Resource Exhaustion in rubygems-devel | CVE-2025-61919

Threat Intelligence

0.08% (26^th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Resource Exhaustion vulnerabilities in an interactive lesson.

Start learning

Snyk IDSNYK-CENTOS7-RUBYGEMSDEVEL-13549349
published24 Oct 2025
disclosed10 Oct 2025

Report a new vulnerability Found a mistake?

Introduced: 10 Oct 2025

CVE-2025-61919 (opens in a new tab) CWE-400 (opens in a new tab)

Amendment

The Centos security team deemed this advisory irrelevant for Centos:7.

NVD Description

Note: Versions mentioned in the description apply only to the upstream rubygems-devel package and not the rubygems-devel package as distributed by Centos.

Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, Rack::Request#POST reads the entire request body into memory for Content-Type: application/x-www-form-urlencoded, calling rack.input.read(nil) without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion. Users should upgrade to Rack version 2.2.20, 3.1.18, or 3.2.3, anu of which enforces form parameter limits using query_parser.bytesize_limit, preventing unbounded reads of application/x-www-form-urlencoded bodies. Additionally, enforce strict maximum body size at the proxy or web server layer (e.g., Nginx client_max_body_size, Apache LimitRequestBody).

Resource Exhaustion The advisory has been revoked - it doesn't affect any version of package rubygems-devel (opens in a new tab)