USN-7960-1: Rack vulnerabilities

USN-7960-1: Rack vulnerabilities

Publication date: 14 January 2026
Overview: Several security issues were fixed in Rack.

Packages
ruby-rack - modular Ruby webserver interface

Details
It was discovered that Rack incorrectly handled certain query parameters.
An attacker could possibly use this issue to cause a limited denial of
service. This issue was only addressed in Ubuntu 20.04 LTS and
Ubuntu 22.04 LTS. (CVE-2025-59830)

It was discovered that Rack did not properly handle certain multipart
form data. An attacker could possibly use this issue to cause memory
exhaustion, leading to a denial of service. This issue was only addressed
in Ubuntu 22.04 LTS, Ubuntu 24.04 LTS and Ubuntu 25.10.
(CVE-2025-61770, CVE-2025-61772)

It was discovered that Rack did not properly handle certain form fields.
An attacker could possibly use this issue to cause memory exhaustion,
leading to a denial of service. This issue was only addressed in Ubuntu
22.04 LTS, Ubuntu 24.04 LTS and Ubuntu 25.10. (CVE-2025-61771)

It was discovered that Rack did not properly handle certain headers. An
attacker could possibly use this issue to bypass proxy access
restrictions and obtain sensitive information. (CVE-2025-61780)

Tomoya Yamashita discovered that Rack did not properly manage memory
under certain circumstances. An attacker could possibly use this issue to
cause memory exhaustion, leading to a denial of service. This issue was
only addressed in Ubuntu 20.04 LTS, Ubuntu 22.04 LTS, Ubuntu 24.04 LTS
and Ubuntu 25.10. (CVE-2025-61919)

Update instructions
In general, a standard system update will make all the necessary changes.

The problem can be corrected by updating your system to the following package versions:

• 25.10 questing ruby-rack – 3.1.16-0.1ubuntu0.1
• 24.04 LTS noble ruby-rack – 2.2.7-1ubuntu0.5
• 22.04 LTS jammy ruby-rack – 2.1.4-5ubuntu1.2
• 20.04 LTS focal ruby-rack – 2.0.7-2ubuntu0.1+esm8
• 18.04 LTS bionic ruby-rack – 1.6.4-4ubuntu0.2+esm9
• 16.04 LTS xenial ruby-rack – 1.6.4-3ubuntu0.2+esm9