3 matches found
CVE-2026-54892 Plug: quadratic-time decoding of nested query/body parameters enables denial of service
Inefficient algorithmic complexity in Plug's nested-parameter decoder allows an unauthenticated remote attacker to cause denial of service. Plug.Conn.Query.decode/4 and Plug.Conn.Query.decodeeach/2 parse query strings and application/x-www-form-urlencoded request bodies. When a key contains many...
Updated ruby-rack packages fix security vulnerabilities
Unbounded-Parameter DoS in Rack::QueryParser. CVE-2025-46727 ReDoS Vulnerability in Rack::Multipart handlemimehead. CVE-2025-49007 Rack QueryParser has an unsafe default allowing paramslimit bypass via semicolon-separated parameters. CVE-2025-59830 Rack's unbounded multipart preamble buffering...
CVE-2025-61919
CVE-2025-61919 : Rack’s Rack::Request#POST reads the entire body into memory for application/x-www-form-urlencoded and can cause DoS via memory exhaustion in affected versions prior to 2.2.20, 3.1.18, and 3.2.3. The fix enforces form parameter limits (query_parser.bytesize_limit) and prevents unb...