Resource Exhaustion Affecting ruby-25 package, versions *
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-CENTOS8-RUBY25-13497168
- published8 Oct 2025
- disclosed7 Oct 2025
Introduced: 7 Oct 2025
NewCVE-2025-61772 (opens in a new tab)How to fix?
There is no fixed version for Centos:8 ruby-25.
NVD Description
Note: Versions mentioned in the description apply only to the upstream ruby-25 package and not the ruby-25 package as distributed by Centos.
See How to fix? for Centos:8 relevant fixed versions and status.
Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, Rack::Multipart::Parser can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line (CRLFCRLF). The parser keeps appending incoming bytes to memory without a size cap, allowing a remote attacker to exhaust memory and cause a denial of service (DoS). Attackers can send incomplete multipart headers to trigger high memory use, leading to process termination (OOM) or severe slowdown. The effect scales with request size limits and concurrency. All applications handling multipart uploads may be affected. Versions 2.2.19, 3.1.17, and 3.2.2 cap per-part header size (e.g., 64 KiB). As a workaround, restrict maximum request sizes at the proxy or web server layer (e.g., Nginx client_max_body_size).
References
- https://access.redhat.com/security/cve/CVE-2025-61772
- https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e
- https://github.com/rack/rack/commit/d869fed663b113b95a74ad53e1b5cae6ab31f29e
- https://github.com/rack/rack/commit/e08f78c656c9394d6737c022bde087e0f33336fd
- https://github.com/rack/rack/security/advisories/GHSA-wpv5-97wm-hp9c