chore(deps): update dependency rack to v2.2.18 [security]#2582
Merged
renovate[bot] merged 1 commit intomainfrom Sep 25, 2025
Merged
chore(deps): update dependency rack to v2.2.18 [security]#2582renovate[bot] merged 1 commit intomainfrom
renovate[bot] merged 1 commit intomainfrom
Conversation
Loading
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Coming soon: The Renovate bot (GitHub App) will be renamed to Mend. PRs from Renovate will soon appear from 'Mend'. Learn more here.
This PR contains the following updates:
2.2.17->2.2.18GitHub Vulnerability Alerts
CVE-2025-59830
Summary
Rack::QueryParserin version< 2.2.18enforces itsparams_limitonly for parameters separated by&, while still splitting on both∧. As a result, attackers could use;separators to bypass the parameter count limit and submit more parameters than intended.Details
The issue arises because
Rack::QueryParser#check_query_stringcounts only&characters when determining the number of parameters, but the default separator regexDEFAULT_SEP = /[&;] */nsplits on both∧. This mismatch means that queries using;separators were not included in the parameter count, allowingparams_limitto be bypassed.Other safeguards (
bytesize_limitandkey_space_limit) still applied, but did not prevent this particular bypass.Impact
Applications or middleware that directly invoke
Rack::QueryParserwith its default configuration (no explicit delimiter) could be exposed to increased CPU and memory consumption. This can be abused as a limited denial-of-service vector.Rack::Request, the primary entry point for typical Rack applications, usesQueryParserin a safe way and does not appear vulnerable by default. As such, the severity is considered low, with the impact limited to edge cases whereQueryParseris used directly.Mitigation
∧are counted consistently towardparams_limit.QueryParserwith an explicit delimiter (e.g.,&) to avoid the mismatch.Release Notes
rack/rack (rack)
v2.2.18Compare Source
Configuration
📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).
🚦 Automerge: Enabled.
♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.