Skip to content

GHSA SYNC: 1 brand new advisory #904

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 1 commit into from
Sep 26, 2025
+58 −0
Merged

GHSA SYNC: 1 brand new advisory #904

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
58 changes: 58 additions & 0 deletions gems/rack/CVE-2025-59830.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,58 @@
---
gem: rack
cve: 2025-59830
ghsa: 625h-95r8-8xpm
url: https://github.com/rack/rack/security/advisories/GHSA-625h-95r8-8xpm
title: Rack has an unsafe default in Rack::QueryParser allows
params_limit bypass via semicolon-separated parameters
date: 2025-09-25
description: |
## Summary

`Rack::QueryParser` in version `< 2.2.18` enforces its `params_limit`
only for parameters separated by `&`, while still splitting on both
`&` and `;`. As a result, attackers could use `;` separators to
bypass the parameter count limit and submit more parameters than intended.

## Details

The issue arises because `Rack::QueryParser#check_query_string`
counts only `&` characters when determining the number of parameters,
but the default separator regex `DEFAULT_SEP = /[&;] */n` splits on
both `&` and `;`. This mismatch means that queries using `;`
separators were not included in the parameter count, allowing
`params_limit` to be bypassed.

Other safeguards (`bytesize_limit` and `key_space_limit`) still
applied, but did not prevent this particular bypass.

## Impact

Applications or middleware that directly invoke `Rack::QueryParser`
with its default configuration (no explicit delimiter) could be
exposed to increased CPU and memory consumption. This can be abused
as a limited denial-of-service vector.

`Rack::Request`, the primary entry point for typical Rack applications,
uses `QueryParser` in a safe way and does not appear vulnerable by
default. As such, the severity is considered **low**, with the impact
limited to edge cases where `QueryParser` is used directly.

## Mitigation

* Upgrade to a patched version of Rack where both `&` and `;` are
counted consistently toward `params_limit`.
* If upgrading is not immediately possible, configure `QueryParser`
with an explicit delimiter (e.g., `&`) to avoid the mismatch.
* As a general precaution, enforce query string and request size
limits at the web server or proxy layer (e.g., Nginx, Apache, or
a CDN) to mitigate excessive parsing overhead.
cvss_v3: 7.5
patched_versions:
- ">= 2.2.18"
related:
url:
- https://nvd.nist.gov/vuln/detail/CVE-2025-59830
- https://github.com/rack/rack/security/advisories/GHSA-625h-95r8-8xpm
- https://github.com/rack/rack/commit/54e4ffdd5affebcb0c015cc6ae74635c0831ed71
- https://github.com/advisories/GHSA-625h-95r8-8xpm