Bug 2402174 (CVE-2025-61770)

Summary: CVE-2025-61770 rack: Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion)
Product: [Other] Security Response Reporter: OSIDB Bzimport <bzimport>
Component: vulnerabilityAssignee: Product Security DevOps Team <prodsec-dev>
Status: NEW --- QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: akostadi, amasferr, crizzo, dmayorov, eglynn, jcantril, jjoyce, jkoehler, jlledo, jschluet, jvasik, kaycoth, lhh, lphiri, lsvaty, mburns, mgarciac, mkudlej, mmakovy, pantinor, pgrist, rblanco, rojacob, sdawley, tjochec, tsedmik, vmugicag
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: ---
Doc Text:
A flaw was found in Rack where the Rack::Multipart::Parser buffers the multipart preamble memory without size limits. A remote attacker can send a crafted multipart/form-data request with a very large preamble before its first boundary, causing excessive memory consumption and denial of service crash due to out-of-memory issue.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description OSIDB Bzimport 2025-10-07 15:01:46 UTC 
Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` buffers the entire multipart preamble (bytes before the first boundary) in memory without any size limit. A client can send a large preamble followed by a valid boundary, causing significant memory use and potential process termination due to out-of-memory (OOM) conditions. Remote attackers can trigger large transient memory spikes by including a long preamble in multipart/form-data requests. The impact scales with allowed request sizes and concurrency, potentially causing worker crashes or severe slowdown due to garbage collection. Versions 2.2.19, 3.1.17, and 3.2.2 enforce a preamble size limit (e.g., 16 KiB) or discard preamble data entirely. Workarounds include limiting total request body size at the proxy or web server level and monitoring memory and set per-process limits to prevent OOM conditions.
Comment 2 errata-xmlrpc 2025-11-03 20:11:10 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:19513 https://access.redhat.com/errata/RHSA-2025:19513
Comment 3 errata-xmlrpc 2025-11-03 20:18:24 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:19512 https://access.redhat.com/errata/RHSA-2025:19512
Comment 4 errata-xmlrpc 2025-11-04 11:16:19 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.8 Telecommunications Update Service

Via RHSA-2025:19647 https://access.redhat.com/errata/RHSA-2025:19647
Comment 5 errata-xmlrpc 2025-11-04 17:00:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2025:19719 https://access.redhat.com/errata/RHSA-2025:19719
Comment 6 errata-xmlrpc 2025-11-04 19:47:33 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions

Via RHSA-2025:19733 https://access.redhat.com/errata/RHSA-2025:19733
Comment 7 errata-xmlrpc 2025-11-04 19:58:26 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions
  Red Hat Enterprise Linux 8.6 Telecommunications Update Service

Via RHSA-2025:19734 https://access.redhat.com/errata/RHSA-2025:19734
Comment 8 errata-xmlrpc 2025-11-04 23:33:42 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.4 Extended Update Support

Via RHSA-2025:19736 https://access.redhat.com/errata/RHSA-2025:19736
Comment 9 errata-xmlrpc 2025-11-05 13:07:46 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions

Via RHSA-2025:19800 https://access.redhat.com/errata/RHSA-2025:19800
Comment 10 errata-xmlrpc 2025-11-10 01:34:43 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support
  Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On

Via RHSA-2025:19948 https://access.redhat.com/errata/RHSA-2025:19948
Comment 11 errata-xmlrpc 2025-11-11 15:01:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2025:20962 https://access.redhat.com/errata/RHSA-2025:20962
Comment 12 errata-xmlrpc 2025-11-11 19:49:00 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 10

Via RHSA-2025:21036 https://access.redhat.com/errata/RHSA-2025:21036
Comment 14 errata-xmlrpc 2025-11-18 14:39:20 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7 Extended Lifecycle Support

Via RHSA-2025:21696 https://access.redhat.com/errata/RHSA-2025:21696