CVE-2025-27220
Published: 04 March 2025
Summary
CVE-2025-27220 is a medium-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in Ruby-Lang Cgi. Its CVSS base score is 4.0 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003); ranked at the 48.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-5 (Denial-of-service Protection).
Deeper analysis
CVE-2025-27220 is a Regular Expression Denial of Service (ReDoS) vulnerability in the Util#escapeElement method of the CGI gem for Ruby, affecting versions before 0.4.2. Published on 2025-03-04, it is classified under CWE-1333 and carries a CVSS v3.1 base score of 4.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L).
Remote attackers require no privileges or user interaction to exploit this over the network, though the attack demands high complexity. Exploitation triggers excessive resource consumption via malicious regular expression input, resulting in low-impact availability disruption with a changed scope.
Advisories recommend upgrading the CGI gem to version 0.4.2 or later for mitigation. Key references include the Ruby Advisory Database entry at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27220.yml, a HackerOne disclosure report at https://hackerone.com/reports/2890322, and a Debian LTS announcement at https://lists.debian.org/debian-lts-announce/2025/03/msg00008.html.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-5509
Vulnerability details
In the CGI gem before 0.4.2 for Ruby, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the Util#escapeElement method.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
ReDoS vulnerability in CGI gem's Util#escapeElement enables resource exhaustion (CPU) via malicious regex input, facilitating Application Exhaustion Flood.
MITRE ATLAS TechniquesAI
MITRE ATLAS techniques
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Timely flaw remediation directly addresses the ReDoS vulnerability by requiring upgrade of the vulnerable CGI gem to version 0.4.2 or later.
Information input validation on inputs to the Util#escapeElement method restricts malicious regular expressions that trigger excessive resource consumption.
Denial-of-service protections at network and application boundaries mitigate the availability disruption from ReDoS-induced resource exhaustion.