Advisories » MGASA-2025-0334

Updated ruby-rack packages fix security vulnerabilities

Publication date: 29 Dec 2025
Modification date: 29 Dec 2025
Type: security
Affected Mageia releases: 9
CVE: CVE-2025-46727, CVE-2025-49007, CVE-2025-59830, CVE-2025-61770, CVE-2025-61771, CVE-2025-61772, CVE-2025-61919, CVE-2025-61780

Description

Unbounded-parameter DoS in Rack::QueryParser. (CVE-2025-46727)
ReDoS vulnerability in Rack::Multipart handle_mime_head. (CVE-2025-49007)
Rack QueryParser has an unsafe default allowing params_limit bypass via semicolon-separated parameters. (CVE-2025-59830)
Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion). (CVE-2025-61770)
Rack's multipart parser buffers large non-file fields entirely in memory, enabling DoS (memory exhaustion). (CVE-2025-61771)
Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion). (CVE-2025-61772)
Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing. (CVE-2025-61919)
Rack has a possible information disclosure vulnerability. (CVE-2025-61780)
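Several of the issues above (CVE-2025-46727, CVE-2025-59830, CVE-2025-61919) share one defensive pattern: bound the input size before parsing it, and count parameters the same way whatever separator the client uses. The following is an added illustration written for this advisory, not Mageia's packaging nor Rack's own code; the class name, the `bytesize_limit`/`params_limit` defaults and the error class are assumptions chosen for the example, and the query strings in the usage calls are constructed.

```ruby
# Added example (not Rack's API): a minimal query-string parser that
# enforces a byte-size limit before doing any work and a parameter-count
# limit that treats both "&" and ";" as separators, so the count cannot
# be sidestepped by switching the separator character.
require 'cgi'

class BoundedQueryParser
  class QueryLimitError < StandardError; end

  # Assumed defaults for this example; a real deployment would tune them.
  DEFAULT_BYTESIZE_LIMIT = 4 * 1024
  DEFAULT_PARAMS_LIMIT   = 16

  # Both separators are split on, so "a=1;b=2" counts two parameters
  # exactly like "a=1&b=2" does.
  SEPARATORS = /[&;]/

  def initialize(bytesize_limit: DEFAULT_BYTESIZE_LIMIT, params_limit: DEFAULT_PARAMS_LIMIT)
    @bytesize_limit = bytesize_limit
    @params_limit   = params_limit
  end

  # Returns a flat Hash of decoded key => value pairs, or raises
  # QueryLimitError as soon as a limit is exceeded.
  def parse(query)
    query = query.to_s
    # Size check first: nothing below this line touches more than
    # @bytesize_limit bytes, so the split/unescape cost stays bounded.
    raise QueryLimitError, 'query too large' if query.bytesize > @bytesize_limit

    params = {}
    count  = 0
    query.split(SEPARATORS).each do |pair|
      next if pair.empty?                 # tolerate "a=1&&b=2"
      count += 1
      # Count is checked per pair, before decoding, so the limit holds
      # regardless of which separator produced the pair.
      raise QueryLimitError, 'too many parameters' if count > @params_limit

      key, value = pair.split('=', 2)     # "k=v=w" keeps "v=w" as the value
      params[CGI.unescape(key)] = CGI.unescape(value.to_s)
    end
    params
  end
end

# Convenience wrapper that turns a limit violation into a value the
# caller (or a test) can inspect instead of an exception.
def safe_parse(query, **limits)
  BoundedQueryParser.new(**limits).parse(query)
rescue BoundedQueryParser::QueryLimitError => e
  { error: e.message }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed inputs: the second one uses ";" to show the count still applies.
  p safe_parse('a=1&b=2')
  p safe_parse('a=1;b=2;c=3', params_limit: 2)
  p safe_parse('q=hello%20world&n=' + 'x' * 100, bytesize_limit: 64)
end
```

The parser is deliberately flat (no nested `a[b]=1` keys) to keep the two checks visible; the point is the ordering, size limit first and a separator-independent count second, not the full Rack feature set.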

References

SRPMS

9/core