{
  "threat_severity" : "Moderate",
  "public_date" : "2025-09-25T14:37:06Z",
  "bugzilla" : {
    "description" : "rubygem-rack: Rack QueryParser has an unsafe default allowing params_limit bypass via semicolon-separated parameters",
    "id" : "2398167",
    "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2398167"
  },
  "cvss3" : {
    "cvss3_base_score" : "7.5",
    "cvss3_scoring_vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
    "status" : "verified"
  },
  "cwe" : "CWE-770",
  "details" : [ "Rack is a modular Ruby web server interface. Prior to version 2.2.18, Rack::QueryParser enforces its params_limit only for parameters separated by &, while still splitting on both & and ;. As a result, attackers could use ; separators to bypass the parameter count limit and submit more parameters than intended. Applications or middleware that directly invoke Rack::QueryParser with its default configuration (no explicit delimiter) could be exposed to increased CPU and memory consumption. This can be abused as a limited denial-of-service vector. This issue has been patched in version 2.2.18.", "An unsafe default behavior in Rack::QueryParser allows bypass of the params_limit parameter count restriction when query string parameters are delimited by semicolons (;) rather than ampersands (&). The parser counts only & when enforcing the limit, while still splitting on both & and ;. As a result, an attacker can supply a crafted HTTP query using ; delimiters to exceed the intended parameter count, potentially causing performance degradation or exhaustion of resources (denial of service)." ],
  "statement" : "The overall severity of this flaw is Moderate, because most Rack applications are not directly impacted. The vulnerability primarily affects applications or middleware that invoke Rack::QueryParser directly using its default configuration, which accepts both & and ; as parameter delimiters. This behavior can lead to excessive CPU or memory consumption, resulting in only a limited denial-of-service condition.\nFor typical applications using Rack::Request, the default request-handling flow applies safe parsing logic and does not exhibit the vulnerable behavior.\nIn summary, while the theoretical severity is High, the practical impact is generally Moderate to Low for standard configurations.\nAffectedness:\nIt should be noted that starting from Rack v3.x, the framework no longer splits query parameters on semicolons. This change was introduced in commit ef1fc0c44e6a4b77c8fcf9b4f3bfa09f04ae8482, effectively mitigating this issue in newer releases.\nRack 1.x is also not affected by this vulnerability. The vulnerable parsing logic was introduced in Rack 2.x; earlier versions use a simpler query parsing mechanism that does not expose the same resource exhaustion risk.\nAdditionally, Ruby 2.x and 3.x versions shipped with Red Hat Enterprise Linux are not affected, as they do not bundle the rack RubyGem by default. Rack is a third-party gem that must be installed separately.",
  "affected_release" : [ {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-11-03T00:00:00Z",
    "advisory" : "RHSA-2025:19513",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.0",
    "package" : "pcs-0:0.12.0-3.el10_0.3"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "release_date" : "2025-11-11T00:00:00Z",
    "advisory" : "RHSA-2025:21036",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10.1",
    "package" : "pcs-0:0.12.1-1.el10_1.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "release_date" : "2025-11-04T00:00:00Z",
    "advisory" : "RHSA-2025:19719",
    "cpe" : "cpe:/a:redhat:enterprise_linux:8::highavailability",
    "package" : "pcs-0:0.10.18-2.el8_10.7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Advanced Mission Critical Update Support",
    "release_date" : "2025-11-10T00:00:00Z",
    "advisory" : "RHSA-2025:19948",
    "cpe" : "cpe:/a:redhat:rhel_aus:8.4::highavailability",
    "package" : "pcs-0:0.10.8-1.el8_4.8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.4 Extended Update Support Long-Life Add-On",
    "release_date" : "2025-11-10T00:00:00Z",
    "advisory" : "RHSA-2025:19948",
    "cpe" : "cpe:/a:redhat:rhel_eus_long_life:8.4::highavailability",
    "package" : "pcs-0:0.10.8-1.el8_4.8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Telecommunications Update Service",
    "release_date" : "2025-11-04T00:00:00Z",
    "advisory" : "RHSA-2025:19734",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.6::highavailability",
    "package" : "pcs-0:0.10.12-6.el8_6.10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.6 Update Services for SAP Solutions",
    "release_date" : "2025-11-04T00:00:00Z",
    "advisory" : "RHSA-2025:19734",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.6::highavailability",
    "package" : "pcs-0:0.10.12-6.el8_6.10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Telecommunications Update Service",
    "release_date" : "2025-11-04T00:00:00Z",
    "advisory" : "RHSA-2025:19647",
    "cpe" : "cpe:/a:redhat:rhel_tus:8.8::highavailability",
    "package" : "pcs-0:0.10.15-4.el8_8.9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8.8 Update Services for SAP Solutions",
    "release_date" : "2025-11-04T00:00:00Z",
    "advisory" : "RHSA-2025:19647",
    "cpe" : "cpe:/a:redhat:rhel_e4s:8.8::highavailability",
    "package" : "pcs-0:0.10.15-4.el8_8.9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-11-03T00:00:00Z",
    "advisory" : "RHSA-2025:19512",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9::highavailability",
    "package" : "pcs-0:0.11.9-2.el9_6.2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "release_date" : "2025-11-11T00:00:00Z",
    "advisory" : "RHSA-2025:20962",
    "cpe" : "cpe:/a:redhat:enterprise_linux:9::highavailability",
    "package" : "pcs-0:0.11.10-1.el9_7.1"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.0 Update Services for SAP Solutions",
    "release_date" : "2025-11-05T00:00:00Z",
    "advisory" : "RHSA-2025:19800",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.0::highavailability",
    "package" : "pcs-0:0.11.1-10.el9_0.9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.2 Update Services for SAP Solutions",
    "release_date" : "2025-11-04T00:00:00Z",
    "advisory" : "RHSA-2025:19733",
    "cpe" : "cpe:/a:redhat:rhel_e4s:9.2::highavailability",
    "package" : "pcs-0:0.11.4-7.el9_2.6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9.4 Extended Update Support",
    "release_date" : "2025-11-04T00:00:00Z",
    "advisory" : "RHSA-2025:19736",
    "cpe" : "cpe:/a:redhat:rhel_eus:9.4::highavailability",
    "package" : "pcs-0:0.11.7-2.el9_4.5"
  }, {
    "product_name" : "Red Hat Satellite 6.15 for RHEL 8",
    "release_date" : "2025-11-06T00:00:00Z",
    "advisory" : "RHSA-2025:19856",
    "cpe" : "cpe:/a:redhat:satellite:6.15::el8",
    "package" : "rubygem-rack-0:2.2.20-1.el8sat"
  }, {
    "product_name" : "Red Hat Satellite 6.15 for RHEL 8",
    "release_date" : "2025-11-06T00:00:00Z",
    "advisory" : "RHSA-2025:19856",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.15::el8",
    "package" : "rubygem-rack-0:2.2.20-1.el8sat"
  }, {
    "product_name" : "Red Hat Satellite 6.16 for RHEL 8",
    "release_date" : "2025-11-06T00:00:00Z",
    "advisory" : "RHSA-2025:19855",
    "cpe" : "cpe:/a:redhat:satellite:6.16::el8",
    "package" : "rubygem-rack-0:2.2.20-1.el8sat"
  }, {
    "product_name" : "Red Hat Satellite 6.16 for RHEL 8",
    "release_date" : "2025-11-06T00:00:00Z",
    "advisory" : "RHSA-2025:19855",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.16::el8",
    "package" : "rubygem-rack-0:2.2.20-1.el8sat"
  }, {
    "product_name" : "Red Hat Satellite 6.16 for RHEL 9",
    "release_date" : "2025-11-06T00:00:00Z",
    "advisory" : "RHSA-2025:19855",
    "cpe" : "cpe:/a:redhat:satellite:6.16::el9",
    "package" : "rubygem-rack-0:2.2.20-1.el9sat"
  }, {
    "product_name" : "Red Hat Satellite 6.16 for RHEL 9",
    "release_date" : "2025-11-06T00:00:00Z",
    "advisory" : "RHSA-2025:19855",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.16::el9",
    "package" : "rubygem-rack-0:2.2.20-1.el9sat"
  }, {
    "product_name" : "Red Hat Satellite 6.17 for RHEL 9",
    "release_date" : "2025-11-05T00:00:00Z",
    "advisory" : "RHSA-2025:19832",
    "cpe" : "cpe:/a:redhat:satellite:6.17::el9",
    "package" : "rubygem-rack-0:2.2.20-1.el9sat"
  }, {
    "product_name" : "Red Hat Satellite 6.17 for RHEL 9",
    "release_date" : "2025-11-05T00:00:00Z",
    "advisory" : "RHSA-2025:19832",
    "cpe" : "cpe:/a:redhat:satellite_capsule:6.17::el9",
    "package" : "rubygem-rack-0:2.2.20-1.el9sat"
  } ],
  "package_state" : [ {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "openshift-logging/cluster-logging-operator-bundle",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "openshift-logging/cluster-logging-rhel9-operator",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "openshift-logging/eventrouter-rhel9",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "openshift-logging/fluentd-rhel8",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "openshift-logging/fluentd-rhel9",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "openshift-logging/log-file-metric-exporter-rhel9",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "openshift-logging/logging-view-plugin-rhel9",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "Logging Subsystem for Red Hat OpenShift",
    "fix_state" : "Not affected",
    "package_name" : "openshift-logging/vector-rhel9",
    "cpe" : "cpe:/a:redhat:logging:5"
  }, {
    "product_name" : "OpenShift Service Mesh 2",
    "fix_state" : "Out of support scope",
    "package_name" : "openshift-service-mesh/grafana-rhel8",
    "cpe" : "cpe:/a:redhat:service_mesh:2"
  }, {
    "product_name" : "OpenShift Service Mesh 2",
    "fix_state" : "Out of support scope",
    "package_name" : "openshift-service-mesh/istio-cni-rhel8",
    "cpe" : "cpe:/a:redhat:service_mesh:2"
  }, {
    "product_name" : "OpenShift Service Mesh 2",
    "fix_state" : "Out of support scope",
    "package_name" : "openshift-service-mesh/istio-must-gather-rhel9",
    "cpe" : "cpe:/a:redhat:service_mesh:2"
  }, {
    "product_name" : "OpenShift Service Mesh 2",
    "fix_state" : "Out of support scope",
    "package_name" : "openshift-service-mesh/istio-operator-bundle",
    "cpe" : "cpe:/a:redhat:service_mesh:2"
  }, {
    "product_name" : "OpenShift Service Mesh 2",
    "fix_state" : "Out of support scope",
    "package_name" : "openshift-service-mesh/istio-rhel8-operator",
    "cpe" : "cpe:/a:redhat:service_mesh:2"
  }, {
    "product_name" : "OpenShift Service Mesh 2",
    "fix_state" : "Out of support scope",
    "package_name" : "openshift-service-mesh/pilot-rhel8",
    "cpe" : "cpe:/a:redhat:service_mesh:2"
  }, {
    "product_name" : "OpenShift Service Mesh 2",
    "fix_state" : "Out of support scope",
    "package_name" : "openshift-service-mesh/proxyv2-rhel9",
    "cpe" : "cpe:/a:redhat:service_mesh:2"
  }, {
    "product_name" : "OpenShift Service Mesh 2",
    "fix_state" : "Out of support scope",
    "package_name" : "openshift-service-mesh/ratelimit-rhel8",
    "cpe" : "cpe:/a:redhat:service_mesh:2"
  }, {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Will not fix",
    "package_name" : "3scale-amp21/zync",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Will not fix",
    "package_name" : "3scale-amp22/zync",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Will not fix",
    "package_name" : "3scale-amp24/zync",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Will not fix",
    "package_name" : "3scale-amp25/zync",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Will not fix",
    "package_name" : "3scale-amp26/zync",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Will not fix",
    "package_name" : "3scale-amp2/zync-rhel7",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Will not fix",
    "package_name" : "3scale-amp2/zync-rhel8",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat 3scale API Management Platform 2",
    "fix_state" : "Will not fix",
    "package_name" : "3scale-amp2/zync-rhel9",
    "cpe" : "cpe:/a:redhat:red_hat_3scale_amp:2"
  }, {
    "product_name" : "Red Hat Enterprise Linux 10",
    "fix_state" : "Not affected",
    "package_name" : "ruby",
    "cpe" : "cpe:/o:redhat:enterprise_linux:10"
  }, {
    "product_name" : "Red Hat Enterprise Linux 6",
    "fix_state" : "Not affected",
    "package_name" : "ruby",
    "cpe" : "cpe:/o:redhat:enterprise_linux:6"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "pcs",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 7",
    "fix_state" : "Not affected",
    "package_name" : "ruby",
    "cpe" : "cpe:/o:redhat:enterprise_linux:7"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "ruby:2.5/ruby",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 8",
    "fix_state" : "Not affected",
    "package_name" : "ruby:3.3/ruby",
    "cpe" : "cpe:/o:redhat:enterprise_linux:8"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "ruby",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat Enterprise Linux 9",
    "fix_state" : "Not affected",
    "package_name" : "ruby:3.3/ruby",
    "cpe" : "cpe:/o:redhat:enterprise_linux:9"
  }, {
    "product_name" : "Red Hat OpenShift Container Platform 4",
    "fix_state" : "Not affected",
    "package_name" : "rhcos",
    "cpe" : "cpe:/a:redhat:openshift:4"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Not affected",
    "package_name" : "rhosp13/openstack-cinder-backup",
    "cpe" : "cpe:/a:redhat:openstack:13"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Not affected",
    "package_name" : "rhosp13/openstack-cinder-volume",
    "cpe" : "cpe:/a:redhat:openstack:13"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Not affected",
    "package_name" : "rhosp13/openstack-haproxy",
    "cpe" : "cpe:/a:redhat:openstack:13"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Not affected",
    "package_name" : "rhosp13/openstack-manila-share",
    "cpe" : "cpe:/a:redhat:openstack:13"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Not affected",
    "package_name" : "rhosp13/openstack-mariadb",
    "cpe" : "cpe:/a:redhat:openstack:13"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Not affected",
    "package_name" : "rhosp13/openstack-ovn-northd",
    "cpe" : "cpe:/a:redhat:openstack:13"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Not affected",
    "package_name" : "rhosp13/openstack-rabbitmq",
    "cpe" : "cpe:/a:redhat:openstack:13"
  }, {
    "product_name" : "Red Hat OpenStack Platform 13 (Queens)",
    "fix_state" : "Not affected",
    "package_name" : "rhosp13/openstack-redis",
    "cpe" : "cpe:/a:redhat:openstack:13"
  }, {
    "product_name" : "Red Hat Satellite 6",
    "fix_state" : "Affected",
    "package_name" : "satellite:el8/rubygem-rack",
    "cpe" : "cpe:/a:redhat:satellite:6"
  } ],
  "references" : [ "https://www.cve.org/CVERecord?id=CVE-2025-59830\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-59830\nhttps://github.com/rack/rack/commit/54e4ffdd5affebcb0c015cc6ae74635c0831ed71\nhttps://github.com/rack/rack/security/advisories/GHSA-625h-95r8-8xpm" ],
  "name" : "CVE-2025-59830",
  "mitigation" : {
    "value" : "No action is required for typical Rack applications that use the framework’s default request-handling mechanisms, as these are not impacted.\nFor custom implementations or middleware that directly invoke Rack::QueryParser, administrators should:\nUse explicit delimiters: Configure QueryParser to use a specific delimiter (e.g. &) rather than accepting both & and ;.\nLimit request size and parameters: Enforce request size and parameter count limits at upstream layers (such as a web server, reverse proxy, or WAF) to prevent excessive resource consumption.\nPrefer safe APIs: Use Rack::Request or other higher-level request parsing APIs, which apply safe defaults and avoid this vulnerability.",
    "lang" : "en:us"
  },
  "csaw" : false
}