CVE-2025-61770 Overview
CVE-2025-61770 is a Denial of Service vulnerability in Rack, the modular Ruby web server interface. The vulnerability exists in the Rack::Multipart::Parser component, which buffers the entire multipart preamble (bytes before the first boundary) in memory without any size limit. A remote attacker can exploit this by sending a large preamble followed by a valid boundary in multipart/form-data requests, causing significant memory consumption and potential process termination due to out-of-memory (OOM) conditions.
Critical Impact
Remote attackers can trigger large transient memory spikes, causing worker crashes or severe slowdown due to garbage collection. The impact scales with allowed request sizes and concurrency, potentially affecting application availability.
Affected Products
- Rack versions prior to 2.2.19
- Rack versions prior to 3.1.17
- Rack versions prior to 3.2.2
Discovery Timeline
- 2025-10-07 - CVE-2025-61770 published to NVD
- 2025-10-10 - Last updated in NVD database
Technical Details for CVE-2025-61770
Vulnerability Analysis
This vulnerability stems from unbounded memory allocation in the multipart request parser. When processing multipart/form-data requests, Rack::Multipart::Parser reads and buffers all bytes before the first boundary delimiter (known as the preamble) into memory. According to RFC 2046, the preamble is technically optional and should be ignored by parsers, but the vulnerable implementation accumulates this data without enforcing any size constraints.
The flaw allows attackers to craft malicious multipart requests containing arbitrarily large preambles. When multiple concurrent requests exploit this behavior, the cumulative memory pressure can exhaust available system memory, triggering OOM conditions and forcing worker process termination.
Root Cause
The root cause is a resource exhaustion vulnerability (CWE-400) in the multipart parsing logic. The parser implementation failed to enforce size limits on preamble data, allowing unbounded memory allocation. The fix introduces two new constants to limit resource consumption:
- BOUNDARY_START_LIMIT = 16 * 1024 (16 KiB) - Limits the preamble size
- MIME_HEADER_BYTESIZE_LIMIT = 64 * 1024 (64 KiB) - Limits MIME header size
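The following Ruby script is an added illustration and is not Rack's parser: it shows what "buffering the preamble" costs by scanning for the first `--boundary` delimiter once without a bound (the behaviour described above) and once with the 16 KiB `BOUNDARY_START_LIMIT` the fix introduces. The request body, the 4096-byte read size and the result hash shape are constructed for this example; only the two limit values come from the advisory.

```ruby
require "stringio"

# Value from the Rack fix (as stated in the advisory) and an assumed read
# chunk size for this illustration.
BOUNDARY_START_LIMIT = 16 * 1024
BUFSIZE = 4096

# Constructed request body: `preamble_size` filler bytes, then one valid
# part, then the closing delimiter. Illustration only, not a real upload.
def build_multipart_body(boundary, preamble_size)
  "#{"x" * preamble_size}\r\n--#{boundary}\r\n" \
    "Content-Disposition: form-data; name=\"f\"\r\n\r\nhello\r\n" \
    "--#{boundary}--\r\n"
end

# Consume bytes up to the first "--boundary" delimiter, which any parser must
# do before it can read the first part. With limit: nil the buffer grows
# without bound (the CVE-2025-61770 behaviour); with a limit the scan stops as
# soon as the preamble can no longer fit. Returns what happened and the largest
# buffer held, i.e. the transient memory one such request would cost.
def scan_preamble(body, boundary, limit: nil)
  io = StringIO.new(body)
  delimiter = "--#{boundary}".b
  buf = String.new(encoding: Encoding::BINARY)
  peak = 0
  loop do
    peak = buf.bytesize if buf.bytesize > peak
    if (idx = buf.index(delimiter))
      status = (limit && idx > limit) ? :rejected : :ok
      return { status: status, preamble_bytes: idx, peak_buffer_bytes: peak }
    end
    # Bounded variant: even if the delimiter began at the very end of the
    # buffer, the preamble would already exceed the limit, so stop here.
    if limit && buf.bytesize - delimiter.bytesize > limit
      return { status: :rejected, preamble_bytes: nil, peak_buffer_bytes: peak }
    end
    # Bounded variant never reads more than it could still accept.
    want = limit ? [BUFSIZE, limit + delimiter.bytesize + 1 - buf.bytesize].min : BUFSIZE
    chunk = io.read(want)
    return { status: :truncated, preamble_bytes: nil, peak_buffer_bytes: peak } if chunk.nil?
    buf << chunk
  end
end

if __FILE__ == $PROGRAM_NAME
  body = build_multipart_body("AaB03x", 20 * 1024)
  p scan_preamble(body, "AaB03x")                              # unbounded: whole preamble held
  p scan_preamble(body, "AaB03x", limit: BOUNDARY_START_LIMIT) # bounded: rejected early
end
```

The unbounded scan holds every preamble byte until the delimiter appears, so its peak buffer tracks the attacker-chosen preamble size; the bounded scan never buffers more than the limit plus one delimiter length, regardless of what the client sends.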
Attack Vector
The attack is network-based and requires no authentication or user interaction. An attacker sends crafted HTTP POST requests with Content-Type: multipart/form-data containing a large preamble section before the boundary delimiter. The attack is amplified when multiple malicious requests are sent concurrently, overwhelming server memory resources and causing denial of service conditions.
# Security patch adding size limits to multipart parser
# Source: https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e
Tempfile.new(["RackMultipart", extension])
}
+ BOUNDARY_START_LIMIT = 16 * 1024
+ private_constant :BOUNDARY_START_LIMIT
+
+ MIME_HEADER_BYTESIZE_LIMIT = 64 * 1024
+ private_constant :MIME_HEADER_BYTESIZE_LIMIT
+
class BoundedIO # :nodoc:
def initialize(io, content_length)
@io = io
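Review bot: the two constants are declared but nothing in this hunk uses them; BOUNDARY_START_LIMIT and MIME_HEADER_BYTESIZE_LIMIT only help if they are checked where the preamble and each part's MIME headers are accumulated, and the visible lines (the Tempfile block above and the start of BoundedIO below) contain no such check, so the enforcement must live in a hunk not shown here and should be reviewed together with this one. A one-line comment above each constant stating what it bounds (bytes before the first boundary delimiter; bytes of one part's header block) would also help, since `private_constant` hides them from callers and the names alone do not say whether the limit applies per part or per request.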
Detection Methods for CVE-2025-61770
Indicators of Compromise
- Unusual memory consumption spikes on Ruby web application servers
- Worker process crashes or OOM killer events in system logs
- High volume of large multipart/form-data POST requests from single sources
- Garbage collection activity significantly higher than baseline
Detection Strategies
- Monitor for anomalous memory usage patterns in Ruby application workers
- Implement request logging that captures Content-Type headers and request body sizes for multipart requests
- Configure alerting on worker process restarts or OOM events
- Review web server access logs for unusually large POST requests to endpoints accepting multipart data
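As an added example of the log-review strategy above (not from the advisory), the Ruby script below runs over a few constructed access-log lines and flags oversized multipart POSTs, sources sending bursts of them, and multipart requests that ended in 5xx responses. The log format is an assumption for this example (an nginx `log_format` that emits `$remote_addr "$request" $status $request_length "$content_type"`); the thresholds, IPs, paths and sizes are constructed.

```ruby
# Assumed custom access-log format for this example:
#   $remote_addr "$request" $status $request_length "$content_type"
# ($request_length counts headers too, so it slightly overstates body size.)
MULTIPART_SIZE_THRESHOLD = 1 * 1024 * 1024 # 1 MiB; tune per endpoint
BURST_THRESHOLD = 3                        # oversized requests per source

# Constructed sample lines (documentation-range IPs, invented sizes).
SAMPLE_LOG = <<~LOG
203.0.113.5 "POST /upload HTTP/1.1" 200 4521 "multipart/form-data; boundary=AaB03x"
203.0.113.9 "POST /upload HTTP/1.1" 500 52428951 "multipart/form-data; boundary=xyz"
203.0.113.9 "POST /upload HTTP/1.1" 500 52428951 "multipart/form-data; boundary=xyz"
203.0.113.9 "POST /upload HTTP/1.1" 502 52428951 "multipart/form-data; boundary=xyz"
198.51.100.2 "POST /api/items HTTP/1.1" 201 812 "application/json"
203.0.113.7 "GET /index.html HTTP/1.1" 200 317 "-"
LOG

LINE_RE = /\A(?<ip>\S+) "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3}) (?<length>\d+) "(?<ctype>[^"]*)"\z/

# Parse one line into a hash, or nil if it does not match the assumed format.
def parse_line(line)
  m = LINE_RE.match(line.strip)
  return nil unless m
  {
    ip: m[:ip], method: m[:method], path: m[:path],
    status: m[:status].to_i, length: m[:length].to_i,
    multipart: m[:ctype].downcase.start_with?("multipart/form-data")
  }
end

# Apply the three detection rules from the list above and return the findings.
def find_suspicious(log_text, size_threshold: MULTIPART_SIZE_THRESHOLD, burst_threshold: BURST_THRESHOLD)
  entries = log_text.each_line.filter_map { |l| parse_line(l) }
  oversized = entries.select { |e| e[:method] == "POST" && e[:multipart] && e[:length] > size_threshold }
  per_source = oversized.group_by { |e| e[:ip] }.transform_values(&:size)
  {
    oversized: oversized,
    bursts: per_source.select { |_, n| n >= burst_threshold }.keys,
    multipart_5xx: entries.count { |e| e[:multipart] && e[:status] >= 500 }
  }
end

if __FILE__ == $PROGRAM_NAME
  findings = find_suspicious(SAMPLE_LOG)
  findings[:oversized].each { |e| puts "oversized multipart: #{e[:ip]} #{e[:path]} #{e[:length]} bytes (#{e[:status]})" }
  findings[:bursts].each { |ip| puts "burst from #{ip}" }
  puts "multipart requests ending in 5xx: #{findings[:multipart_5xx]}"
end
```

Oversized multipart POSTs that also end in 5xx are the strongest signal here, because a worker that was killed mid-request typically surfaces as a 502 from the proxy; correlate those with OOM-killer events and worker restarts from the list above.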
Monitoring Recommendations
- Set up memory threshold alerts for Ruby application processes
- Monitor request queue depth and response latency as early indicators of resource exhaustion
- Implement rate limiting on multipart upload endpoints
- Track garbage collection frequency and duration metrics
How to Mitigate CVE-2025-61770
Immediate Actions Required
- Upgrade Rack to version 2.2.19, 3.1.17, or 3.2.2 depending on your version branch
- If immediate patching is not possible, implement request body size limits at the reverse proxy or web server level
- Configure per-process memory limits to prevent system-wide OOM conditions
- Enable request body size limits in your application framework configuration
Patch Information
Rack has released patched versions that enforce a preamble size limit (16 KiB) and either discard preamble data entirely or reject requests exceeding the limit. The following versions contain the fix:
- Version 2.2.19 for the 2.x branch
- Version 3.1.17 for the 3.1.x branch
- Version 3.2.2 for the 3.2.x branch
Security patches are available through the GitHub Security Advisory GHSA-p543-xpfm-54cp and the corresponding commits for each version branch.
Workarounds
- Limit total request body size at the proxy or web server level (e.g., Nginx client_max_body_size or Apache LimitRequestBody)
- Configure memory limits per worker process using tools like ulimit or container resource constraints
- Implement rate limiting on endpoints that accept multipart uploads
- Monitor memory usage and configure automatic worker recycling when thresholds are exceeded
# Nginx configuration to limit request body size
# Add to http, server, or location block
client_max_body_size 10m;
# Set memory limits for Ruby processes using ulimit
ulimit -v 2097152 # Limit virtual memory to 2GB
# Or configure in systemd service file
# MemoryMax=2G
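The proxy-level body limit above can also be applied inside the application. The Rack middleware below is an added example, not Rack's own code: it refuses multipart/form-data requests whose declared Content-Length exceeds a limit (or is absent or malformed) with a 413 before the body reaches the parser. The env keys follow the Rack spec; the demo app, the `call_with_limit` helper and the 10 MiB default are assumptions for this example. It is defence in depth for unpatched deployments, not a replacement for upgrading.

```ruby
# Added example middleware; not part of Rack. Wrap it around the app
# (e.g. `use MultipartBodyLimit, max_bytes: 10 * 1024 * 1024` in config.ru).
class MultipartBodyLimit
  def initialize(app, max_bytes: 10 * 1024 * 1024)
    @app = app
    @max_bytes = max_bytes
  end

  def call(env)
    if multipart?(env) && !length_ok?(env)
      body = "Request body too large\n"
      # Lowercase header names satisfy both Rack 2 and Rack 3 conventions.
      return [413, { "content-type" => "text/plain", "content-length" => body.bytesize.to_s }, [body]]
    end
    @app.call(env)
  end

  private

  def multipart?(env)
    env["CONTENT_TYPE"].to_s.downcase.start_with?("multipart/form-data")
  end

  # Without a Content-Length (e.g. chunked transfer) the body cannot be bounded
  # up front, so such multipart requests are refused too; relax this only if
  # your server enforces its own streaming limit.
  def length_ok?(env)
    len = env["CONTENT_LENGTH"]
    return false if len.nil? || len.to_s.empty?
    Integer(len, 10) <= @max_bytes
  rescue ArgumentError
    false
  end
end

# Demo app and a helper that builds a Rack env by hand, so this runs without
# the rack gem installed. Returns only the response status.
DEMO_APP = ->(_env) { [200, { "content-type" => "text/plain" }, ["ok\n"]] }

def call_with_limit(content_type:, content_length:, max_bytes: 1024)
  env = {
    "REQUEST_METHOD" => "POST", "PATH_INFO" => "/upload",
    "CONTENT_TYPE" => content_type, "CONTENT_LENGTH" => content_length
  }
  MultipartBodyLimit.new(DEMO_APP, max_bytes: max_bytes).call(env).first
end

if __FILE__ == $PROGRAM_NAME
  p call_with_limit(content_type: "multipart/form-data; boundary=x", content_length: "2048") # 413
  p call_with_limit(content_type: "multipart/form-data; boundary=x", content_length: "512")  # 200
  p call_with_limit(content_type: "application/json", content_length: "2048")                # 200
end
```

Content-Length is client-supplied, so the middleware only decides whether to start reading; the server's own enforcement of the declared length (Rack's BoundedIO, the proxy's client_max_body_size) is what stops a client from sending more than it declared. Place this middleware ahead of anything that calls `Rack::Request#POST`, since that call is where the multipart body gets parsed.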
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


