Vulnerability Description
Rack is a modular Ruby web server interface. Prior to version 2.2.18, Rack::QueryParser enforces its params_limit only for parameters separated by &, while still splitting on both & and ;. As a result, attackers could use ; separators to bypass the parameter count limit and submit more parameters than intended. Applications or middleware that directly invoke Rack::QueryParser with its default configuration (no explicit delimiter) could be exposed to increased CPU and memory consumption. This can be abused as a limited denial-of-service vector. This issue has been patched in version 2.2.18.
CVSS Score
HIGH
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Rack | Rack | < 2.2.18 |
Related Weaknesses (CWE)
References
- https://github.com/rack/rack/commit/54e4ffdd5affebcb0c015cc6ae74635c0831ed71Patch
- https://github.com/rack/rack/security/advisories/GHSA-625h-95r8-8xpmMitigationVendor Advisory
FAQ
What is CVE-2025-59830?
CVE-2025-59830 is a vulnerability with a CVSS score of 7.5 (HIGH). Rack is a modular Ruby web server interface. Prior to version 2.2.18, Rack::QueryParser enforces its params_limit only for parameters separated by &, while still splitting on both & and ;. As a result...
How severe is CVE-2025-59830?
CVE-2025-59830 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-59830?
Check the references section above for vendor advisories and patch information. Affected products include: Rack Rack.