Lucene search
K

7 matches found

OSV
OSV
added 2026/06/15 8:19 p.m.7 views

GHSA-MGF9-4VPG-HJ56 tornado AsyncHTTPClient accumulates decompressed chunks without size limit (gzip bomb)

Tornado's gzip decompression routines work in limited-size chunks, but have no overall limit for the total size of decompressed chunks that they will accumulate There has always been a limit for the total compressed size. This allows a malicious server to consume effectively unlimited amounts of...

7.5CVSS5.4AI score0.00052EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/03/11 7:27 p.m.5 views

CVE-2026-31958 Tornado has a DoS due to too many multipart parts

Tornado is a Python web framework and asynchronous networking library. In versions of Tornado prior to 6.5.5, the only limit on the number of parts in multipart/form-data is the maxbodysize setting default 100MB. Since parsing occurs synchronously on the main thread, this creates the possibility ...

8.7CVSS5.8AI score0.00375EPSS
Exploits0References1
NVD
NVD
added 2025/10/10 8:15 p.m.6 views

CVE-2025-61919

Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, Rack::RequestPOST reads the entire request body into memory for Content-Type: application/x-www-form-urlencoded, calling rack.input.readnil without enforcing a length or cap. Large request bodies can therefo...

7.5CVSS0.00605EPSS
Exploits0References4
CVE
CVE
added 2025/10/10 7:22 p.m.45 views

CVE-2025-61919

CVE-2025-61919 : Rack’s Rack::Request#POST reads the entire body into memory for application/x-www-form-urlencoded and can cause DoS via memory exhaustion in affected versions prior to 2.2.20, 3.1.18, and 3.2.3. The fix enforces form parameter limits (query_parser.bytesize_limit) and prevents unb...

7.5CVSS6.4AI score0.00605EPSS
Exploits0References4Affected Software1
Debian CVE
Debian CVE
added 2025/10/10 7:22 p.m.3 views

CVE-2025-61919

Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, Rack::RequestPOST reads the entire request body into memory for Content-Type: application/x-www-form-urlencoded, calling rack.input.readnil without enforcing a length or cap. Large request bodies can therefo...

7.5CVSS6.4AI score0.00605EPSS
Exploits0
Vulnrichment
Vulnrichment
added 2025/10/07 2:42 p.m.5 views

CVE-2025-61771 Rack's multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)

Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, Rack::Multipart::Parser stores non-file form fields parts without a filename entirely in memory as Ruby String objects. A single large text field in a multipart/form-data request hundreds of megabytes or...

7.5CVSS6.3AI score0.00528EPSS
Exploits0References4
EUVD
EUVD
added 2025/10/03 8:7 p.m.7 views

EUVD-2023-48736

Malicious code in bioql PyPI...

7.5CVSS7.5AI score0.00531EPSS
Exploits0References2
Rows per page
Query Builder