CVE-2025-27219

Medium

Published: 04 March 2025

Published

04 March 2025

Modified

03 November 2025

KEV Added

—

Patch

—

CVSS Score 5.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L

EPSS Score 0.0039 59.9th percentile

Risk Priority 12 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-27219 is a medium-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Ruby-Lang Cgi. Its CVSS base score is 5.8 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004); ranked in the top 40.1% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application or System Exploitation (T1499.004). AI-specific risk: MITRE ATLAS External Harms (AML.T0048). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires timely installation of security updates, directly mitigating the vulnerability by upgrading the CGI gem to version 0.4.2 or later where cookie parsing limits are enforced.

SC-5 Denial-of-service Protection good match

prevent

Implements denial-of-service protections to limit effects of resource exhaustion attacks from oversized cookie values.

SI-9 Information Input Restrictions good match

prevent

Restricts the amount and characteristics of input information such as cookie sizes to prevent excessive resource consumption during parsing.

MITRE ATT&CK Enterprise TechniquesAI

T1499.004 Application or System Exploitation Impact

Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.

attack.mitre.org →

Why these techniques?

The CVE describes a DoS vulnerability due to excessive resource consumption from parsing large cookies in Ruby's CGI gem, enabling application-level endpoint denial of service via exploitation.

MITRE ATLAS TechniquesAI

MITRE ATLAS techniques

NVD Description

In the CGI gem before 0.4.2 for Ruby, the CGI::Cookie.parse method in the CGI library contains a potential Denial of Service (DoS) vulnerability. The method does not impose any limit on the length of the raw cookie value it processes.…

This oversight can lead to excessive resource consumption when parsing extremely large cookies.

Deeper analysisAI

CVE-2025-27219 is a Denial of Service (DoS) vulnerability in the CGI gem for Ruby versions before 0.4.2. Specifically, the CGI::Cookie.parse method in the CGI library fails to impose limits on the length of raw cookie values during parsing, allowing excessive resource consumption when processing extremely large cookies. This issue is cataloged under CWE-770 (Allocation of Resources Without Limits or Throttling) and carries a CVSS v3.1 base score of 5.8 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L).

The vulnerability can be exploited remotely by unauthenticated attackers with network access to a vulnerable Ruby application using the affected CGI gem. By sending HTTP requests containing oversized cookie values, an attacker can trigger high CPU or memory usage during parsing, leading to degraded performance or temporary service denial on the target system. No user interaction is required, and the low attack complexity makes it feasible for remote exploitation.

Advisories recommend upgrading to CGI gem version 0.4.2 or later to mitigate the issue, as documented in the ruby-advisory-db entry (https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27219.yml), the originating HackerOne report (https://hackerone.com/reports/2936778), and Debian LTS announcements (https://lists.debian.org/debian-lts-announce/2025/03/msg00008.html).