
Cloud Vulnerability DB
A community-led vulnerabilities database
On October 7, 2025 the Rack project disclosed CVE-2025-61772 in Rack, the modular Ruby web server interface. The flaw affects versions prior to 2.2.19, 3.1.17, and 3.2.2 and lies in Rack::Multipart::Parser, which accumulates unbounded data when a multipart part's header block never terminates with the required blank line (CRLFCRLF) (NVD, GitHub Advisory).
The parser finds the end of a part's header block with @sbuf.scan_until(/(.*?\r\n)\r\n/m). While that scan fails it reads the next chunk of the request body and appends it with @sbuf.concat(content), and nothing checks how large the buffer has grown. A part whose header block never terminates therefore makes the parser buffer the remainder of the request body in memory. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H: remotely exploitable with no privileges or user interaction, with the impact confined to availability (GitHub Advisory, Miggo).
An attacker can therefore send a request whose multipart part headers never terminate to drive memory usage up, leading to out-of-memory process termination (OOM) or severe slowdown. Because there is no limit on accumulated header bytes, a single malformed part consumes memory proportional to the request body size, so the damage scales with the maximum request size the server accepts and with the number of such requests an attacker can keep in flight concurrently. Any application that accepts multipart uploads through Rack is exposed (GitHub Advisory).
Rack 2.2.19, 3.1.17, and 3.2.2 fix the issue by capping the per-part header block at 64 KiB. Users who cannot upgrade immediately should restrict the maximum request body size at the proxy or web server layer, for example with Nginx's client_max_body_size directive; this bounds how much a single request can make the parser buffer but does not remove the underlying flaw, so it is a stopgap rather than a substitute for upgrading (NVD, GitHub Advisory).
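The following Ruby script is an added illustration, not Rack's own code: it models the per-part header read loop described above, once without a cap (the vulnerable behaviour) and once with a cap modelled on the 64 KiB limit in the patched releases, and measures how many bytes of a constructed malformed request each variant holds in memory before it stops. The chunk size, the function and struct names (read_part_headers, PartHeaders), and the sample parts are assumptions for the demo; the only thing taken from the page is the scan pattern /(.*?\r\n)\r\n/m and the concat-until-terminator loop.

```ruby
require 'strscan'
require 'stringio'

# Added illustration (not Rack's code): a minimal model of the per-part header
# read loop in Rack::Multipart::Parser, first without a cap (the CVE-2025-61772
# behaviour) and then with a per-part header cap modelled on the 64 KiB limit
# the fix introduces. The boundary line is assumed to have been consumed already;
# the input is the rest of the body, starting with the part's header lines.

CHUNK_SIZE = 16 * 1024   # assumed read size for the demo, not Rack's actual buffer size
HEADER_CAP = 64 * 1024   # per-part header cap, modelled after the patched releases

# Same pattern the advisory quotes: the header block ends at the first CRLFCRLF.
HEADER_BLOCK = /(.*?\r\n)\r\n/m

# headers:        the header lines (nil when no terminator was ever found)
# buffered_bytes: how much of the body sat in memory when the loop stopped
# status:         :ok, :eof (unpatched: body ran out) or :header_too_large (cap hit)
PartHeaders = Struct.new(:headers, :buffered_bytes, :status)

# max_header_bytes: nil models the vulnerable loop; HEADER_CAP models the fix.
def read_part_headers(body, max_header_bytes: nil)
  io   = StringIO.new(body)
  sbuf = StringScanner.new(+"")
  loop do
    # Rescan the whole buffer each round, as the real loop does, so a terminator
    # split across two chunks is still found.
    if sbuf.scan_until(HEADER_BLOCK)
      return PartHeaders.new(sbuf[1], sbuf.string.bytesize, :ok)
    end
    chunk = io.read(CHUNK_SIZE)
    # Unpatched parser: nothing stops this loop until the body is exhausted, so
    # the buffer grows to the full request body size.
    return PartHeaders.new(nil, sbuf.string.bytesize, :eof) if chunk.nil?
    # Patched parser: refuse to grow the header buffer past the cap. The check
    # runs before concat so the oversize chunk is never copied into memory.
    if max_header_bytes && sbuf.string.bytesize + chunk.bytesize > max_header_bytes
      return PartHeaders.new(nil, sbuf.string.bytesize, :header_too_large)
    end
    sbuf.concat(chunk)
  end
end

# Constructed sample parts for the demo (not captured traffic).
GOOD_PART = "Content-Disposition: form-data; name=\"file\"; filename=\"a.txt\"\r\n" \
            "Content-Type: text/plain\r\n" \
            "\r\n" \
            "hello world\r\n"

# One valid header line, then a header line that never ends and no blank line
# anywhere: the shape of request the advisory describes.
MALFORMED_PART = "Content-Disposition: form-data; name=\"x\"\r\n" \
                 "X-Filler: " + ("A" * (96 * 1024))

if __FILE__ == $PROGRAM_NAME
  ok = read_part_headers(GOOD_PART)
  puts "well-formed: #{ok.status}, #{ok.buffered_bytes} bytes buffered"

  vuln = read_part_headers(MALFORMED_PART)
  puts "unpatched:   #{vuln.status}, #{vuln.buffered_bytes} bytes buffered (whole body)"

  fixed = read_part_headers(MALFORMED_PART, max_header_bytes: HEADER_CAP)
  puts "patched:     #{fixed.status}, #{fixed.buffered_bytes} bytes buffered (cap)"
end
```

Run as a script, the well-formed part parses normally, the uncapped loop buffers the entire malformed body before giving up at EOF, and the capped loop stops at 64 KiB. Two points carry over to the real parser: the cap must be checked before the append, not after, or the oversize chunk is still copied; and a proxy-side body limit such as client_max_body_size only bounds the :eof case to whatever size the proxy allows, so a single request still costs that much memory and concurrent requests multiply it.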
Source: This report was generated using AI