CNNVD-202509-3963 Information
CNNVD ID
CNNVD-202509-3963
Related CVE
- CNNVD Published: 2025-09-25
Description
Rack is a modular Ruby web server interface. Versions of Rack before 2.2.18 contain a vulnerability in Rack::QueryParser: the params_limit check is enforced only for parameters separated by `&`, while the parser still accepts both `&` and `;` as separators. An attacker can therefore send a query string whose parameters are separated by `;` to bypass the parameter-count limit, which can lead to increased CPU and memory consumption.
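The following is an added example, not code from Rack or from the advisory. It models the described flaw in plain Ruby so the bypass can be observed without the gem: `vulnerable_check` counts only `&` before splitting (as the description says the pre-2.2.18 limit check did) while the splitter honours both `&` and `;`; `fixed_check` counts every character the separator pattern accepts. The names `SEP`, `PARAMS_LIMIT`, `vulnerable_check`, `fixed_check`, `build_query` and `probe` are this example's own assumptions; Rack's real check lives in Rack::QueryParser and the real fix is the commit linked below.

```ruby
# Added example (not Rack's code): a minimal model of a parameter-count
# limit that is applied to '&' only, while ';' also splits parameters.

# Assumption: both '&' and ';' (with optional trailing spaces) act as
# separators, matching the behaviour the advisory describes for Rack 2.2.
SEP = /[&;] */
# Assumption: a deliberately small limit so the bypass is easy to see.
PARAMS_LIMIT = 8

class QueryLimitError < StandardError; end

# The parameters the splitter will actually produce and hand on for
# nested-key processing (the expensive part in a real parser).
def split_params(qs)
  qs.split(SEP).reject(&:empty?)
end

# Vulnerable variant: the limit is enforced by counting '&' alone, so a
# query joined with ';' is never rejected no matter how many params it has.
def vulnerable_check(qs, limit: PARAMS_LIMIT)
  param_count = qs.count('&') + 1
  if param_count > limit
    raise QueryLimitError, "query parameters (#{param_count}) exceed limit (#{limit})"
  end
  split_params(qs)
end

# Fixed variant: count every character the separator pattern accepts, so
# the number checked equals the number the splitter will produce.
def fixed_check(qs, limit: PARAMS_LIMIT)
  param_count = qs.count('&;') + 1
  if param_count > limit
    raise QueryLimitError, "query parameters (#{param_count}) exceed limit (#{limit})"
  end
  split_params(qs)
end

# Constructed input: n parameters joined with the given separator.
def build_query(n, sep)
  (1..n).map { |i| "p#{i}=#{i}" }.join(sep)
end

# Runs one checker and reports [:parsed, count] or [:rejected, nil].
def probe(checker, qs)
  params = send(checker, qs)
  [:parsed, params.size]
rescue QueryLimitError
  [:rejected, nil]
end

if $PROGRAM_NAME == __FILE__
  big_amp  = build_query(100, '&')
  big_semi = build_query(100, ';')
  puts "vulnerable, 100 params via '&': #{probe(:vulnerable_check, big_amp).inspect}"
  puts "vulnerable, 100 params via ';': #{probe(:vulnerable_check, big_semi).inspect}"
  puts "fixed,      100 params via ';': #{probe(:fixed_check, big_semi).inspect}"
  puts "fixed,      8 params via ';':   #{probe(:fixed_check, build_query(8, ';')).inspect}"
end
```

With the vulnerable variant, 100 parameters joined with `;` are split and processed in full, while the same 100 joined with `&` are rejected; the fixed variant rejects both. On a real deployment, confirm the installed version with `bundle exec ruby -e 'require "rack"; puts Rack.release'` and move to 2.2.18 or later, since the limit is only a useful defence if it is enforced for every separator the parser accepts.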
Hazard Level
Medium
Vulnerability Type
Other
Affected Vendor
Rack
Published
2025-09-25
Last Modified
2026-02-24
References
https://github.com/rack/rack/commit/54e4ffdd5affebcb0c015cc6ae74635c0831ed71
https://github.com/rack/rack/security/advisories/GHSA-625h-95r8-8xpm
https://vigilance.fr/vulnerability/Rack-overload-via-QueryParser-48339
Patch
https://github.com/rack/rack/releases