CVE-2025-61770: 
Ruby vulnerability analysis and mitigation

Rack, a modular Ruby web server interface, was found to contain a vulnerability (CVE-2025-61770) in versions prior to 2.2.19, 3.1.17, and 3.2.2. The vulnerability was discovered and disclosed on October 7, 2025, affecting the Rack::Multipart::Parser component. The parser buffers the entire multipart preamble (bytes before the first boundary) in memory without any size limit, creating a potential security risk (GitHub Advisory, NVD).

The vulnerability exists in the Rack::Multipart::Parser's handling of multipart form data. While searching for the first boundary, the parser appends incoming data into a shared buffer (@sbuf.concat(content)) and scans for the boundary pattern without implementing any size restrictions. This unbounded buffering behavior allows the parser to continue accumulating data indefinitely if the boundary is not found. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating a network-accessible vulnerability requiring no privileges or user interaction (GitHub Advisory).

Remote attackers can exploit this vulnerability to trigger large transient memory spikes by including a long preamble in multipart/form-data requests. The impact scales with allowed request sizes and concurrency, potentially causing worker crashes or severe slowdown due to garbage collection. This can lead to process termination due to out-of-memory (OOM) conditions, effectively creating a denial-of-service situation (GitHub Advisory, Miggo).

The primary mitigation is to upgrade to patched versions: 2.2.19, 3.1.17, or 3.2.2, which enforce a preamble size limit (e.g., 16 KiB) or discard preamble data entirely. For systems that cannot be immediately updated, workarounds include limiting total request body size at the proxy or web server level and monitoring memory with per-process limits to prevent OOM conditions (GitHub Advisory, NVD).