=====================================================================

                            CERT-Renater

                Note d'Information No. 2025/VULN290

_____________________________________________________________________

DATE                : 09/05/2025

HARDWARE PLATFORM(S): /

OPERATING SYSTEM(S): Systems running rack (RubyGems) versions prior
                             to 2.2.14, 3.0.16, 3.1.14.

=====================================================================
https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx
https://github.com/rack/rack/security/advisories/GHSA-vpfw-47h7-xj4g
_____________________________________________________________________

Unbounded parameter parsing in `Rack::QueryParser` can lead to memory
exhaustion

High
ioquatix published GHSA-gjh7-p2fx-99vx May 7, 2025

Package
rack (RubyGems)

Affected versions
< 2.2.14
>= 3.0, < 3.0.16
>= 3.1, < 3.1.14

Patched versions
2.2.14
3.0.16
3.1.14


Description

Summary

Rack::QueryParser parses query strings and
application/x-www-form-urlencoded bodies into Ruby data structures
without imposing any limit on the number of parameters, allowing
attackers to send requests with extremely large numbers of
parameters.


Details

The vulnerability arises because Rack::QueryParser iterates over
each &-separated key-value pair and adds it to a Hash without
enforcing an upper bound on the total number of parameters. This
allows an attacker to send a single request containing hundreds
of thousands (or more) of parameters, which consumes excessive
memory and CPU during parsing.


Impact

An attacker can trigger denial of service by sending specifically
crafted HTTP requests, which can cause memory exhaustion or pin
CPU resources, stalling or crashing the Rack server. This results
in full service disruption until the affected worker is restarted.


Mitigation

    - Update to a version of Rack that limits the number of
      parameters parsed, or
    - Use middleware to enforce a maximum query string size or
      parameter count, or
    - Employ a reverse proxy (such as Nginx) to limit request sizes
      and reject oversized query strings or bodies.

Limiting request body sizes and query string lengths at the web server
or CDN level is an effective mitigation.
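The second mitigation above, as an added example (this is not code from rack or from the advisory): a Rack-compatible middleware that bounds the query string and form body before the application, and therefore Rack::QueryParser, ever parses them. The class name, the limit values and the constructed env hashes are assumptions made for the illustration.

```ruby
# Added example, not code from rack or from the advisory: a Rack-compatible
# middleware that bounds what Rack::QueryParser will be asked to parse.
# It inspects QUERY_STRING and CONTENT_LENGTH before the downstream app (and
# Rack::Request#params) touch the request, so oversized input is answered
# with 413 instead of being expanded into a huge Hash. Limits are illustrative.
class ParamCountLimiter
  FORM_TYPE = 'application/x-www-form-urlencoded'.freeze

  def initialize(app, max_params: 1000, max_query_bytes: 8192, max_body_bytes: 65_536)
    @app = app
    @max_params = max_params
    @max_query_bytes = max_query_bytes
    @max_body_bytes = max_body_bytes
  end

  def call(env)
    reason = rejection_reason(env)
    return reject(reason) if reason

    @app.call(env)
  end

  # Returns nil when the request is within limits, otherwise a short reason.
  # Kept separate from #call so the policy can be checked without an app.
  def rejection_reason(env)
    query = env['QUERY_STRING'].to_s
    return 'query string too long' if query.bytesize > @max_query_bytes
    return 'too many query parameters' if pair_count(query) > @max_params

    if form_body?(env)
      length = env['CONTENT_LENGTH'].to_s
      # A chunked form body declares no length, so its parameter count cannot
      # be bounded before parsing; treat it as oversized.
      return 'form body without content length' if length.empty?

      bytes = Integer(length, 10)
      return 'form body too large' if bytes > @max_body_bytes
      # A body of N bytes holds at most (N + 1) / 2 key=value pairs ("a&a&a"),
      # so the size alone also bounds the parameter count.
      return 'too many form parameters' if (bytes + 1) / 2 > @max_params
    end

    nil
  rescue ArgumentError
    'invalid content length'
  end

  private

  # Upper bound on the number of key=value pairs without building a Hash.
  # Rack 2 also accepts ';' as a separator, so both characters are counted.
  def pair_count(data)
    return 0 if data.empty?
    data.count('&;') + 1
  end

  def form_body?(env)
    env['CONTENT_TYPE'].to_s.downcase.start_with?(FORM_TYPE)
  end

  def reject(reason)
    body = "413 Payload Too Large: #{reason}\n"
    [413, { 'content-type' => 'text/plain', 'content-length' => body.bytesize.to_s }, [body]]
  end
end

if __FILE__ == $PROGRAM_NAME
  app = ->(_env) { [200, { 'content-type' => 'text/plain' }, ["ok\n"]] }
  limiter = ParamCountLimiter.new(app, max_params: 3)
  # Constructed env: four parameters against a limit of three.
  status, = limiter.call('QUERY_STRING' => 'a=1&b=2&c=3&d=4', 'REQUEST_METHOD' => 'GET')
  puts status # 413
end
```

In a config.ru this would be `use ParamCountLimiter, max_params: 1000` ahead of any middleware that reads params. The count check is a bound, not an exact parse, which is the point: the cost of the check is a linear scan over the raw bytes, never an allocation per parameter.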


Severity
High

7.5 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
None
Availability
High
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVE ID
CVE-2025-46727

Weaknesses
CWE-400 CWE-770


Credits

    @TaiPhung217 (Reporter)
    @jeremyevans (Remediation developer)
    @ioquatix (Coordinator)

_____________________________________________________________________


`Rack::Session::Pool` middleware may restore deleted sessions
Moderate
ioquatix published GHSA-vpfw-47h7-xj4g May 7, 2025

Package
rack (RubyGems)

Affected versions
<= 2.2.13

Patched versions
2.2.14


Description

Summary

When using the Rack::Session::Pool middleware, simultaneous rack
requests can restore a deleted rack session, which allows an
unauthenticated user to occupy that session.


Details

Rack session middleware prepares the session at the beginning of a
request, then saves it back to the store with any changes applied
by the host rack application. The session is therefore, in the
general sense, subject to race conditions across concurrent rack
requests.


Impact

When using the Rack::Session::Pool middleware, and provided the
attacker can acquire a session cookie (already a major issue),
the session may be restored if the attacker can trigger a
long-running request (within that same session) adjacent to the
user logging out, thereby retaining illicit access even after the
user has attempted to log out.


Mitigation

    - Update to the latest version of rack, or
    - Ensure your application invalidates sessions atomically by
      marking them as logged out (e.g., using a logged_out flag)
      instead of deleting them, and check this flag on every request
      to prevent reuse, or
    - Implement a custom session store that tracks session
      invalidation timestamps and refuses to accept session data if
      the session was invalidated after the request began.
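The third mitigation above, as an added example (this is not code from rack or from the advisory): an in-memory session store that records when each session id was invalidated and refuses to write back data from a request that loaded the session before that moment, which is exactly the write that would otherwise resurrect the deleted session. The class name, the `Loaded` struct and the injectable clock are assumptions made for the illustration; a deployment would drive this from a Rack session middleware and back it with a shared store.

```ruby
require 'securerandom'

# Added example, not code from rack or from the advisory: an in-memory session
# store that remembers when each session id was invalidated (logout) and
# refuses to save data from a request that started before that moment.
# The clock is injectable so the race can be reproduced deterministically;
# by default it is the monotonic clock.
class InvalidationAwareSessionStore
  Loaded = Struct.new(:sid, :data, :started_at)

  def initialize(clock: -> { Process.clock_gettime(Process::CLOCK_MONOTONIC) })
    @clock = clock
    @sessions = {}     # sid => session data Hash
    @invalidated = {}  # sid => time at which the session was invalidated
    @lock = Mutex.new
  end

  # Start of request: snapshot the session data together with the start time.
  # Unknown or invalidated ids never get their data back; a fresh id is issued.
  def load(sid)
    @lock.synchronize do
      data = @sessions[sid]
      if data.nil? || @invalidated.key?(sid)
        Loaded.new(SecureRandom.hex(16), {}, @clock.call)
      else
        Loaded.new(sid, data.dup, @clock.call)
      end
    end
  end

  def create
    load(nil)
  end

  # Logout: drop the data and remember when that happened.
  def invalidate(sid)
    @lock.synchronize do
      @sessions.delete(sid)
      @invalidated[sid] = @clock.call
    end
  end

  # End of request: write the session back. Returns true when stored, false
  # when a logout happened after this request loaded the session; writing in
  # that case would restore the deleted session for whoever still holds the
  # cookie, which is the race described in the advisory.
  def save(loaded)
    @lock.synchronize do
      invalidated_at = @invalidated[loaded.sid]
      if invalidated_at && invalidated_at >= loaded.started_at
        false
      else
        @sessions[loaded.sid] = loaded.data
        true
      end
    end
  end

  def exists?(sid)
    @lock.synchronize { @sessions.key?(sid) }
  end

  # Invalidation records only need to outlive the longest possible request;
  # drop those older than max_age and return how many were removed.
  def prune(max_age)
    @lock.synchronize do
      cutoff = @clock.call - max_age
      before = @invalidated.size
      @invalidated.delete_if { |_sid, at| at < cutoff }
      before - @invalidated.size
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  store = InvalidationAwareSessionStore.new
  login = store.create
  login.data['user'] = 'alice'        # constructed sample session
  store.save(login)
  slow = store.load(login.sid)        # long-running request loads the session
  store.invalidate(login.sid)         # user logs out meanwhile
  puts store.save(slow)               # false: the write-back is refused
  puts store.exists?(login.sid)       # false: the session stays deleted
end
```

A plain Rack::Session::Pool-style store would perform the final `save` unconditionally and bring the session back; here the comparison of `started_at` against the invalidation time is what closes the window, and `prune` keeps the invalidation table from growing without bound once no in-flight request can be older than the record.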


Related

As this code was moved to rack-session in Rack 3+, see
GHSA-9j94-67jr-4cqj for the equivalent advisory in rack-session
(affecting Rack 3+ only).


Severity
Moderate

4.2 / 10

CVSS v3 base metrics
Attack vector
Network
Attack complexity
High
Privileges required
Low
User interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

CVE ID
CVE-2025-32441

Weaknesses
CWE-362 CWE-367 CWE-613

Credits

    @stengineering0 (Reporter)
    @jeremyevans (Remediation developer)
    @ioquatix (Coordinator)



=========================================================
+ CERT-RENATER        |    tel : 01-53-94-20-44         +
+ 23/25 Rue Daviel    |    fax : 01-53-94-20-41         +
+ 75013 Paris         |   email:cert@support.renater.fr +
=========================================================
