CVE-2025-61772 is a denial-of-service vulnerability in Rack’s multipart form-data handling, specifically in Rack::Multipart::Parser. In affected versions prior to 2.2.19, 3.1.17, and 3.2.2, the parser accumulates multipart part header data in memory until it encounters the required header terminator sequence (CRLFCRLF). If an attacker sends a multipart request in which a part’s header block never terminates correctly, the parser continues appending incoming bytes without an effective upper bound. This results in unbounded memory growth during request parsing. The issue affects Rack-based Ruby web applications that process multipart uploads. Patched releases add a per-part MIME header size limit, cited as 64 KiB, and reject oversized or unterminated part headers instead of buffering indefinitely.
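To make the failure mode and the fix concrete, here is an added illustration (not Rack's own parser code): a minimal multipart part-header reader in the unbounded form the advisory describes, beside a bounded form that applies the 64 KiB per-part cap. The sample inputs, header names and function names are constructed for this example.

```ruby
# Added example, not Rack's code. Minimal reader for one multipart part's
# header block, which ends at the first CRLFCRLF. Inputs are ASCII, so
# String#index and byte offsets coincide.
HEADER_TERMINATOR = "\r\n\r\n"
MAX_HEADER_BYTES  = 64 * 1024   # the per-part limit the patched releases cite

class HeaderTooLarge < StandardError; end

# Vulnerable shape: keep appending until the terminator appears. A stream
# that never sends CRLFCRLF grows this buffer with every chunk.
# Returns [header_or_nil, bytes_buffered] so the growth is observable.
def read_part_headers_unbounded(chunks)
  buf = +""
  chunks.each do |c|
    buf << c
    if (i = buf.index(HEADER_TERMINATOR))
      return [buf[0, i], buf.bytesize]
    end
  end
  [nil, buf.bytesize]   # terminator never seen; everything was retained
end

# Hardened shape: reject as soon as the accumulated header block exceeds
# the cap, whether or not a terminator eventually arrives.
def read_part_headers_bounded(chunks, limit: MAX_HEADER_BYTES)
  buf = +""
  chunks.each do |c|
    buf << c
    if (i = buf.index(HEADER_TERMINATOR))
      raise HeaderTooLarge, "header block is #{i} bytes" if i > limit
      return buf[0, i]
    end
    if buf.bytesize > limit
      raise HeaderTooLarge, "#{buf.bytesize} bytes buffered and no terminator"
    end
  end
  raise HeaderTooLarge, "stream ended without CRLFCRLF"
end

# Constructed sample inputs.
GOOD_PART = [
  "Content-Disposition: form-data; name=\"f\"\r\n",
  "Content-Type: text/plain\r\n\r\nbody",
]
# 2048 header lines of 72 bytes each (about 144 KiB) and never a blank line.
ENDLESS_HEADERS = Array.new(2048) { "X-Filler: #{'a' * 60}\r\n" }
```

Feeding ENDLESS_HEADERS to the unbounded reader retains all 147,456 bytes and still returns no header; the bounded reader raises HeaderTooLarge once the buffer passes 64 KiB.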
If you can't patch tonight, do this now.
client_max_body_size. More generally, limit exposure of endpoints that accept multipart uploads and apply conservative upload and concurrency limits until patched.
Patch, then assume compromise.
No public exploit code observed for this vulnerability.
A related Rack vulnerability involving multipart header parsing, mentioned as part of Rack's security history.
A denial-of-service vulnerability in Rack's multipart form-data parser that allows remote attackers to trigger unbounded memory consumption by sending multipart parts with headers that never terminate with the required blank line.