CVE-2025-61772: 
Ruby vulnerability analysis and mitigation

CVE-2025-61772 is a high-severity vulnerability affecting the Rack multipart parser in multiple versions (<2.2.19, >=3.1 & <3.1.17, >=3.2 & <3.2.2). The vulnerability was discovered and disclosed in October 2025, impacting Rack's multipart parsing functionality. The affected component is Rack::Multipart::Parser, which is used for handling multipart form data in web applications (GitHub Advisory).

The vulnerability exists in Rack::Multipart::Parser where it can accumulate unbounded data when a multipart part's header block never terminates with the required blank line (CRLFCRLF). The parser continues appending incoming bytes to memory without a size cap using @sbuf.scan_until(/(.*?\r\n)\r\n/m) operation. If the terminator never appears, it keeps appending data (@sbuf.concat(content)) indefinitely with no limit on accumulated header bytes. The vulnerability has received a CVSS v3.1 score of 7.5 (High), with attack vector being Network, attack complexity Low, and requiring no privileges or user interaction (GitHub Advisory).

The vulnerability allows attackers to send incomplete multipart headers to trigger high memory usage, potentially leading to process termination (Out of Memory) or severe system slowdown. The impact scales with request size limits and concurrency, affecting all applications that handle multipart uploads. This can result in a Denial of Service (DoS) through memory exhaustion (GitHub Advisory).

The primary mitigation is to upgrade to patched versions: Rack 2.2.19, 3.1.17, or 3.2.2. These versions implement a cap on per-part header size (64 KiB). For systems that cannot immediately upgrade, it is recommended to restrict maximum request sizes at the proxy or web server layer (e.g., using Nginx clientmaxbodysize). The patches implement BOUNDARYSTARTLIMIT (16KB) and MIMEHEADERBYTESIZELIMIT (64KB) to prevent unbounded memory allocation (GitHub Advisory, GitHub Commit).