MEDIUM 5.8 RubyGems
CGI has Denial of Service (DoS) potential in Cookie.parse
GHSA-gh9q-2xrm-x6qv · CVE-2025-27219
Published · Modified
Description
There is a possibility for DoS by in the cgi gem.
This vulnerability has been assigned the CVE identifier CVE-2025-27219. We recommend upgrading the cgi gem.
Details
CGI::Cookie.parse took super-linear time to parse a cookie string in some cases. Feeding a maliciously crafted cookie string into the method could lead to a Denial of Service.
Please update CGI gem to version 0.3.5.1, 0.3.7, 0.4.2 or later.
Affected versions
cgi gem versions <= 0.3.5, 0.3.6, 0.4.0 and 0.4.1.
Credits
Thanks to lio346 for discovering this issue.
Also thanks to mame for fixing this vulnerability.
References
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2025-27219
- WEB https://github.com/ruby/cgi/pull/52
- WEB https://github.com/ruby/cgi/pull/53
- WEB https://github.com/ruby/cgi/pull/54
- WEB https://hackerone.com/reports/2936778
- PACKAGE https://github.com/ruby/cgi
- WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27219.yml
- WEB https://lists.debian.org/debian-lts-announce/2025/03/msg00008.html
- WEB https://www.cve.org/CVERecord?id=CVE-2025-27219
Ready to move
Start Securing
Free, no credit card | First findings in minutes