-10-13T15:46:28Z",
"published": "2025-10-10T20:28:47Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/sinatra/sinatra/security/advisories/GHSA-mr3q-g2mv-mr4q"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61921"
},
{
"type": "WEB",
"url": "https://github.com/sinatra/sinatra/issues/2120"
},
{
"type": "WEB",
"url": "https://github.com/sinatra/sinatra/pull/1823"
},
{
"type": "WEB",
"url": "https://github.com/sinatra/sinatra/pull/2121"
},
{
"type": "WEB",
"url": "https://github.com/sinatra/sinatra/commit/3fe8c38dc405586f7ad8f2ac748aa53e9c3615bd"
},
{
"type": "WEB",
"url": "https://github.com/sinatra/sinatra/commit/8ff496bd4877520599e1479d6efead39304edceb"
},
{
"type": "WEB",
"url": "https://bugs.ruby-lang.org/issues/19104"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/sinatra/CVE-2025-61921.yml"
},
{
"type": "PACKAGE",
"url": "https://github.com/sinatra/sinatra"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "Sinatra is vulnerable to ReDoS through ETag header value generation"
}
GHSA-WHRJ-4476-WVMP
Vulnerability from github – Published: 2026-02-17 18:46 – Updated: 2026-03-10 18:41
VLAI?
Summary
Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href
Details
Summary
Rack::Directory generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename begins with the javascript: scheme (e.g. javascript:alert(1)), the generated index includes an anchor whose href attribute is exactly javascript:alert(1). Clicking this entry executes arbitrary JavaScript in the context of the hosting application.
This results in a client-side XSS condition in directory listings generated by Rack::Directory.
Details
Rack::Directory renders directory entries using an HTML row template similar to:
<a href='%s'>%s</a>
The %s placeholder is populated directly with the file’s basename. If the basename begins with javascript:, the resulting HTML contains an executable JavaScript URL:
<a href='javascript:alert(1)'>javascript:alert(1)</a>
Because the value is inserted directly into the href attribute without scheme validation or normalization, browsers interpret it as a JavaScript URI. When a user clicks the link, the JavaScript executes in the origin of the Rack application.
Impact
If Rack::Directory is used to expose filesystem contents over HTTP, an attacker who can create or upload files within that directory may introduce a malicious filename beginning with javascript:.
When a user visits the directory listing and clicks the entry, arbitrary JavaScript executes in the application's origin. Exploitation requires user interaction (clicking the malicious entry).
Mitigation
- Update to a patched version of Rack in which
Rack::Directoryprefixes generated anchors with a relative path indicator (e.g../filename). - Avoid exposing user-controlled directories via
Rack::Directory. - Apply a strict Content Security Policy (CSP) to reduce impact of potential client-side execution issues.
- Where feasible, restrict or sanitize uploaded filenames to disallow dangerous URI scheme prefixes.
HackerOne profile: https://hackerone.com/thesmartshadow
GitHub account owner: Ali Firas (@thesmartshadow)
Severity ?
5.4 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "rack"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.22"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "rack"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0.beta1"
},
{
"fixed": "3.1.20"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "rack"
},
"ranges": [
{
"events": [
{
"introduced": "3.2.0"
},
{
"fixed": "3.2.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-25500"
],
"database_specific": {
"cwe_ids": [
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-17T18:46:35Z",
"nvd_published_at": "2026-02-18T20:18:36Z",
"severity": "MODERATE"
},
"details": "## Summary\n\n`Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename begins with the `javascript:` scheme (e.g. `javascript:alert(1)`), the generated index includes an anchor whose `href` attribute is exactly `javascript:alert(1)`. Clicking this entry executes arbitrary JavaScript in the context of the hosting application.\n\nThis results in a client-side XSS condition in directory listings generated by `Rack::Directory`.\n\n## Details\n\n`Rack::Directory` renders directory entries using an HTML row template similar to:\n\n```html\n\u003ca href=\u0027%s\u0027\u003e%s\u003c/a\u003e\n```\n\nThe `%s` placeholder is populated directly with the file\u2019s basename. If the basename begins with `javascript:`, the resulting HTML contains an executable JavaScript URL:\n\n```html\n\u003ca href=\u0027javascript:alert(1)\u0027\u003ejavascript:alert(1)\u003c/a\u003e\n```\n\nBecause the value is inserted directly into the `href` attribute without scheme validation or normalization, browsers interpret it as a JavaScript URI. When a user clicks the link, the JavaScript executes in the origin of the Rack application.\n\n## Impact\n\nIf `Rack::Directory` is used to expose filesystem contents over HTTP, an attacker who can create or upload files within that directory may introduce a malicious filename beginning with `javascript:`.\n\nWhen a user visits the directory listing and clicks the entry, arbitrary JavaScript executes in the application\u0027s origin. Exploitation requires user interaction (clicking the malicious entry).\n\n## Mitigation\n\n* Update to a patched version of Rack in which `Rack::Directory` prefixes generated anchors with a relative path indicator (e.g. `./filename`).\n* Avoid exposing user-controlled directories via `Rack::Directory`.\n* Apply a strict Content Security Policy (CSP) to reduce impact of potential client-side execution issues.\n* Where feasible, restrict or sanitize uploaded filenames to disallow dangerous URI scheme prefixes.\n\nHackerOne profile:\nhttps://hackerone.com/thesmartshadow\n\nGitHub account owner:\nAli Firas (@thesmartshadow)",
"id": "GHSA-whrj-4476-wvmp",
"modified": "2026-03-10T18:41:32Z",
"published": "2026-02-17T18:46:35Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25500"
},
{
"type": "WEB",
"url": "https://github.com/rack/rack/commit/f2f225f297b99fbee3d9f51255d41f601fc40aff"
},
{
"type": "PACKAGE",
"url": "https://github.com/rack/rack"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-25500.yml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href"
}
GHSA-C2F4-JGMC-Q2R5
Vulnerability from github – Published: 2025-09-17 18:26 – Updated: 2025-09-19 14:41
VLAI?
Summary
REXML has DoS condition when parsing malformed XML file
Details
Impact
The REXML gems from 3.3.3 to 3.4.1 have a DoS vulnerability when parsing XML containing multiple XML declarations. If you need to parse untrusted XMLs, you may be impacted to these vulnerabilities.
Patches
REXML gems 3.4.2 or later include the patches to fix these vulnerabilities.
Workarounds
Don't parse untrusted XMLs.
References
- https://www.ruby-lang.org/en/news/2025/09/18/dos-rexml-cve-2025-58767/ : An announcement on www.ruby-lang.org
Severity ?
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.4.1"
},
"package": {
"ecosystem": "RubyGems",
"name": "rexml"
},
"ranges": [
{
"events": [
{
"introduced": "3.3.3"
},
{
"fixed": "3.4.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-58767"
],
"database_specific": {
"cwe_ids": [
"CWE-400",
"CWE-776"
],
"github_reviewed": true,
"github_reviewed_at": "2025-09-17T18:26:48Z",
"nvd_published_at": "2025-09-17T18:15:52Z",
"severity": "LOW"
},
"details": "### Impact\n\nThe REXML gems from 3.3.3 to 3.4.1 have a DoS vulnerability when parsing XML containing multiple XML declarations.\nIf you need to parse untrusted XMLs, you may be impacted to these vulnerabilities.\n\n### Patches\n\nREXML gems 3.4.2 or later include the patches to fix these vulnerabilities.\n\n### Workarounds\n\nDon\u0027t parse untrusted XMLs.\n\n### References\n\n* https://www.ruby-lang.org/en/news/2025/09/18/dos-rexml-cve-2025-58767/ : An announcement on www.ruby-lang.org",
"id": "GHSA-c2f4-jgmc-q2r5",
"modified": "2025-09-19T14:41:30Z",
"published": "2025-09-17T18:26:48Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/ruby/rexml/security/advisories/GHSA-c2f4-jgmc-q2r5"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-58767"
},
{
"type": "WEB",
"url": "https://github.com/ruby/rexml/commit/5859bdeac792687eaf93d8e8f0b7e3c1e2ed5c23"
},
{
"type": "PACKAGE",
"url": "https://github.com/ruby/rexml"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rexml/CVE-2025-58767.yml"
},
{
"type": "WEB",
"url": "https://www.ruby-lang.org/en/news/2025/09/18/dos-rexml-cve-2025-58767"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U",
"type": "CVSS_V4"
}
],
"summary": "REXML has DoS condition when parsing malformed XML file"
}
GHSA-W9PC-FMGC-VXVW
Vulnerability from github – Published: 2025-10-07 17:27 – Updated: 2025-10-13 15:29
VLAI?
Summary
Rack: Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
Details
Summary
Rack::Multipart::Parser stores non-file form fields (parts without a filename) entirely in memory as Ruby String objects. A single large text field in a multipart/form-data request (hundreds of megabytes or more) can consume equivalent process memory, potentially leading to out-of-memory (OOM) conditions and denial of service (DoS).
Details
During multipart parsing, file parts are streamed to temporary files, but non-file parts are buffered into memory:
body = String.new # non-file → in-RAM buffer
@mime_parts[mime_index].body << content
There is no size limit on these in-memory buffers. As a result, any large text field—while technically valid—will be loaded fully into process memory before being added to params.
Impact
Attackers can send large non-file fields to trigger excessive memory usage. Impact scales with request size and concurrency, potentially leading to worker crashes or severe garbage-collection overhead. All Rack applications processing multipart form submissions are affected.
Mitigation
- Upgrade: Use a patched version of Rack that enforces a reasonable size cap for non-file fields (e.g., 2 MiB).
- Workarounds:
- Restrict maximum request body size at the web-server or proxy layer (e.g., Nginx
client_max_body_size). - Validate and reject unusually large form fields at the application level.
Severity ?
7.5 (High)
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "rack"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.19"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "rack"
},
"ranges": [
{
"events": [
{
"introduced": "3.1"
},
{
"fixed": "3.1.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "rack"
},
"ranges": [
{
"events": [
{
"introduced": "3.2"
},
{
"fixed": "3.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-61771"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-07T17:27:07Z",
"nvd_published_at": "2025-10-07T15:16:03Z",
"severity": "HIGH"
},
"details": "## Summary\n\n`Rack::Multipart::Parser` stores non-file form fields (parts without a `filename`) entirely in memory as Ruby `String` objects. A single large text field in a multipart/form-data request (hundreds of megabytes or more) can consume equivalent process memory, potentially leading to out-of-memory (OOM) conditions and denial of service (DoS).\n\n## Details\n\nDuring multipart parsing, file parts are streamed to temporary files, but non-file parts are buffered into memory:\n\n```ruby\nbody = String.new # non-file \u2192 in-RAM buffer\n@mime_parts[mime_index].body \u003c\u003c content\n```\n\nThere is no size limit on these in-memory buffers. As a result, any large text field\u2014while technically valid\u2014will be loaded fully into process memory before being added to `params`.\n\n## Impact\n\nAttackers can send large non-file fields to trigger excessive memory usage. Impact scales with request size and concurrency, potentially leading to worker crashes or severe garbage-collection overhead. All Rack applications processing multipart form submissions are affected.\n\n## Mitigation\n\n* **Upgrade:** Use a patched version of Rack that enforces a reasonable size cap for non-file fields (e.g., 2 MiB).\n* **Workarounds:**\n * Restrict maximum request body size at the web-server or proxy layer (e.g., Nginx `client_max_body_size`).\n * Validate and reject unusually large form fields at the application level.",
"id": "GHSA-w9pc-fmgc-vxvw",
"modified": "2025-10-13T15:29:51Z",
"published": "2025-10-07T17:27:07Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rack/rack/security/advisories/GHSA-w9pc-fmgc-vxvw"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61771"
},
{
"type": "WEB",
"url": "https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e"
},
{
"type": "WEB",
"url": "https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e"
},
{
"type": "WEB",
"url": "https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd"
},
{
"type": "PACKAGE",
"url": "https://github.com/rack/rack"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61771.yml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Rack: Multipart parser buffers large non\u2011file fields entirely in memory, enabling DoS (memory exhaustion)"
}
GHSA-WPV5-97WM-HP9C
Vulnerability from github – Published: 2025-10-07 17:28 – Updated: 2025-10-13 15:30
VLAI?
Summary
Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
Details
Summary
Rack::Multipart::Parser can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line (CRLFCRLF). The parser keeps appending incoming bytes to memory without a size cap, allowing a remote attacker to exhaust memory and cause a denial of service (DoS).
Details
While reading multipart headers, the parser waits for CRLFCRLF using:
@sbuf.scan_until(/(.*?\r\n)\r\n/m)
If the terminator never appears, it continues appending data (@sbuf.concat(content)) indefinitely. There is no limit on accumulated header bytes, so a single malformed part can consume memory proportional to the request body size.
Impact
Attackers can send incomplete multipart headers to trigger high memory use, leading to process termination (OOM) or severe slowdown. The effect scales with request size limits and concurrency. All applications handling multipart uploads may be affected.
Mitigation
- Upgrade to a patched Rack version that caps per-part header size (e.g., 64 KiB).
- Until then, restrict maximum request sizes at the proxy or web server layer (e.g., Nginx
client_max_body_size).
Severity ?
7.5 (High)
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "rack"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.19"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "rack"
},
"ranges": [
{
"events": [
{
"introduced": "3.1"
},
{
"fixed": "3.1.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "rack"
},
"ranges": [
{
"events": [
{
"introduced": "3.2"
},
{
"fixed": "3.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-61772"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-07T17:28:06Z",
"nvd_published_at": "2025-10-07T15:16:03Z",
"severity": "HIGH"
},
"details": "## Summary\n\n`Rack::Multipart::Parser` can accumulate unbounded data when a multipart part\u2019s header block never terminates with the required blank line (`CRLFCRLF`). The parser keeps appending incoming bytes to memory without a size cap, allowing a remote attacker to exhaust memory and cause a denial of service (DoS).\n\n## Details\n\nWhile reading multipart headers, the parser waits for `CRLFCRLF` using:\n\n```ruby\n@sbuf.scan_until(/(.*?\\r\\n)\\r\\n/m)\n```\n\nIf the terminator never appears, it continues appending data (`@sbuf.concat(content)`) indefinitely. There is no limit on accumulated header bytes, so a single malformed part can consume memory proportional to the request body size.\n\n## Impact\n\nAttackers can send incomplete multipart headers to trigger high memory use, leading to process termination (OOM) or severe slowdown. The effect scales with request size limits and concurrency. All applications handling multipart uploads may be affected.\n\n## Mitigation\n\n* Upgrade to a patched Rack version that caps per-part header size (e.g., 64 KiB).\n* Until then, restrict maximum request sizes at the proxy or web server layer (e.g., Nginx `client_max_body_size`).",
"id": "GHSA-wpv5-97wm-hp9c",
"modified": "2025-10-13T15:30:01Z",
"published": "2025-10-07T17:28:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rack/rack/security/advisories/GHSA-wpv5-97wm-hp9c"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61772"
},
{
"type": "WEB",
"url": "https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e"
},
{
"type": "WEB",
"url": "https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e"
},
{
"type": "WEB",
"url": "https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd"
},
{
"type": "PACKAGE",
"url": "https://github.com/rack/rack"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61772.yml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Rack\u0027s multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)"
}
GHSA-P543-XPFM-54CP
Vulnerability from github – Published: 2025-10-07 17:26 – Updated: 2025-10-13 15:29
VLAI?
Summary
Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion)
Details
Summary
Rack::Multipart::Parser buffers the entire multipart preamble (bytes before the first boundary) in memory without any size limit. A client can send a large preamble followed by a valid boundary, causing significant memory use and potential process termination due to out-of-memory (OOM) conditions.
Details
While searching for the first boundary, the parser appends incoming data into a shared buffer (@sbuf.concat(content)) and scans for the boundary pattern:
@sbuf.scan_until(@body_regex)
If the boundary is not yet found, the parser continues buffering data indefinitely. There is no trimming or size cap on the preamble, allowing attackers to send arbitrary amounts of data before the first boundary.
Impact
Remote attackers can trigger large transient memory spikes by including a long preamble in multipart/form-data requests. The impact scales with allowed request sizes and concurrency, potentially causing worker crashes or severe slowdown due to garbage collection.
Mitigation
- Upgrade: Use a patched version of Rack that enforces a preamble size limit (e.g., 16 KiB) or discards preamble data entirely per RFC 2046 § 5.1.1.
- Workarounds:
- Limit total request body size at the proxy or web server level.
- Monitor memory and set per-process limits to prevent OOM conditions.
Severity ?
7.5 (High)
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "rack"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.19"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "rack"
},
"ranges": [
{
"events": [
{
"introduced": "3.1"
},
{
"fixed": "3.1.17"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "rack"
},
"ranges": [
{
"events": [
{
"introduced": "3.2"
},
{
"fixed": "3.2.2"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-61770"
],
"database_specific": {
"cwe_ids": [
"CWE-400"
],
"github_reviewed": true,
"github_reviewed_at": "2025-10-07T17:26:16Z",
"nvd_published_at": "2025-10-07T15:16:02Z",
"severity": "HIGH"
},
"details": "## Summary\n\n`Rack::Multipart::Parser` buffers the entire multipart **preamble** (bytes before the first boundary) in memory without any size limit. A client can send a large preamble followed by a valid boundary, causing significant memory use and potential process termination due to out-of-memory (OOM) conditions.\n\n## Details\n\nWhile searching for the first boundary, the parser appends incoming data into a shared buffer (`@sbuf.concat(content)`) and scans for the boundary pattern:\n\n```ruby\n@sbuf.scan_until(@body_regex)\n```\n\nIf the boundary is not yet found, the parser continues buffering data indefinitely. There is no trimming or size cap on the preamble, allowing attackers to send arbitrary amounts of data before the first boundary.\n\n## Impact\n\nRemote attackers can trigger large transient memory spikes by including a long preamble in multipart/form-data requests. The impact scales with allowed request sizes and concurrency, potentially causing worker crashes or severe slowdown due to garbage collection.\n\n## Mitigation\n\n* **Upgrade:** Use a patched version of Rack that enforces a preamble size limit (e.g., 16 KiB) or discards preamble data entirely per [RFC 2046 \u00a7 5.1.1](https://www.rfc-editor.org/rfc/rfc2046.html#section-5.1.1).\n* **Workarounds:**\n * Limit total request body size at the proxy or web server level.\n * Monitor memory and set per-process limits to prevent OOM conditions.",
"id": "GHSA-p543-xpfm-54cp",
"modified": "2025-10-13T15:29:37Z",
"published": "2025-10-07T17:26:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rack/rack/security/advisories/GHSA-p543-xpfm-54cp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61770"
},
{
"type": "WEB",
"url": "https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e"
},
{
"type": "WEB",
"url": "https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e"
},
{
"type": "WEB",
"url": "https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd"
},
{
"type": "PACKAGE",
"url": "https://github.com/rack/rack"
},
{
"type": "WEB",
"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61770.yml"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "Rack\u0027s unbounded multipart preamble buffering enables DoS (memory exhaustion)"
}
GHSA-J288-Q9X7-2F5V
Vulnerability from github – Published: 2025-07-11 15:31 – Updated: 2025-11-05 20:30
VLAI?
Summary
Apache Commons Lang is vulnerable to Uncontrolled Recursion when processing long inputs
Details
Uncontrolled Recursion vulnerability in Apache Commons Lang.
This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.
The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop.
Users are recommended to upgrade to version 3.18.0, which fixes the issue.
Severity ?
6.5 (Medium)
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.apache.commons:commons-lang3"
},
"ranges": [
{
"events": [
{
"introduced": "3.0"
},
{
"fixed": "3.18.0"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Maven",
"name": "commons-lang:commons-lang"
},
"ranges": [
{
"events": [
{
"introduced": "2.0"
},
{
"last_affected": "2.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-48924"
],
"database_specific": {
"cwe_ids": [
"CWE-674"
],
"github_reviewed": true,
"github_reviewed_at": "2025-07-12T00:48:03Z",
"nvd_published_at": "2025-07-11T15:15:24Z",
"severity": "MODERATE"
},
"details": "Uncontrolled Recursion vulnerability in Apache Commons Lang.\n\nThis issue affects Apache Commons Lang: Starting with\u00a0commons-lang:commons-lang\u00a02.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before\u00a03.18.0.\n\nThe methods ClassUtils.getClass(...) can throw\u00a0StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could\u00a0cause an application to stop.\n\nUsers are recommended to upgrade to version 3.18.0, which fixes the issue.",
"id": "GHSA-j288-q9x7-2f5v",
"modified": "2025-11-05T20:30:31Z",
"published": "2025-07-11T15:31:37Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-48924"
},
{
"type": "WEB",
"url": "https://github.com/apache/commons-lang/commit/b424803abdb2bec818e4fbcb251ce031c22aca53"
},
{
"type": "PACKAGE",
"url": "https://github.com/apache/commons-lang"
},
{
"type": "WEB",
"url": "https://lists.apache.org/thread/bgv0lpswokgol11tloxnjfzdl7yrc1g1"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00000.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/08/msg00026.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00032.html"
},
{
"type": "WEB",
"url": "https://lists.debian.org/debian-lts-announce/2025/09/msg00036.html"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2025/07/11/1"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apache Commons Lang is vulnerable to Uncontrolled Recursion when processing long inputs"
}
Loading…
Show additional events:
Loading…
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…