{"id":"USN-7960-1","summary":"ruby-rack vulnerabilities","details":"It was discovered that Rack incorrectly handled certain query parameters.\nAn attacker could possibly use this issue to cause a limited denial of\nservice. This issue was only addressed in Ubuntu 20.04 LTS and\nUbuntu 22.04 LTS. (CVE-2025-59830)\n\nIt was discovered that Rack did not properly handle certain multipart\nform data. An attacker could possibly use this issue to cause memory\nexhaustion, leading to a denial of service. This issue was only addressed\nin Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and Ubuntu 25.10.\n(CVE-2025-61770, CVE-2025-61772)\n\nIt was discovered that Rack did not properly handle certain form fields.\nAn attacker could possibly use this issue to cause memory exhaustion,\nleading to a denial of service. This issue was only addressed in Ubuntu\n22.04 LTS, Ubuntu 24.04 LTS and Ubuntu 25.10. (CVE-2025-61771)\n\nIt was discovered that Rack did not properly handle certain headers. An\nattacker could possibly use this issue to bypass proxy access\nrestrictions and obtain sensitive information. (CVE-2025-61780)\n\nTomoya Yamashita discovered that Rack did not properly manage memory\nunder certain circumstances. An attacker could possibly use this issue to\ncause memory exhaustion, leading to a denial of service. This issue was\nonly addressed in Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS\nand Ubuntu 25.10. (CVE-2025-61919)","modified":"2026-02-10T04:50:48Z","published":"2026-01-14T09:59:03Z","related":["UBUNTU-CVE-2025-46727","UBUNTU-CVE-2025-59830","UBUNTU-CVE-2025-61770","UBUNTU-CVE-2025-61771","UBUNTU-CVE-2025-61772","UBUNTU-CVE-2025-61780","UBUNTU-CVE-2025-61919"],"upstream":["CVE-2025-59830","CVE-2025-61770","CVE-2025-61771","CVE-2025-61772","CVE-2025-61780","CVE-2025-61919","UBUNTU-CVE-2025-59830","UBUNTU-CVE-2025-61770","UBUNTU-CVE-2025-61771","UBUNTU-CVE-2025-61772","UBUNTU-CVE-2025-61780","UBUNTU-CVE-2025-61919"],"references":[{"type":"ADVISORY","url":"https://ubuntu.com/security/notices/USN-7960-1"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-59830"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-61770"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-61771"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-61772"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-61780"},{"type":"REPORT","url":"https://ubuntu.com/security/CVE-2025-61919"}],"affected":[{"package":{"name":"ruby-rack","ecosystem":"Ubuntu:Pro:16.04:LTS","purl":"pkg:deb/ubuntu/ruby-rack@1.6.4-3ubuntu0.2+esm9?arch=source&distro=esm-apps/xenial"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.6.4-3ubuntu0.2+esm9"}]}],"versions":["1.5.2-4","1.6.4-2","1.6.4-3","1.6.4-3ubuntu0.1","1.6.4-3ubuntu0.2","1.6.4-3ubuntu0.2+esm1","1.6.4-3ubuntu0.2+esm2","1.6.4-3ubuntu0.2+esm4","1.6.4-3ubuntu0.2+esm5","1.6.4-3ubuntu0.2+esm6","1.6.4-3ubuntu0.2+esm7","1.6.4-3ubuntu0.2+esm8"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","binaries":[{"binary_version":"1.6.4-3ubuntu0.2+esm9","binary_name":"ruby-rack"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7960-1.json","cves_map":{"cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2025-61780"}],"ecosystem":"Ubuntu:Pro:16.04:LTS"}}},{"package":{"name":"ruby-rack","ecosystem":"Ubuntu:Pro:18.04:LTS","purl":"pkg:deb/ubuntu/ruby-rack@1.6.4-4ubuntu0.2+esm9?arch=source&distro=esm-apps/bionic"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"1.6.4-4ubuntu0.2+esm9"}]}],"versions":["1.6.4-4","1.6.4-4ubuntu0.1","1.6.4-4ubuntu0.2","1.6.4-4ubuntu0.2+esm1","1.6.4-4ubuntu0.2+esm2","1.6.4-4ubuntu0.2+esm4","1.6.4-4ubuntu0.2+esm5","1.6.4-4ubuntu0.2+esm6","1.6.4-4ubuntu0.2+esm7","1.6.4-4ubuntu0.2+esm8"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","binaries":[{"binary_version":"1.6.4-4ubuntu0.2+esm9","binary_name":"ruby-rack"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7960-1.json","cves_map":{"cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2025-61780"}],"ecosystem":"Ubuntu:Pro:18.04:LTS"}}},{"package":{"name":"ruby-rack","ecosystem":"Ubuntu:Pro:20.04:LTS","purl":"pkg:deb/ubuntu/ruby-rack@2.0.7-2ubuntu0.1+esm8?arch=source&distro=esm-apps/focal"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.0.7-2ubuntu0.1+esm8"}]}],"versions":["2.0.6-3","2.0.7-2","2.0.7-2ubuntu0.1","2.0.7-2ubuntu0.1+esm1","2.0.7-2ubuntu0.1+esm2","2.0.7-2ubuntu0.1+esm3","2.0.7-2ubuntu0.1+esm4","2.0.7-2ubuntu0.1+esm5","2.0.7-2ubuntu0.1+esm6","2.0.7-2ubuntu0.1+esm7"],"ecosystem_specific":{"availability":"Available with Ubuntu Pro: https://ubuntu.com/pro","binaries":[{"binary_version":"2.0.7-2ubuntu0.1+esm8","binary_name":"ruby-rack"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7960-1.json","cves_map":{"cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2025-59830"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2025-61780"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2025-61919"}],"ecosystem":"Ubuntu:Pro:20.04:LTS"}}},{"package":{"name":"ruby-rack","ecosystem":"Ubuntu:22.04:LTS","purl":"pkg:deb/ubuntu/ruby-rack@2.1.4-5ubuntu1.2?arch=source&distro=jammy"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.1.4-5ubuntu1.2"}]}],"versions":["2.1.4-3","2.1.4-4","2.1.4-5","2.1.4-5ubuntu1","2.1.4-5ubuntu1.1"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_version":"2.1.4-5ubuntu1.2","binary_name":"ruby-rack"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7960-1.json","cves_map":{"cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2025-59830"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2025-61770"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2025-61771"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2025-61772"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2025-61780"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2025-61919"}],"ecosystem":"Ubuntu:22.04:LTS"}}},{"package":{"name":"ruby-rack","ecosystem":"Ubuntu:24.04:LTS","purl":"pkg:deb/ubuntu/ruby-rack@2.2.7-1ubuntu0.5?arch=source&distro=noble"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.2.7-1ubuntu0.5"}]}],"versions":["2.2.4-3","2.2.7-1","2.2.7-1ubuntu0.1","2.2.7-1ubuntu0.2","2.2.7-1ubuntu0.3","2.2.7-1ubuntu0.4"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_version":"2.2.7-1ubuntu0.5","binary_name":"ruby-rack"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7960-1.json","cves_map":{"cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2025-61770"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2025-61771"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2025-61772"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2025-61780"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2025-61919"}],"ecosystem":"Ubuntu:24.04:LTS"}}},{"package":{"name":"ruby-rack","ecosystem":"Ubuntu:25.10","purl":"pkg:deb/ubuntu/ruby-rack@3.1.16-0.1ubuntu0.1?arch=source&distro=questing"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.1.16-0.1ubuntu0.1"}]}],"versions":["2.2.7-1.1","3.1.16-0.1"],"ecosystem_specific":{"availability":"No subscription required","binaries":[{"binary_version":"3.1.16-0.1ubuntu0.1","binary_name":"ruby-rack"}]},"database_specific":{"source":"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/usn/USN-7960-1.json","cves_map":{"cves":[{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2025-61770"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2025-61771"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2025-61772"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N"},{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2025-61780"},{"severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"},{"type":"Ubuntu","score":"medium"}],"id":"CVE-2025-61919"}],"ecosystem":"Ubuntu:25.10"}}}],"schema_version":"1.7.3"}