The Rack project, a key Ruby library providing a minimal and modular interface for web application development, has released an update addressing a vulnerability in its query parameter parsing logic. The flaw, tracked as CVE-2025-59830 with a CVSS score of 7.5 (High), affects Rack versions prior to 2.2.18.
The issue lies in how Rack::QueryParser enforces its parameter count limit. According to the advisory, “Rack::QueryParser in version < 2.2.18 enforces its params_limit only for parameters separated by &, while still splitting on both & and ;. As a result, attackers could use ; separators to bypass the parameter count limit and submit more parameters than intended.”
This mismatch arises because Rack splits query strings on both & and ;, while its internal counter tracks only &. The oversight means an attacker can flood the parser with excessive parameters by using ; separators, bypassing the params_limit safeguard.
Exploiting this could lead to increased CPU and memory consumption, opening the door to limited denial-of-service (DoS) attacks. As the advisory explains, “Applications or middleware that directly invoke Rack::QueryParser with its default configuration (no explicit delimiter) could be exposed to increased CPU and memory consumption.”
However, most Rack-based applications remain safe by default: “Rack::Request, the primary entry point for typical Rack applications, uses QueryParser in a safe way and does not appear vulnerable by default.”
The affected and fixed versions:
- Affected: Rack versions < 2.2.18
- Patched: Rack 2.2.18
The patch ensures that both & and ; are consistently counted toward the parameter limit, closing the loophole.
For administrators and developers who cannot immediately upgrade, the advisory recommends:
- Configure QueryParser with an explicit delimiter (e.g., &) to avoid the mismatch.
- Enforce query string and request size limits at the web server or proxy layer (such as Nginx, Apache, or a CDN) to reduce the risk of excessive parsing overhead.
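The split/count mismatch described above, the counting fix, and the explicit-delimiter workaround, modelled in a small self-contained Ruby script (an added example, not Rack's own code; the separator pattern, the limit value and all function names are assumptions chosen to mirror the behaviour the advisory describes):

```ruby
# Minimal model of how Rack::QueryParser splits a query string versus how the
# pre-2.2.18 params_limit check counted separators. Not the gem's own code.
DEFAULT_SEP = /[&;] */  # assumption: approximates Rack's default separator
PARAMS_LIMIT = 4096      # assumption: illustrative limit, not Rack's exact value

# Parameters the splitter actually produces (both '&' and ';' are honoured).
def split_params(qs, sep = DEFAULT_SEP)
  qs.split(sep).reject(&:empty?)
end

# Pre-2.2.18 behaviour: the limit check counts only '&', so a query joined
# with ';' is never rejected even though the splitter yields many params.
def vulnerable_over_limit?(qs, limit = PARAMS_LIMIT)
  qs.count('&') >= limit
end

# Behaviour of the fix (modelled): count every separator the splitter honours,
# so the check and the split agree. String#count with "&;" counts both chars.
def fixed_over_limit?(qs, limit = PARAMS_LIMIT)
  qs.count('&;') >= limit
end

# Advisory workaround for users who cannot upgrade: an explicit delimiter.
# With '&' as the delimiter, ';' is ordinary data for both split and count.
def explicit_delim_over_limit?(qs, delim = '&', limit = PARAMS_LIMIT)
  qs.count(delim) >= limit
end

# Constructed sample: ten parameters joined with ';' only, against a limit of 5.
SAMPLE_QS = (1..10).map { |i| "k#{i}=v" }.join(';')
SAMPLE_LIMIT = 5

if __FILE__ == $PROGRAM_NAME
  puts "default split yields #{split_params(SAMPLE_QS).size} params"
  puts "vulnerable check rejects? #{vulnerable_over_limit?(SAMPLE_QS, SAMPLE_LIMIT)}"
  puts "fixed check rejects?      #{fixed_over_limit?(SAMPLE_QS, SAMPLE_LIMIT)}"
  puts "explicit '&' split yields #{split_params(SAMPLE_QS, '&').size} param(s)"
end
```

The same counter disagreement is what an upstream size or parameter-count limit at the proxy layer closes off independently of the Rack version.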