CVE-2025-61771 Overview
CVE-2025-61771 is a denial of service vulnerability in Rack, the modular Ruby web server interface used by frameworks such as Ruby on Rails and Sinatra. The flaw resides in Rack::Multipart::Parser, which stores non-file form fields entirely in memory as Ruby String objects. A single large text field in a multipart/form-data request can consume process memory equivalent to the field size, triggering out-of-memory conditions. The issue affects all Rack applications processing multipart form submissions and is classified under [CWE-400] Uncontrolled Resource Consumption.
Critical Impact
Remote unauthenticated attackers can send oversized non-file multipart fields to exhaust worker memory, crash processes, and cause service-wide denial of service.
Affected Products
- Rack versions prior to 2.2.19
- Rack versions prior to 3.1.17 in the 3.1.x branch
- Rack versions prior to 3.2.2 in the 3.2.x branch
Discovery Timeline
- 2025-10-07 - CVE-2025-61771 published to NVD
- 2025-10-10 - Last updated in NVD database
Technical Details for CVE-2025-61771
Vulnerability Analysis
The vulnerability exists in lib/rack/multipart/parser.rb. When Rack parses a multipart/form-data request, parts that lack a filename attribute are treated as regular form fields rather than file uploads. File uploads are streamed to a Tempfile on disk, but non-file fields are buffered into Ruby String objects held in resident memory.
No upper bound is enforced on the size of these in-memory strings. An attacker can craft a multipart request containing a single text field of hundreds of megabytes or more. The Ruby process allocates equivalent heap memory to hold the value, and impact scales linearly with both request size and request concurrency.
Root Cause
The root cause is missing input size validation in the multipart parser. The parser accepted arbitrarily large non-file parts because Rack distinguished between file parts (streamed to disk) and value parts (held in memory) without applying a corresponding size limit to the latter. Coupled with worker concurrency, this allowed a small number of requests to exhaust the memory of a Ruby application server.
Attack Vector
Exploitation requires only network access to an HTTP endpoint that accepts multipart form submissions. The attacker submits a multipart/form-data POST request containing one or more form fields without a filename parameter and with a body sized to exhaust available worker memory. Repeated or concurrent submissions amplify the impact, producing worker crashes, severe garbage-collection overhead, or full service unavailability.
# Patch excerpt from lib/rack/multipart/parser.rb
Tempfile.new(["RackMultipart", extension])
}
+ BOUNDARY_START_LIMIT = 16 * 1024
+ private_constant :BOUNDARY_START_LIMIT
+
+ MIME_HEADER_BYTESIZE_LIMIT = 64 * 1024
+ private_constant :MIME_HEADER_BYTESIZE_LIMIT
+
class BoundedIO # :nodoc:
def initialize(io, content_length)
@io = io
# Source: https://github.com/rack/rack/commit/589127f4ac8b5cf11cf88fb0cd116ffed4d2181e
The patch introduces explicit byte-size constants for boundary detection and MIME header parsing, and the fixed releases add a reasonable size cap (approximately 2 MiB) for non-file form fields.
Detection Methods for CVE-2025-61771
Indicators of Compromise
- HTTP POST requests with Content-Type: multipart/form-data and a Content-Length value substantially larger than expected for the endpoint.
- Multipart parts containing a Content-Disposition: form-data header with a name parameter but no filename parameter, paired with very large bodies.
- Repeated client requests from the same source coinciding with worker memory spikes or restarts.
Detection Strategies
- Inspect web server and reverse proxy access logs for unusual request sizes against endpoints that accept form submissions.
- Correlate Ruby application server worker restarts and OOM-killer events with inbound multipart traffic patterns.
- Deploy WAF rules to flag multipart/form-data requests where individual non-file parts exceed configured thresholds.
Monitoring Recommendations
- Track resident set size (RSS) and heap allocations of Puma, Unicorn, or Passenger worker processes.
- Alert on sustained increases in Ruby garbage collection time or major GC frequency.
- Monitor kernel logs for oom-killer invocations against application server processes.
How to Mitigate CVE-2025-61771
Immediate Actions Required
- Upgrade Rack to version 2.2.19, 3.1.17, or 3.2.2 depending on the major version in use.
- Audit application Gemfile.lock files across all Ruby services to confirm the patched Rack version is resolved.
- Restart application workers after upgrading to ensure the patched parser is loaded.
Patch Information
The fix is published in the Rack GHSA-w9pc-fmgc-vxvw advisory and applied in commits 589127f4, d869fed6, and e08f78c6. The patched versions enforce a size cap (approximately 2 MiB) on non-file multipart fields.
Workarounds
- Restrict the maximum request body size at the web server or proxy layer, for example by setting client_max_body_size in Nginx.
- Add application-level validation to reject multipart requests containing unusually large non-file fields before they reach the parser.
- Reduce worker concurrency or enforce per-IP rate limits on endpoints that accept multipart submissions to limit amplification.
# Nginx configuration example to cap multipart request size
http {
client_max_body_size 2m;
client_body_buffer_size 256k;
server {
location /upload {
client_max_body_size 10m;
}
}
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
