Cyber Resilience

CVE-2025-27219

Medium

Published: 04 March 2025

Published
04 March 2025
Modified
03 November 2025
KEV Added
Patch
CVSS Score v3.1 5.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L
EPSS Score 0.0035 57.8th percentile
Risk Priority 12 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-27219 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Ruby-Lang Cgi. Its CVSS base score is 5.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 42.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2025-27219 is a Denial of Service (DoS) vulnerability in the CGI gem for Ruby versions before 0.4.2. Specifically, the CGI::Cookie.parse method in the CGI library fails to impose limits on the length of raw cookie values during parsing, allowing excessive resource consumption when processing extremely large cookies. This issue is cataloged under CWE-770 (Allocation of Resources Without Limits or Throttling) and carries a CVSS v3.1 base score of 5.8 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L).

The vulnerability can be exploited remotely by unauthenticated attackers with network access to a vulnerable Ruby application using the affected CGI gem. By sending HTTP requests containing oversized cookie values, an attacker can trigger high CPU or memory usage during parsing, leading to degraded performance or temporary service denial on the target system. No user interaction is required, and the low attack complexity makes it feasible for remote exploitation.

Advisories recommend upgrading to CGI gem version 0.4.2 or later to mitigate the issue, as documented in the ruby-advisory-db entry (https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27219.yml), the originating HackerOne report (https://hackerone.com/reports/2936778), and Debian LTS announcements (https://lists.debian.org/debian-lts-announce/2025/03/msg00008.html).

EU & UK References

Vulnerability details

In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Service (DoS) vulnerability. The method does not impose any limit on the length of the raw cookie value it processes.…

more

This oversight can lead to excessive resource consumption when parsing extremely large cookies.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The CVE describes a DoS vulnerability due to excessive resource consumption from parsing large cookies in Ruby's CGI gem, enabling application-level endpoint denial of service via exploitation.

MITRE ATLAS TechniquesAI

MITRE ATLAS techniques

AML.T0048: External Harms

CVEs Like This One

CVE-2025-27788Same vendor: Ruby-Lang
CVE-2025-27220Same product: Ruby-Lang Cgi
CVE-2026-46727Same vendor: Ruby-Lang
CVE-2021-47877Shared CWE-770
CVE-2026-3260Shared CWE-770
CVE-2025-66560Shared CWE-770
CVE-2025-68136Shared CWE-770
CVE-2020-37038Shared CWE-770
CVE-2025-36070Shared CWE-770
CVE-2021-47791Shared CWE-770

Affected Assets

ruby-lang
cgi
0.3.6 · ≤ 0.3.5.1 · 0.4.0 — 0.4.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires timely installation of security updates, directly mitigating the vulnerability by upgrading the CGI gem to version 0.4.2 or later where cookie parsing limits are enforced.

prevent

Implements denial-of-service protections to limit effects of resource exhaustion attacks from oversized cookie values.

prevent

Restricts the amount and characteristics of input information such as cookie sizes to prevent excessive resource consumption during parsing.

References