CVE-2025-61919: 
Ruby vulnerability analysis and mitigation

CVE-2025-61919 affects Rack, a modular Ruby web server interface. The vulnerability was discovered in versions prior to 2.2.20, 3.0 to 3.1.18, and 3.2 to 3.2.3, where an unbounded read in Rack::Request form parsing could lead to memory exhaustion. The issue was disclosed and patched in October 2025 (GitHub Advisory).

The vulnerability stems from Rack::Request#POST functionality, which reads the entire request body into memory for Content-Type: application/x-www-form-urlencoded by calling rack.input.read(nil) without enforcing any length or cap. This occurs before query parameter parsing or enforcement of any params_limit. The vulnerability has been assigned a CVSS v3.1 score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H, indicating network accessibility with no required privileges or user interaction (GitHub Advisory).

Attackers can exploit this vulnerability by sending large application/x-www-form-urlencoded bodies to consume process memory, potentially causing system slowdowns or termination by the operating system due to Out of Memory (OOM) conditions. The impact scales linearly with request size and concurrency, affecting system availability even when parsing limits are configured (GitHub Advisory).

The vulnerability has been patched in Rack versions 2.2.20, 3.1.18, and 3.2.3. Users should update to these patched versions which enforce form parameter limits using queryparser.bytesizelimit, preventing unbounded reads of application/x-www-form-urlencoded bodies. Additionally, it is recommended to enforce strict maximum body size at the proxy or web server layer using configurations such as Nginx clientmaxbody_size or Apache LimitRequestBody (GitHub Advisory).