CVE-2025-27219

In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Service (DoS) vulnerability. The method does not impose any limit on the length of the raw cookie value it processes. This oversight can lead to excessive resource consumption when parsing extremely large cookies.

CVSS v3 5.8 MEDIUM

5.8^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 3.9 / Impact : 1.4

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact NONE

Integrity Impact NONE

Availability Impact LOW

Scope CHANGED

References

Link	Resource
https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27219.yml	Third Party Advisory
https://hackerone.com/reports/2936778	Permissions Required

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:ruby-lang:cgi::::::ruby::*
	cpe:2.3:a:ruby-lang:cgi::::::ruby::*
	cpe:2.3:a:ruby-lang:cgi:0.3.6:::::ruby::

History

05 Mar 2025, 14:05

Type	Values Removed	Values Added
Summary		(es) En la gema CGI anterior a la versión 0.4.2 para Ruby, el método CGI::Cookie.parse de la librería CGI contiene una posible vulnerabilidad de denegación de servicio (DoS). El método no impone ningún límite en la longitud del valor de cookie sin procesar que procesa. Este descuido puede provocar un consumo excesivo de recursos al analizar cookies extremadamente grandes.
References	~~() https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27219.yml -~~	() https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27219.yml - Third Party Advisory
References	~~() https://hackerone.com/reports/2936778 -~~	() https://hackerone.com/reports/2936778 - Permissions Required
First Time		Ruby-lang cgi Ruby-lang
CPE		cpe:2.3:a:ruby-lang:cgi::::::ruby::* cpe:2.3:a:ruby-lang:cgi:0.3.6:::::ruby::

04 Mar 2025, 00:15

Type	Values Removed	Values Added
New CVE

Information

Published : 2025-03-04 00:15

Updated : 2025-03-05 14:05

NVD link : CVE-2025-27219

Mitre link : CVE-2025-27219

CVE.ORG link : CVE-2025-27219

JSON object : View

Products Affected

ruby-lang

cgi

CWE

CWE-770

Allocation of Resources Without Limits or Throttling

{"id": "CVE-2025-27219", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "cve@mitre.org", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.8, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 1.4, "exploitabilityScore": 3.9}, {"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}, "impactScore": 3.6, "exploitabilityScore": 3.9}]}, "published": "2025-03-04T00:15:31.550", "references": [{"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27219.yml", "tags": ["Third Party Advisory"], "source": "cve@mitre.org"}, {"url": "https://hackerone.com/reports/2936778", "tags": ["Permissions Required"], "source": "cve@mitre.org"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "cve@mitre.org", "description": [{"lang": "en", "value": "CWE-770"}]}, {"type": "Secondary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-770"}]}], "descriptions": [{"lang": "en", "value": "In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Service (DoS) vulnerability. The method does not impose any limit on the length of the raw cookie value it processes. This oversight can lead to excessive resource consumption when parsing extremely large cookies."}, {"lang": "es", "value": "En la gema CGI anterior a la versi\u00f3n 0.4.2 para Ruby, el m\u00e9todo CGI::Cookie.parse de la librer\u00eda CGI contiene una posible vulnerabilidad de denegaci\u00f3n de servicio (DoS). El m\u00e9todo no impone ning\u00fan l\u00edmite en la longitud del valor de cookie sin procesar que procesa. Este descuido puede provocar un consumo excesivo de recursos al analizar cookies extremadamente grandes."}], "lastModified": "2025-03-05T14:05:15.387", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ruby-lang:cgi:*:*:*:*:*:ruby:*:*", "vulnerable": true, "matchCriteriaId": "E7161F63-FEE1-4803-A460-FE87E323B05D", "versionEndExcluding": "0.3.5.1"}, {"criteria": "cpe:2.3:a:ruby-lang:cgi:*:*:*:*:*:ruby:*:*", "vulnerable": true, "matchCriteriaId": "A30117BA-C46E-44BB-A581-86E43F37D6E4", "versionEndExcluding": "0.4.2", "versionStartIncluding": "0.4.0"}, {"criteria": "cpe:2.3:a:ruby-lang:cgi:0.3.6:*:*:*:*:ruby:*:*", "vulnerable": true, "matchCriteriaId": "8AE1C5F9-0743-49A2-8292-0018FEEF81E0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}