ruby3.4-rubygem-rack-2.2-2.2.14-1.1 on GA media SUSE Patch security@suse.de SUSE Security Team openSUSE-SU-2025:16129 Final 1 1 2025-05-08T00:00:00Z current 2025-05-08T00:00:00Z 2025-05-08T00:00:00Z cve-database/bin/generate-cvrf.pl 2017-02-24T01:00:00Z ruby3.4-rubygem-rack-2.2-2.2.14-1.1 on GA media These are all security issues fixed in the ruby3.4-rubygem-rack-2.2-2.2.14-1.1 package on the GA media of openSUSE Tumbleweed. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). openSUSE-Tumbleweed-2025-16129 Copyright SUSE LLC under the Creative Commons License 4.0 with Attribution (CC-BY-4.0) https://www.suse.com/support/security/rating/ SUSE Security Ratings https://www.suse.com/security/cve/CVE-2025-46727/ SUSE CVE CVE-2025-46727 page openSUSE Tumbleweed ruby3.4-rubygem-rack-2.2-2.2.14-1.1 ruby3.4-rubygem-rack-2.2-2.2.14-1.1 as a component of openSUSE Tumbleweed Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, and 3.1.14, `Rack::QueryParser` parses query strings and `application/x-www-form-urlencoded` bodies into Ruby data structures without imposing any limit on the number of parameters, allowing attackers to send requests with extremely large numbers of parameters. The vulnerability arises because `Rack::QueryParser` iterates over each `&`-separated key-value pair and adds it to a Hash without enforcing an upper bound on the total number of parameters. This allows an attacker to send a single request containing hundreds of thousands (or more) of parameters, which consumes excessive memory and CPU during parsing. An attacker can trigger denial of service by sending specifically crafted HTTP requests, which can cause memory exhaustion or pin CPU resources, stalling or crashing the Rack server. This results in full service disruption until the affected worker is restarted. Versions 2.2.14, 3.0.16, and 3.1.14 fix the issue. Some other mitigations are available. One may use middleware to enforce a maximum query string size or parameter count, or employ a reverse proxy (such as Nginx) to limit request sizes and reject oversized query strings or bodies. Limiting request body sizes and query string lengths at the web server or CDN level is an effective mitigation. CVE-2025-46727 openSUSE Tumbleweed:ruby3.4-rubygem-rack-2.2-2.2.14-1.1 moderate To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or "zypper patch". https://www.suse.com/security/cve/CVE-2025-46727.html CVE-2025-46727 https://bugzilla.suse.com/1242891 SUSE Bug 1242891