
Debian LTS: ruby-rack Important Memory Exhaustion Risks DLA-4357-1

Debian LTS
November 2, 2025
Distribution: Debian
Multiple vulnerabilities found in ruby-rack could lead to critical memory exhaustion risks. Immediate action recommended.

Summary

Multiple vulnerabilities were found in ruby-rack, a modular Ruby webserver interface, as follows:

- CVE-2025-32441: Rack session can be restored after deletion.
- CVE-2025-46727: Unbounded parameter parsing in Rack::QueryParser can lead to memory exhaustion.
- CVE-2025-59830: Unbounded parameter parsing in Rack::QueryParser can lead to memory exhaustion via semicolon-separated parameters.
- CVE-2025-61770: Unbounded multipart preamble buffering enables DoS (memory exhaustion).
- CVE-2025-61771: Multipart parser buffers large non-file fields entirely in memory, enabling DoS (memory exhaustion).
- CVE-2025-61772: Multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion).
- CVE-2025-61919: Unbounded read in Rack::Request form parsing can lead to memory exhaustion.
- CVE-2025-61780: Improper handling of headers in Rack::Sendfile may allow proxy bypass.

For Debian 11 bullseye, these problems have been fixed in version
2.1.4-3+deb11u4.

We recommend that you upgrade your ruby-rack packages.
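Upgrading is the fix. Until the patched package is deployed, the memory-exhaustion entries above (unbounded query parameters, including semicolon-separated ones, and unbounded request bodies) share one mitigation: bound request size before Rack parses anything. The middleware below is an added example written for this page, not code from the Debian advisory or the Rack project. The class name, the limit values, the status codes chosen for each rejection and the sample environments are all constructed for illustration; it depends only on the Rack calling convention (`call(env)` returning `[status, headers, body]`), so it runs without the rack gem installed.

```ruby
# Added example, not from the Debian advisory or from Rack itself.
# A Rack-style middleware that rejects oversized requests before the
# application (and Rack's own parsers) ever see them. All limits are assumed
# values; tune them to the real traffic of the service being protected.
class RequestSizeGuard
  DEFAULT_LIMITS = {
    max_body_bytes:  1 * 1024 * 1024, # assumed: 1 MiB declared body size
    max_query_bytes: 8 * 1024,        # assumed: 8 KiB query string
    max_query_pairs: 1000             # assumed: key=value pairs, '&' or ';' separated
  }.freeze

  def initialize(app, limits = {})
    @app = app
    @limits = DEFAULT_LIMITS.merge(limits)
  end

  # Standard Rack entry point: reject out-of-bounds requests with a small
  # fixed response, otherwise hand the request to the wrapped application.
  def call(env)
    status, reason = check(env)
    return reject(status, reason) if status

    @app.call(env)
  end

  # Returns [nil, nil] when the request is within bounds, otherwise
  # [http_status, reason]. Kept separate from call so it is easy to test.
  def check(env)
    query = env["QUERY_STRING"].to_s
    return [414, "query string too long"] if query.bytesize > @limits[:max_query_bytes]

    # Count both '&' and ';' separators: the semicolon form is the one the
    # CVE-2025-59830 entry singles out, and a cap on '&' alone would miss it.
    pairs = query.split(/[&;]/).count { |p| !p.empty? }
    return [414, "too many query parameters"] if pairs > @limits[:max_query_pairs]

    length = env["CONTENT_LENGTH"]
    if length.nil? || length.to_s.empty?
      # No declared length: a chunked body cannot be bounded up front, so
      # require Content-Length (assumed policy; adjust if chunked uploads are needed).
      if env["HTTP_TRANSFER_ENCODING"].to_s.downcase.include?("chunked")
        return [411, "chunked body without Content-Length not accepted"]
      end
    elsif length.to_s !~ /\A\d+\z/
      return [400, "invalid Content-Length"]
    elsif length.to_i > @limits[:max_body_bytes]
      return [413, "request body too large"]
    end

    [nil, nil]
  end

  private

  def reject(status, reason)
    body = "Request rejected: #{reason}\n"
    [status, { "content-type" => "text/plain", "content-length" => body.bytesize.to_s }, [body]]
  end
end

# Constructed sample requests (not captured traffic) exercising each branch.
SAMPLE_ENVS = {
  ok:         { "QUERY_STRING" => "a=1&b=2", "CONTENT_LENGTH" => "10" },
  semicolons: { "QUERY_STRING" => "a=1;b=2;c=3;d=4" },
  big_body:   { "QUERY_STRING" => "", "CONTENT_LENGTH" => "101" },
  bad_length: { "CONTENT_LENGTH" => "abc" },
  chunked:    { "HTTP_TRANSFER_ENCODING" => "chunked" }
}.freeze

# Runs every sample through a guard with deliberately small limits and
# returns the resulting HTTP status per sample.
def demo_results
  guard = RequestSizeGuard.new(->(_env) { [200, { "content-type" => "text/plain" }, ["ok\n"]] },
                               max_query_pairs: 3, max_body_bytes: 100)
  SAMPLE_ENVS.transform_values { |env| guard.call(env)[0] }
end

if __FILE__ == $PROGRAM_NAME
  demo_results.each { |name, status| puts "#{name}: #{status}" }
end
```

Mount it as the outermost middleware (`use RequestSizeGuard` in config.ru) so it runs before any session, form or multipart handling. It only checks the declared Content-Length; it does not replace the upgrade, which is what actually bounds the multipart and form parsers' own buffering.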



Severity: important

Package: ruby-rack
Version: 2.1.4-3+deb11u4
CVE ID: CVE-2025-32441 CVE-2025-46727 CVE-2025-59830
Debian Bug: 1104927 1116431 1117855 1117856 1117627 1117628
