Key Information

Vulnerability Overview
- Vulnerability Name: Unsafe default in allows params_limit bypass via semicolon-separated parameters.
- CVE ID: CVE-2025-59830
- GHSA ID: GHSA-625h-95r8-8xpm
- Publisher: iouatix
- Release Time: 7 hours ago

Affected and Fixed Versions
- Affected Versions: < 2.2.18
- Fixed Version: 2.2.18

Severity
CVSS v3 Base Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Required Privileges: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
CVSS v3 Score: 7.5 / 10

Weaknesses
- CWE-400
- CWE-770

Description
Summary: In versions prior to 2.2.18, enforces only on parameters separated by , but still splits on both and . This allows attackers to bypass the parameter count limit by using as a separator and submit more parameters than intended.

Details: The issue arises because counts parameters only based on characters, while the default separator regex splits on both and . This mismatch means query strings using as a separator are not counted toward , enabling bypass.

Impact: Applications or middleware that directly invoke may be exposed to increased CPU and memory consumption. This could be exploited as a limited denial-of-service vector.

Mitigation
- Upgrade to the patched Rack version, where both and are consistently counted toward .
- If immediate upgrade is not possible, configure to use an explicit separator (e.g., ) to avoid the mismatch.
- As a general preventive measure, enforce query string and request size limits at the web server or proxy layer (e.g., Nginx, Apache, or CDN) to mitigate excessive parsing overhead.
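The mismatch the Details section describes, as an added Ruby model that is not Rack's own code: a limit check that counts one separator character beside a check that counts exactly the pairs the splitter produces. The separator regex, the `QueryLimitExceeded` error class and the function names are assumptions made for this illustration.

```ruby
# Added illustration (not Rack's code): why counting one separator character
# while splitting on a regex that accepts two separators lets the limit slip,
# and how a consistent count closes the gap.

# Assumed default splitter: accepts both '&' and ';' between key=value pairs.
DEFAULT_SEP = /[&;] */

# Placeholder error type for this example, not a Rack class.
class QueryLimitExceeded < StandardError; end

# Mismatched check: counts only '&', so pairs joined by ';' are not counted.
def mismatched_param_count(qs)
  qs.count('&') + 1
end

# Consistent check: counts the pairs the same splitter will actually produce,
# so the separator used in the request no longer matters.
def consistent_param_count(qs, sep = DEFAULT_SEP)
  qs.split(sep).reject(&:empty?).size
end

# Parse a query string into a flat hash, refusing it when the supplied
# counter says it carries more than params_limit pairs.
def parse_query(qs, params_limit:, counter:)
  count = counter.call(qs)
  raise QueryLimitExceeded, "#{count} params exceeds limit #{params_limit}" if count > params_limit

  qs.split(DEFAULT_SEP).each_with_object({}) do |pair, params|
    key, value = pair.split('=', 2)
    params[key] = value
  end
end

# Constructed sample: five pairs joined with ';' against a limit of three.
SAMPLE_QS = (1..5).map { |i| "p#{i}=#{i}" }.join(';')

# Returns true when the given counter makes parse_query reject SAMPLE_QS.
def limit_enforced?(counter, params_limit: 3)
  parse_query(SAMPLE_QS, params_limit: params_limit, counter: counter)
  false
rescue QueryLimitExceeded
  true
end

if __FILE__ == $PROGRAM_NAME
  puts "mismatched counter enforces limit: #{limit_enforced?(method(:mismatched_param_count))}"
  puts "consistent counter enforces limit: #{limit_enforced?(method(:consistent_param_count))}"
end
```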