7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-59830

GHSA ID

GHSA-625h-95r8-8xpm

EPSS Score

CWE

CWE-400

Published

9/25/2025

Updated

9/25/2025

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-59830

CVE-2025-59830: Rack has an unsafe default in Rack::QueryParser allows params_limit bypass via semicolon-separated parameters

Summary

Rack::QueryParser in version < 2.2.18 enforces its params_limit only for parameters separated by &, while still splitting on both & and ;. As a result, attackers could use ; separators to bypass the parameter count limit and submit more parameters than intended.

Details

The issue arises because Rack::QueryParser#check_query_string counts only & characters when determining the number of parameters, but the default separator regex DEFAULT_SEP = /[&;] */n splits on both & and ;. This mismatch means that queries using ; separators were not included in the parameter count, allowing params_limit to be bypassed.

Other safeguards (bytesize_limit and key_space_limit) still applied, but did not prevent this particular bypass.

Impact

Applications or middleware that directly invoke Rack::QueryParser with its default configuration (no explicit delimiter) could be exposed to increased CPU and memory consumption. This can be abused as a limited denial-of-service vector.

Rack::Request, the primary entry point for typical Rack applications, uses QueryParser in a safe way and does not appear vulnerable by default. As such, the severity is considered low, with the impact limited to edge cases where QueryParser is used directly.

Mitigation

Upgrade to a patched version of Rack where both & and ; are counted consistently toward params_limit.
If upgrading is not immediately possible, configure QueryParser with an explicit delimiter (e.g., &) to avoid the mismatch.
As a general precaution, enforce query string and request size limits at the web server or proxy layer (e.g., Nginx, Apache, or a CDN) to mitigate excessive parsing overhead.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-59830

GHSA ID

GHSA-625h-95r8-8xpm

EPSS Score

CWE

CWE-400

Published

9/25/2025

Updated

9/25/2025

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
rack	rubygems	< 2.2.18	2.2.18

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability exists in how Rack's query parser handles parameter limits. The description and the provided patch clearly indicate that the check_query_string function in lib/rack/query_parser.rb is the source of the vulnerability. The patch modifies this function to correctly count both '&' and ';' as parameter separators when enforcing the params_limit. The previous implementation only counted '&', which allowed an attacker to bypass the limit by using semicolons, potentially leading to a denial of service through resource exhaustion. The functions parse_query and parse_nested_query call check_query_string, making them the entry points for the vulnerable logic, but the root cause is within check_query_string itself.

Vulnerable functions

Rack::QueryParser.check_query_string

lib/rack/query_parser.rb

The vulnerability lies in the `check_query_string` function within the `Rack::QueryParser` class. The original code only counted the ampersand ('&') character to enforce the `params_limit`, but the query parser would split parameters on both ampersands and semicolons (';'). This discrepancy allowed an attacker to bypass the parameter limit by using semicolons as separators, leading to excessive resource consumption. The patch corrects this by counting both '&' and ';' characters.

WAF Protection Rules

WAF Rule

## Summ*ry `R**k::Qu*ryP*rs*r` in v*rsion `< *.*.**` *n*or**s its `p*r*ms_limit` only *or p*r*m*t*rs s*p*r*t** *y `&`, w*il* still splittin* on *ot* `&` *n* `;`. *s * r*sult, *tt**k*rs *oul* us* `;` s*p*r*tors to *yp*ss t** p*r*m*t*r *ount limit *n*

Reasoning

T** vuln*r**ility *xists in *ow R**k's qu*ry p*rs*r **n*l*s p*r*m*t*r limits. T** **s*ription *n* t** provi*** p*t** *l**rly in*i**t* t**t t** `****k_qu*ry_strin*` *un*tion in `li*/r**k/qu*ry_p*rs*r.r*` is t** sour** o* t** vuln*r**ility. T** p*t** m

7.5

Basic Information

Concerned about an active attack path?

CVE-2025-59830: Rack has an unsafe default in Rack::QueryParser allows params_limit bypass via semicolon-separated parameters

Summary

Details

Impact

Mitigation

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI