-
-
Notifications
You must be signed in to change notification settings - Fork 220
/
Copy pathCVE-2025-27219.yml
38 lines (31 loc) · 1.07 KB
/
CVE-2025-27219.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
---
gem: cgi
cve: 2025-27219
ghsa: gh9q-2xrm-x6qv
url: https://www.cve.org/CVERecord?id=CVE-2025-27219
title: CVE-2025-27219 - Denial of Service in CGI::Cookie.parse
date: 2025-02-26
description: |
There is a possibility for DoS by in the cgi gem.
This vulnerability has been assigned the CVE identifier
CVE-2025-27219. We recommend upgrading the cgi gem.
## Details
CGI::Cookie.parse took super-linear time to parse a cookie string
in some cases. Feeding a maliciously crafted cookie string into
the method could lead to a Denial of Service.
Please update CGI gem to version 0.3.5.1, 0.3.7, 0.4.2 or later.
## Affected versions
cgi gem versions <= 0.3.5, 0.3.6, 0.4.0 and 0.4.1.
## Credits
Thanks to lio346 for discovering this issue.
Also thanks to mame for fixing this vulnerability.
cvss_v3: 5.8
patched_versions:
- "~> 0.3.5.1"
- "~> 0.3.7"
- ">= 0.4.2"
related:
url:
- https://www.cve.org/CVERecord?id=CVE-2025-27219
- https://www.suse.com/security/cve/CVE-2025-27219.html
- https://www.ruby-lang.org/en/news/2025/02/26/security-advisories