#VU116144 Resource exhaustion in Rack - CVE-2025-59830

Cybersecurity Help s.r.o.

Published: 2025-09-26

Vulnerability identifier: #VU116144

Vulnerability risk: High

CVSSv4.0: 6.6 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U/U:Amber]

CVE-ID: CVE-2025-59830

CWE-ID: CWE-400

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Rack
Web applications / Modules and components for CMS

Vendor: Rack

Description

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to application does not properly control consumption of internal resources in the "Rack::QueryParser" function. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Rack: 2.2.0 - 2.2.18

External links
https://github.com/rack/rack/commit/54e4ffdd5affebcb0c015cc6ae74635c0831ed71
https://github.com/rack/rack/security/advisories/GHSA-625h-95r8-8xpm

Q & A

Can this vulnerability be exploited remotely?

Is there known malware, which exploits this vulnerability?

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM License Metric Tool

Multiple vulnerabilities in IBM Cloud Pak for Multicloud Management

Red Hat Enterprise Linux 10 update for pcs

Red Hat Enterprise Linux 9 update for pcs

Anolis OS update for pcs

Red Hat Enterprise Linux 9 update for pcs

Red Hat Enterprise Linux 8 update for pcs

Red Hat Enterprise Linux 9 update for pcs

Fedora 41 update for rubygem-rack