CVE-2025-26803: 
Ruby vulnerability analysis and mitigation

The http parser in Phusion Passenger versions 6.0.21 through 6.0.25 contains a vulnerability (CVE-2025-26803) that allows a denial of service attack during parsing of a request with an invalid HTTP method. The vulnerability was discovered and disclosed in February 2025, affecting the Phusion Passenger application server, which is used by over 650,000 sites to serve web apps, microservices, and APIs (Phusion Blog).

The vulnerability exists in the HTTP header parser component of Phusion Passenger, specifically when processing requests with invalid HTTP methods. The issue was introduced in version 6.0.21 and persisted through version 6.0.25. The vulnerability has been assigned a CVSS v3.1 Base Score of 7.5 (HIGH) by NIST NVD with a vector string of CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating a network-accessible vulnerability requiring no privileges or user interaction to exploit (NVD).

When successfully exploited, the vulnerability can result in a denial of service condition for the affected Phusion Passenger server. The impact is limited to availability, with no direct effect on confidentiality or integrity of the system (NVD).

The vulnerability has been fixed in Phusion Passenger version 6.0.26. Users are strongly advised to upgrade to this version. The fix involves modifications to the HTTP header parser component to properly handle invalid HTTP methods (Phusion Blog).