Cyber Resilience

CVE-2025-27220

Medium

Published: 04 March 2025

Modified: 03 November 2025
KEV Added: not listed
CVSS Score v3.1: 4.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L)
EPSS Score: 0.0025 (48.2nd percentile)
Risk Priority: 8 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-27220 is a medium-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in Ruby-Lang Cgi. Its CVSS base score is 4.0 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003). Its EPSS score places it at the 48.2nd percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-5 (Denial-of-service Protection).

Deeper analysis

CVE-2025-27220 is a Regular Expression Denial of Service (ReDoS) vulnerability in the Util#escapeElement method of the CGI gem for Ruby, affecting versions before 0.4.2. Published on 2025-03-04, it is classified under CWE-1333 and carries a CVSS v3.1 base score of 4.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L).

Remote attackers need no privileges or user interaction to exploit this over the network, though the attack is rated high complexity. Exploitation drives the method's regular expression into excessive backtracking with crafted input, consuming CPU and causing a low-impact availability disruption with a changed scope.

Advisories recommend upgrading the CGI gem to version 0.4.2 or later for mitigation. Key references include the Ruby Advisory Database entry at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27220.yml, a HackerOne disclosure report at https://hackerone.com/reports/2890322, and a Debian LTS announcement at https://lists.debian.org/debian-lts-announce/2025/03/msg00008.html.

Vulnerability details

In the CGI gem before 0.4.2 for Ruby, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the Util#escapeElement method.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1499.003 Application Exhaustion Flood (Impact)
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
Why these techniques?

The ReDoS vulnerability in the CGI gem's Util#escapeElement method lets crafted input exhaust CPU, which is the mechanism of an Application Exhaustion Flood.

MITRE ATLAS Techniques

AML.T0048: External Harms

CVEs Like This One

CVE-2026-46727 (same product: Ruby-Lang Ruby)
CVE-2025-27219 (same product: Ruby-Lang Cgi)
CVE-2026-34939 (shared CWE-1333)
CVE-2026-26996 (shared CWE-1333)
CVE-2026-33210 (same vendor: Ruby-Lang)
CVE-2026-42258 (same vendor: Ruby-Lang)
CVE-2025-27788 (same vendor: Ruby-Lang)
CVE-2026-9496 (shared CWE-1333)
CVE-2024-46242 (shared CWE-1333)
CVE-2025-70030 (shared CWE-1333)

Affected Assets

ruby-lang
cgi
0.3.6 · ≤ 0.3.5.1 · 0.4.0 — 0.4.2

Mitigating Controls (NIST 800-53 r5)

Prevent: SI-2 (Flaw Remediation). Timely flaw remediation addresses the ReDoS vulnerability directly by upgrading the vulnerable CGI gem to version 0.4.2 or later.

Prevent: SI-10 (Information Input Validation). Validating the inputs passed to the Util#escapeElement method restricts the crafted inputs that trigger excessive resource consumption.

Prevent: SC-5 (Denial-of-service Protection). Denial-of-service protections at network and application boundaries limit the availability disruption caused by ReDoS-induced resource exhaustion.
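As an added example (not code from the CGI gem or the advisory), the Ruby below applies the three controls above around CGI.escapeElement: it reports whether the loaded cgi gem is at or above the fixed 0.4.2 release, caps regexp match time with Regexp.timeout (Ruby 3.2+), and rejects oversized markup before it reaches the method's regular expression. The constant MAX_MARKUP_BYTES and the function names are assumptions of this example.

```ruby
begin
  require "cgi"         # full cgi gem (Ruby <= 3.4, or an installed cgi gem)
rescue LoadError
  require "cgi/escape"  # Ruby 3.5+ keeps CGI.escapeElement in the default cgi/escape
end

# Upper bound on untrusted markup accepted for escaping. Constructed value for this
# example; size it to the largest legitimate input your application expects.
MAX_MARKUP_BYTES = 64 * 1024

# Remediation check (SI-2): is the loaded cgi gem at or above the fixed release?
# Returns nil when the version constant is unavailable (e.g. cgi/escape alone).
def cgi_patched?(fixed = "0.4.2")
  return nil unless defined?(CGI::VERSION)
  Gem::Version.new(CGI::VERSION) >= Gem::Version.new(fixed)
end

# Defence in depth (SC-5): cap how long any single regexp match may run (Ruby 3.2+),
# so an inefficient pattern raises Regexp::TimeoutError instead of pinning a worker.
def bound_regexp_time!(seconds = 1.0)
  return false unless Regexp.respond_to?(:timeout=)
  Regexp.timeout = seconds
  true
end

# Input validation (SI-10): ReDoS cost grows with input length, so reject oversized
# markup before it reaches the regexp inside CGI.escapeElement.
def escape_element_bounded(markup, *elements, max_bytes: MAX_MARKUP_BYTES)
  if markup.bytesize > max_bytes
    raise ArgumentError, "markup is #{markup.bytesize} bytes, limit #{max_bytes}"
  end
  CGI.escapeElement(markup, *elements)
end

if $PROGRAM_NAME == __FILE__
  bound_regexp_time!
  version = defined?(CGI::VERSION) ? CGI::VERSION : "unknown"
  puts "cgi #{version} patched? #{cgi_patched?.inspect}"
  # Escapes only <A ...> and </A>; <BR> is not in the element list and stays as-is.
  puts escape_element_bounded('<BR><A HREF="url"></A>', "A", "IMG")
end
```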