CVE-2025-59830 in Rackinfo

Summary

by MITRE • 09/25/2025

Rack is a modular Ruby web server interface. Prior to version 2.2.18, Rack::QueryParser enforces its params_limit only for parameters separated by &, while still splitting on both & and ;. As a result, attackers could use ; separators to bypass the parameter count limit and submit more parameters than intended. Applications or middleware that directly invoke Rack::QueryParser with its default configuration (no explicit delimiter) could be exposed to increased CPU and memory consumption. This can be abused as a limited denial-of-service vector. This issue has been patched in version 2.2.18.

Once again VulDB remains the best source for vulnerability data.

Analysis

by VulDB Data Team • 11/05/2025

Rack serves as a fundamental web server interface for ruby applications and has been widely adopted across the ruby ecosystem for building web applications and middleware components. The vulnerability in question affects the Rack::QueryParser component which handles parsing of query parameters from http requests. This component is responsible for converting query string parameters into ruby hash structures that applications can process. The issue manifests in versions prior to 2.2.18 where the parameter limit enforcement mechanism contains a critical flaw in its delimiter handling logic. This vulnerability falls under the category of improper input validation and can be classified as CWE-129 according to the common weakness enumeration standards.

The technical flaw in Rack::QueryParser stems from inconsistent handling of parameter separators within the parsing logic. While the component enforces the params_limit constraint only when parameters are separated by the ampersand character &, it continues to split query strings using both ampersand and semicolon characters as delimiters. This discrepancy creates a bypass mechanism where attackers can submit malicious query strings containing semicolon-separated parameters to circumvent the intended parameter count limits. The default configuration of Rack::QueryParser does not require explicit delimiter specification, making applications vulnerable when they rely on the default behavior without additional security controls.

The operational impact of this vulnerability extends beyond simple parameter parsing and represents a potential denial-of-service threat. When attackers exploit this bypass mechanism, they can submit query strings containing an excessive number of parameters that would normally be restricted by the parameter limit. This abuse leads to increased cpu and memory consumption within the application server as the parsing process handles the inflated parameter count. The resource consumption grows proportionally to the number of parameters processed, creating a scenario where malicious requests can consume disproportionate system resources. The vulnerability can be categorized under the attack pattern known as resource exhaustion within the MITRE ATT&CK framework, specifically targeting the execution and privilege escalation domains.

Applications that directly invoke Rack::QueryParser with default configurations are particularly vulnerable to this attack vector. The patched version 2.2.18 addresses the inconsistency by ensuring that parameter limits are enforced consistently regardless of the delimiter used. Organizations should implement immediate mitigation strategies including upgrading to the patched version, implementing additional rate limiting controls, and configuring explicit parameter limits in their application configurations. System administrators should also monitor for unusual patterns in query parameter processing and implement web application firewalls that can detect and block suspicious parameter count patterns. The vulnerability demonstrates the importance of consistent input validation mechanisms and proper security configuration management in web application frameworks.

Responsible

GitHub M

Reservation

09/22/2025

Disclosure

09/25/2025

Moderation

accepted

CPE

ready

EPSS

0.00535

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!