7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-61771

GHSA ID

GHSA-w9pc-fmgc-vxvw

EPSS Score

CWE

CWE-400

Published

10/7/2025

Updated

10/7/2025

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-61771

CVE-2025-61771: Rack: Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)

Summary

Rack::Multipart::Parser stores non-file form fields (parts without a filename) entirely in memory as Ruby String objects. A single large text field in a multipart/form-data request (hundreds of megabytes or more) can consume equivalent process memory, potentially leading to out-of-memory (OOM) conditions and denial of service (DoS).

Details

During multipart parsing, file parts are streamed to temporary files, but non-file parts are buffered into memory:

body = String.new  # non-file → in-RAM buffer
@mime_parts[mime_index].body << content

There is no size limit on these in-memory buffers. As a result, any large text field—while technically valid—will be loaded fully into process memory before being added to params.

Impact

Attackers can send large non-file fields to trigger excessive memory usage. Impact scales with request size and concurrency, potentially leading to worker crashes or severe garbage-collection overhead. All Rack applications processing multipart form submissions are affected.

Mitigation

Upgrade: Use a patched version of Rack that enforces a reasonable size cap for non-file fields (e.g., 2 MiB).
Workarounds:
- Restrict maximum request body size at the web-server or proxy layer (e.g., Nginx client_max_body_size).
- Validate and reject unusually large form fields at the application level.

(GitHub Advisory)

7.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-61771

GHSA ID

GHSA-w9pc-fmgc-vxvw

EPSS Score

CWE

CWE-400

Published

10/7/2025

Updated

10/7/2025

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
rack	rubygems	< 2.2.19	2.2.19
rack	rubygems	>= 3.1, < 3.1.17	3.1.17
rack	rubygems	>= 3.2, < 3.2.2	3.2.2

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The analysis of the provided patches reveals that the vulnerability lies within the Rack::Multipart::Parser class, specifically in two methods that handle the initial parsing of a multipart request. The provided commits address unbounded memory allocation vulnerabilities in handle_fast_forward and handle_mime_head.

The vulnerability description provided (GHSA-w9pc-fmgc-vxvw) focuses on the buffering of large non-file fields, which is a slightly different issue (related to CVE-2025-61771). However, the provided patches are for CVE-2025-61770 (unbounded preamble buffering) and CVE-2025-61772 (unbounded header buffering). The task is to analyze the provided patches, so the identified vulnerable functions are the ones fixed in those commits.

Rack::Multipart::Parser.handle_fast_forward: This function was vulnerable because it lacked a size limit on the data buffered while searching for the first multipart boundary. An attacker could send a request without a boundary, causing the application to run out of memory.
Rack::Multipart::Parser.handle_mime_head: Similarly, this function was vulnerable due to the absence of a size limit on the data buffered for a part's headers. An attacker could send a part with an extremely large header to cause memory exhaustion.

During exploitation, a profiler would show these functions being executed repeatedly as they consume the malicious request body, leading to increased memory usage until the process crashes. Therefore, these two functions are the key runtime indicators for this vulnerability.

Vulnerable functions

Rack::Multipart::Parser.handle_fast_forward

lib/rack/multipart/parser.rb

This function is responsible for parsing the multipart request until the first boundary is found. Prior to the patch, it would continuously buffer data from the input stream into the `@sbuf` variable without any size limit if the boundary was not present. This allows an attacker to send a stream of data without a boundary, causing the server to exhaust its memory, leading to a denial of service.

Rack::Multipart::Parser.handle_mime_head

lib/rack/multipart/parser.rb

This function is responsible for parsing the headers of a MIME part in a multipart request. Before the patch, it would buffer data from the input stream while waiting for the end of the headers (`\r\n\r\n`). If an attacker sent a part with a very large header (or no header termination), the server would buffer the entire header in memory, leading to memory exhaustion and a denial of service.

WAF Protection Rules

WAF Rule

## Summ*ry `R**k::Multip*rt::P*rs*r` stor*s non-*il* *orm *i*l*s (p*rts wit*out * `*il*n*m*`) *ntir*ly in m*mory *s Ru*y `Strin*` o*j**ts. * sin*l* l*r** t*xt *i*l* in * multip*rt/*orm-**t* r*qu*st (*un*r**s o* m****yt*s or mor*) **n *onsum* *quiv*l

Reasoning

T** *n*lysis o* t** provi*** p*t***s r*v**ls t**t t** vuln*r**ility li*s wit*in t** `R**k::Multip*rt::P*rs*r` *l*ss, sp**i*i**lly in two m*t*o*s t**t **n*l* t** initi*l p*rsin* o* * multip*rt r*qu*st. T** provi*** *ommits ***r*ss un*oun*** m*mory *ll

7.5

Basic Information

Concerned about an active attack path?

CVE-2025-61771: Rack: Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)

Summary

Details

Impact

Mitigation

7.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI