CVE-2025-27219 (cgi): CVE-2025-27219 - Denial of Service in CGI::Cookie.parse

CVE-2025-27219 - Denial of Service in CGI::Cookie.parse

Published: February 26, 2025

SECURITY IDENTIFIERS

CVE: CVE-2025-27219 (NVD)
GHSA: GHSA-gh9q-2xrm-x6qv

GEM

cgi

SEVERITY

CVSS v3.x: 5.8 (Medium)

PATCHED VERSIONS

~> 0.3.5.1 ~> 0.3.7 >= 0.4.2

DESCRIPTION

There is a possibility for DoS by in the cgi gem. This vulnerability has been assigned the CVE identifier CVE-2025-27219. We recommend upgrading the cgi gem.

Details

CGI::Cookie.parse took super-linear time to parse a cookie string in some cases. Feeding a maliciously crafted cookie string into the method could lead to a Denial of Service.

Please update CGI gem to version 0.3.5.1, 0.3.7, 0.4.2 or later.

Affected versions

cgi gem versions <= 0.3.5, 0.3.6, 0.4.0 and 0.4.1.

Credits

Thanks to lio346 for discovering this issue. Also thanks to mame for fixing this vulnerability.

https://www.cve.org/CVERecord?id=CVE-2025-27219
https://www.suse.com/security/cve/CVE-2025-27219.html
https://hackerone.com/reports/3013913
https://www.ruby-lang.org/en/news/2025/02/26/security-advisories

RubySec