Cyber Posture

CVE-2025-27220

Medium

Published: 04 March 2025

Published
04 March 2025
Modified
03 November 2025
KEV Added
Patch
CVSS Score 4.0 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L
EPSS Score 0.0025 47.8th percentile
Risk Priority 8 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-27220 is a medium-severity Inefficient Regular Expression Complexity (CWE-1333) vulnerability in Ruby-Lang Cgi. Its CVSS base score is 4.0 (Medium).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application Exhaustion Flood (T1499.003); ranked at the 47.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-2 (Flaw Remediation) and SC-5 (Denial-of-service Protection).

Threat & Defense at a Glance

What attackers do: exploitation maps to Application Exhaustion Flood (T1499.003). AI-specific risk: MITRE ATLAS External Harms (AML.T0048). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match
prevent

Timely flaw remediation directly addresses the ReDoS vulnerability by requiring upgrade of the vulnerable CGI gem to version 0.4.2 or later.

SI-10 Information Input Validation partial match
prevent

Information input validation on inputs to the Util#escapeElement method restricts malicious regular expressions that trigger excessive resource consumption.

SC-5 Denial-of-service Protection partial match
prevent

Denial-of-service protections at network and application boundaries mitigate the availability disruption from ReDoS-induced resource exhaustion.

MITRE ATT&CK Enterprise TechniquesAI

T1499.003 Application Exhaustion Flood Impact
Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.
attack.mitre.org →
Why these techniques?

ReDoS vulnerability in CGI gem's Util#escapeElement enables resource exhaustion (CPU) via malicious regex input, facilitating Application Exhaustion Flood.

MITRE ATLAS TechniquesAI

MITRE ATLAS techniques

AML.T0048: External Harms

NVD Description

In the CGI gem before 0.4.2 for Ruby, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the Util#escapeElement method.

Deeper analysisAI

CVE-2025-27220 is a Regular Expression Denial of Service (ReDoS) vulnerability in the Util#escapeElement method of the CGI gem for Ruby, affecting versions before 0.4.2. Published on 2025-03-04, it is classified under CWE-1333 and carries a CVSS v3.1 base score of 4.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L).

Remote attackers require no privileges or user interaction to exploit this over the network, though the attack demands high complexity. Exploitation triggers excessive resource consumption via malicious regular expression input, resulting in low-impact availability disruption with a changed scope.

Advisories recommend upgrading the CGI gem to version 0.4.2 or later for mitigation. Key references include the Ruby Advisory Database entry at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27220.yml, a HackerOne disclosure report at https://hackerone.com/reports/2890322, and a Debian LTS announcement at https://lists.debian.org/debian-lts-announce/2025/03/msg00008.html.

Details

CWE(s)
CWE-1333

Affected Products

ruby-lang
cgi
0.3.6 · ≤ 0.3.5.1 · 0.4.0 — 0.4.2

CVEs Like This One

CVE-2025-27219Same product: Ruby-Lang Cgi
CVE-2026-34939Shared CWE-1333
CVE-2026-26996Shared CWE-1333
CVE-2025-27788Same vendor: Ruby-Lang
CVE-2026-33210Same vendor: Ruby-Lang
CVE-2026-21868Shared CWE-1333
CVE-2025-70030Shared CWE-1333
CVE-2025-62484Shared CWE-1333
CVE-2026-28356Shared CWE-1333
CVE-2026-22178Shared CWE-1333

References