Rack is a modular Ruby web server interface. Prior to version 2.2.18, Rack::QueryParser enforces its params_limit only for parameters separated by &, while still splitting on both & and ;. As a result, attackers could use ; separators to bypass the parameter count limit and submit more parameters than intended. Applications or middleware that directly invoke Rack::QueryParser with its default configuration (no explicit delimiter) could be exposed to increased CPU and memory consumption. This can be abused as a limited denial-of-service vector. This issue has been patched in version 2.2.18.
This issue has been addressed in the following products: Red Hat Enterprise Linux 10 Via RHSA-2025:19513 https://access.redhat.com/errata/RHSA-2025:19513
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2025:19512 https://access.redhat.com/errata/RHSA-2025:19512
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions Red Hat Enterprise Linux 8.8 Telecommunications Update Service Via RHSA-2025:19647 https://access.redhat.com/errata/RHSA-2025:19647
This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2025:19719 https://access.redhat.com/errata/RHSA-2025:19719
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions Via RHSA-2025:19733 https://access.redhat.com/errata/RHSA-2025:19733
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.6 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions Red Hat Enterprise Linux 8.6 Telecommunications Update Service Via RHSA-2025:19734 https://access.redhat.com/errata/RHSA-2025:19734
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.4 Extended Update Support Via RHSA-2025:19736 https://access.redhat.com/errata/RHSA-2025:19736
This issue has been addressed in the following products: Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions Via RHSA-2025:19800 https://access.redhat.com/errata/RHSA-2025:19800
This issue has been addressed in the following products: Red Hat Satellite 6.17 for RHEL 9 Via RHSA-2025:19832 https://access.redhat.com/errata/RHSA-2025:19832
This issue has been addressed in the following products: Red Hat Satellite 6.16 for RHEL 8 Red Hat Satellite 6.16 for RHEL 9 Via RHSA-2025:19855 https://access.redhat.com/errata/RHSA-2025:19855
This issue has been addressed in the following products: Red Hat Satellite 6.15 for RHEL 8 Via RHSA-2025:19856 https://access.redhat.com/errata/RHSA-2025:19856
This issue has been addressed in the following products: Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On Via RHSA-2025:19948 https://access.redhat.com/errata/RHSA-2025:19948
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2025:20962 https://access.redhat.com/errata/RHSA-2025:20962
This issue has been addressed in the following products: Red Hat Enterprise Linux 10 Via RHSA-2025:21036 https://access.redhat.com/errata/RHSA-2025:21036