AIKIDO-2025-10296
rack is vulnerable to Denial of Service (DoS)
50
Medium Risk
This Affects:
rackTL;DR
Affected versions of the package are vulnerable to denial of service (DoS) due to unbounded parameter parsing in Rack::QueryParser, which can result in memory exhaustion. In the patched version, support was added for limiting the parameter using the environment variables RACK_QUERY_PARSER_PARAMS_LIMIT and RACK_QUERY_PARSER_BYTESIZE_LIMIT (default limits of 4096 parameters and 4MB total byte size), as well as through QueryParser constructor options. If either limit is exceeded, a Rack::QueryParser::QueryLimitError is raised, with ParamsTooDeepError now aliased for compatibility with existing error handling.
Who does this affect?
You are affected if you are using a version that falls within the vulnerable range.
Background info
rack is vulnerable to Denial of Service (DoS) in versions 2.0.0 - 2.2.13 and 3.0.0 - 3.1.13.
How to fix this
Upgrade the rack library to the patch version.
Links
Fix Commits
github.com/rack/rack/commit/79ab0b9794a529f26a9a5eba10077f5ee6a097cegithub.com/rack/rack/commit/2bb5263b464b65ba4b648996a579dbd180d2b712github.com/rack/rack/commit/3f5a4249118d09d199fe480466c8c6717e43b6e3github.com/rack/rack/commit/cd6b70a1f2a1016b73dc906f924869f4902c2d74
Are You Affected?
Connect your repositories to instantly see whether vulnerable or malicious packages exist in your codebase.
Free. No credit card required.
SOC 2Compliant
ISO 27001Compliant