{"dataType": "CVE_RECORD", "cveMetadata": {"state": "PUBLISHED", "cveId": "CVE-2025-27219", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "assignerShortName": "mitre", "dateUpdated": "2025-11-03T21:13:23.842Z", "dateReserved": "2025-02-20T00:00:00.000Z", "datePublished": "2025-03-03T00:00:00.000Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "CGI", "vendor": "ruby-lang", "versions": [{"lessThan": "0.3.5.1", "status": "affected", "version": "0", "versionType": "custom"}, {"lessThan": "0.3.7", "status": "affected", "version": "0.3.6", "versionType": "custom"}, {"lessThan": "0.4.2", "status": "affected", "version": "0.4.0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "value": "In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Service (DoS) vulnerability. The method does not impose any limit on the length of the raw cookie value it processes. This oversight can lead to excessive resource consumption when parsing extremely large cookies."}], "problemTypes": [{"descriptions": [{"cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-03-03T23:38:00.413Z"}, "references": [{"url": "https://hackerone.com/reports/2936778"}, {"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27219.yml"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L"}}], "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:ruby-lang:cgi:*:*:*:*:*:*:*:*", "versionEndExcluding": "0.3.5.1"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ruby-lang:cgi:*:*:*:*:*:*:*:*", "versionStartIncluding": "0.3.6", "versionEndExcluding": "0.3.7"}, {"vulnerable": true, "criteria": "cpe:2.3:a:ruby-lang:cgi:*:*:*:*:*:*:*:*", "versionStartIncluding": "0.4.0", "versionEndExcluding": "0.4.2"}]}]}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-03-04T16:41:05.727608Z", "id": "CVE-2025-27219", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-04T16:41:20.234Z"}}, {"title": "CVE Program Container", "references": [{"url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00008.html"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2025-11-03T21:13:23.842Z"}}]}, "dataVersion": "5.2"}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-27219", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2025-03-04T16:41:05.727608Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-03-04T16:41:16.608Z"}}], "cna": {"metrics": [{"cvssV3_1": {"version": "3.1", "baseScore": 5.8, "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L"}}], "affected": [{"vendor": "ruby-lang", "product": "CGI", "versions": [{"status": "affected", "version": "0", "lessThan": "0.3.5.1", "versionType": "custom"}, {"status": "affected", "version": "0.3.6", "lessThan": "0.3.7", "versionType": "custom"}, {"status": "affected", "version": "0.4.0", "lessThan": "0.4.2", "versionType": "custom"}], "defaultStatus": "unaffected"}], "references": [{"url": "https://hackerone.com/reports/2936778"}, {"url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27219.yml"}], "x_generator": {"engine": "enrichogram 0.0.1"}, "descriptions": [{"lang": "en", "value": "In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Service (DoS) vulnerability. The method does not impose any limit on the length of the raw cookie value it processes. This oversight can lead to excessive resource consumption when parsing extremely large cookies."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-770", "description": "CWE-770 Allocation of Resources Without Limits or Throttling"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:ruby-lang:cgi:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "0.3.5.1"}, {"criteria": "cpe:2.3:a:ruby-lang:cgi:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "0.3.7", "versionStartIncluding": "0.3.6"}, {"criteria": "cpe:2.3:a:ruby-lang:cgi:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "0.4.2", "versionStartIncluding": "0.4.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "shortName": "mitre", "dateUpdated": "2025-03-03T23:38:00.413Z"}}}, "cveMetadata": {"cveId": "CVE-2025-27219", "state": "PUBLISHED", "dateUpdated": "2025-03-04T16:41:20.234Z", "dateReserved": "2025-02-20T00:00:00.000Z", "assignerOrgId": "8254265b-2729-46b6-b9e3-3dfca2d5bfca", "datePublished": "2025-03-03T00:00:00.000Z", "assignerShortName": "mitre"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:ruby-lang:cgi:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "E7161F63-FEE1-4803-A460-FE87E323B05D", "versionEndExcluding": "0.3.5.1", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:cgi:*:*:*:*:*:ruby:*:*", "matchCriteriaId": "A30117BA-C46E-44BB-A581-86E43F37D6E4", "versionEndExcluding": "0.4.2", "versionStartIncluding": "0.4.0", "vulnerable": true}, {"criteria": "cpe:2.3:a:ruby-lang:cgi:0.3.6:*:*:*:*:ruby:*:*", "matchCriteriaId": "8AE1C5F9-0743-49A2-8292-0018FEEF81E0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Service (DoS) vulnerability. The method does not impose any limit on the length of the raw cookie value it processes. This oversight can lead to excessive resource consumption when parsing extremely large cookies."}, {"lang": "es", "value": "En la gema CGI anterior a la versi\u00f3n 0.4.2 para Ruby, el m\u00e9todo CGI::Cookie.parse de la librer\u00eda CGI contiene una posible vulnerabilidad de denegaci\u00f3n de servicio (DoS). El m\u00e9todo no impone ning\u00fan l\u00edmite en la longitud del valor de cookie sin procesar que procesa. Este descuido puede provocar un consumo excesivo de recursos al analizar cookies extremadamente grandes."}], "id": "CVE-2025-27219", "lastModified": "2025-11-03T22:18:43.473", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 5.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "CHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "cve@mitre.org", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2025-03-04T00:15:31.550", "references": [{"source": "cve@mitre.org", "tags": ["Third Party Advisory"], "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27219.yml"}, {"source": "cve@mitre.org", "tags": ["Permissions Required"], "url": "https://hackerone.com/reports/2936778"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "https://lists.debian.org/debian-lts-announce/2025/03/msg00008.html"}], "sourceIdentifier": "cve@mitre.org", "vulnStatus": "Modified", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-770"}], "source": "cve@mitre.org", "type": "Secondary"}, {"description": [{"lang": "en", "value": "CWE-770"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2025:8131", "cpe": "cpe:/o:redhat:enterprise_linux:10.0", "package": "ruby-0:3.3.8-10.el10_0", "product_name": "Red Hat Enterprise Linux 10", "release_date": "2025-05-26T00:00:00Z"}, {"advisory": "RHSA-2025:10217", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "ruby:3.3-8100020250414172630.489197e6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2025-07-02T00:00:00Z"}, {"advisory": "RHSA-2025:4063", "cpe": "cpe:/a:redhat:enterprise_linux:8", "package": "ruby:3.1-8100020250407112943.489197e6", "product_name": "Red Hat Enterprise Linux 8", "release_date": "2025-04-23T00:00:00Z"}, {"advisory": "RHSA-2025:4487", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "ruby-0:3.0.7-165.el9_5", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-05-06T00:00:00Z"}, {"advisory": "RHSA-2025:4488", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "ruby:3.1-9050020250404144903.9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-05-06T00:00:00Z"}, {"advisory": "RHSA-2025:4493", "cpe": "cpe:/a:redhat:enterprise_linux:9", "package": "ruby:3.3-9050020250415095239.9", "product_name": "Red Hat Enterprise Linux 9", "release_date": "2025-05-06T00:00:00Z"}], "bugzilla": {"description": "CGI: Denial of Service in CGI::Cookie.parse", "id": "2349699", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2349699"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", "status": "verified"}, "cwe": "CWE-770", "details": ["In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Service (DoS) vulnerability. The method does not impose any limit on the length of the raw cookie value it processes. This oversight can lead to excessive resource consumption when parsing extremely large cookies.", "A flaw was found in Ruby's CGI gem. Processing specially crafted large cookies with the CGI::Cookie.parse method can cause excessive resource consumption due to a missing limit on the length of the raw cookie value, resulting in a denial of service."], "mitigation": {"lang": "en:us", "value": "Do not process large cookies or strings with the CGI::Cookie.parse method from the CGI library. Adding a check to verify and limit the length of the cookie or string before processing it will mitigate this vulnerability."}, "name": "CVE-2025-27219", "package_state": [{"cpe": "cpe:/o:redhat:enterprise_linux:6", "fix_state": "Out of support scope", "package_name": "ruby", "product_name": "Red Hat Enterprise Linux 6"}, {"cpe": "cpe:/o:redhat:enterprise_linux:7", "fix_state": "Out of support scope", "package_name": "ruby", "product_name": "Red Hat Enterprise Linux 7"}, {"cpe": "cpe:/o:redhat:enterprise_linux:8", "fix_state": "Out of support scope", "package_name": "ruby:2.5/ruby", "product_name": "Red Hat Enterprise Linux 8"}], "public_date": "2025-03-03T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2025-27219\nhttps://nvd.nist.gov/vuln/detail/CVE-2025-27219\nhttps://www.ruby-lang.org/en/news/2025/02/26/security-advisories/"], "statement": "This issue will cause an excessive resource consumption, potentially resulting in a bad application performance. However, an attacker does have the ability to completely deny service to legitimate users. For this reason, this vulnerability has been rated with a moderate severity.\nWithin regulated environments, a combination of the following controls acts as a significant barrier to successfully exploiting a CWE-770: Allocation of Resources Without Limits or Throttling vulnerability and therefore downgrades the severity of this particular CVE from Moderate to Low.\nThe platform enforces hardening guidelines to apply the most restrictive settings required for operations, while baseline configurations maintain secure system and software states. A defense-in-depth monitoring strategy includes perimeter firewalls and endpoint protection services that detect excessive resource usage caused by malicious activity or system misconfigurations. In the event of exploitation, process isolation ensures workloads operate in separate environments, preventing any single process from overconsuming CPU or memory and degrading system performance.", "threat_severity": "Moderate"}