{"id":"MGASA-2025-0334","summary":"Updated ruby-rack packages fix security vulnerabilities","details":"Unbounded-Parameter DoS in Rack::QueryParser. (CVE-2025-46727)\nReDoS Vulnerability in Rack::Multipart handle_mime_head.\n(CVE-2025-49007)\nRack QueryParser has an unsafe default allowing params_limit bypass via\nsemicolon-separated parameters. (CVE-2025-59830)\nRack's unbounded multipart preamble buffering enables DoS (memory\nexhaustion). (CVE-2025-61770)\nRack's multipart parser buffers large non‑file fields entirely in\nmemory, enabling DoS (memory exhaustion). (CVE-2025-61771)\nRack's multipart parser buffers unbounded per-part headers, enabling DoS\n(memory exhaustion). (CVE-2025-61772)\nRack is vulnerable to a memory-exhaustion DoS through unbounded\nURL-encoded body parsing. (CVE-2025-61919)\nRack has Possible Information Disclosure Vulnerability. (CVE-2025-61780)\n","modified":"2026-04-16T00:11:48.692239582Z","published":"2025-12-29T20:41:12Z","upstream":["CVE-2025-46727","CVE-2025-49007","CVE-2025-59830","CVE-2025-61770","CVE-2025-61771","CVE-2025-61772","CVE-2025-61780","CVE-2025-61919"],"references":[{"type":"ADVISORY","url":"https://advisories.mageia.org/MGASA-2025-0334.html"},{"type":"REPORT","url":"https://bugs.mageia.org/show_bug.cgi?id=34755"},{"type":"WEB","url":"https://rack.github.io/rack/3.2/CHANGELOG_md.html"}],"affected":[{"package":{"name":"ruby-rack","ecosystem":"Mageia:9","purl":"pkg:rpm/mageia/ruby-rack?arch=source&distro=mageia-9"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.2.21-1.mga9"}]}],"ecosystem_specific":{"section":"core"},"database_specific":{"source":"https://advisories.mageia.org/MGASA-2025-0334.json"}}],"schema_version":"1.7.5","credits":[{"name":"Mageia","contact":["https://wiki.mageia.org/en/Packages_Security_Team"],"type":"COORDINATOR"}]}