Ruby RACK < 2.2.14 / 3.0.16 / 3.1.14 DoS vulnerability in Gitlab 18.2.1
Running on RHEL 8 in FIPS mode, just upgraded gitlab-fips to 18.2.1. Nessus RHEL 8 scan post upgrade shows the following high vulnerability on Ruby RACK, CVE-2025-46727:
Ruby RACK < 2.2.14 / 3.0.16 / 3.1.14 DoS vulnerability
Description
The version of the RACK Ruby library installed on the remote host is prior to 2.2.14 / 3.0.16 / 3.1.14. It is, therefore, affected by a DoS vulnerability where an attacker can trigger denial of service by sending specifically crafted HTTP requests, which can cause memory exhaustion or pin CPU resources, stalling or crashing the Rack server. This results in full service disruption until the affected worker is restarted.
Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.
Solution
Upgrade to RACK version 2.2.14 / 3.0.16 / 3.1.14 or later.
See Also
https://github.com/ruby/rexml/security/advisories/GHSA-2rxp-v6pw-ch6m
Output
Path : /opt/gitlab/embedded/lib/ruby/gems/3.2.0/specifications//rack-2.2.9.gemspec
Installed version : 2.2.9
Fixed version : 2.2.14
It appears there are two versions of rack embedded in Gitlab:
where 2.2.9 has the vulnerability and 2.2.17 does not. Do we need both versions?
Is there a workaround/fix for this? I had hoped upgrading to 18.2.1 would address this; what version will it be addressed in?
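One way to answer "which embedded rack versions does the scanner flag" is to enumerate the rack gemspecs in the embedded RubyGems specifications directory (the Nessus output above points at /opt/gitlab/embedded/lib/ruby/gems/3.2.0/specifications) and compare each version against the fixed releases the finding names. The script below is an added example, not code from the issue or from GitLab; it assumes the gemspec file name carries the version (as in rack-2.2.9.gemspec), and it assumes that rack series newer than 3.1 postdate the advisory and are fixed.

```ruby
require 'rubygems' # Gem::Version does the version comparison
require 'tmpdir'

# Fixed releases for CVE-2025-46727 as listed in the Nessus finding above.
RACK_FIXED = {
  '2.2' => Gem::Version.new('2.2.14'),
  '3.0' => Gem::Version.new('3.0.16'),
  '3.1' => Gem::Version.new('3.1.14'),
}.freeze

# True when the given rack version is below the fixed release for its series.
def rack_vulnerable?(version_string)
  v = Gem::Version.new(version_string)
  series = v.segments[0, 2].join('.')
  case series
  when '3.0', '3.1'
    v < RACK_FIXED[series]
  else
    # 2.2.x and anything older is below 2.2.14; 3.2+ is assumed fixed here
    # (assumption of this example, not a statement from the scan).
    v < RACK_FIXED['2.2']
  end
end

# Extracts the version from a file name such as rack-2.2.9.gemspec.
# Deliberately does not match rack-test-*.gemspec or rack-protection-*.gemspec.
def rack_version_from_gemspec(path)
  m = File.basename(path).match(/\Arack-(\d+(?:\.\d+)+)\.gemspec\z/)
  m && m[1]
end

# Lists every installed rack gemspec in spec_dir with its vulnerability status,
# sorted by version, so duplicate installs like 2.2.9 beside 2.2.17 stand out.
def audit_rack_gemspecs(spec_dir)
  Dir.glob(File.join(spec_dir, 'rack-*.gemspec')).filter_map do |path|
    ver = rack_version_from_gemspec(path)
    next unless ver
    { path: path, version: ver, vulnerable: rack_vulnerable?(ver) }
  end.sort_by { |r| Gem::Version.new(r[:version]) }
end

if __FILE__ == $0
  # Constructed sample: a throwaway specifications directory holding the two
  # rack versions named in the issue plus an unrelated rack-test gemspec.
  Dir.mktmpdir do |dir|
    %w[rack-2.2.9.gemspec rack-2.2.17.gemspec rack-test-2.1.0.gemspec].each do |name|
      File.write(File.join(dir, name), '')
    end
    audit_rack_gemspecs(dir).each do |r|
      status = r[:vulnerable] ? 'VULNERABLE (below fixed release)' : 'ok'
      puts "rack #{r[:version]}: #{status}  #{r[:path]}"
    end
  end
end
```

Run it against the real directory by replacing the temporary directory with the specifications path from the scan output; a host where both 2.2.9 and 2.2.17 are present shows one flagged line and one clean line, which is exactly what the scanner reports when it keys on the lowest installed version.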