CVE-2015-3225

Name: CVE-2015-3225
Creator: NVD / NIST
Published: 2015-07-26T22:59:04.07+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

UnknownEPSS 7.78%

Last modified Jun 17, 2026

CVE-2015-3225 is a vulnerability of currently unknown severity. lib/rack/utils.rb in Rack before 1.5.4 and 1.6.x before 1.6.2, as used with Ruby on Rails 3.x and 4.x and other products, allows remote attackers to cause a denial of service (SystemStackError) via a request with a large parameter depth.. EPSS estimates a 7.78% chance of exploitation in the next 30 days.

Description

lib/rack/utils.rb in Rack before 1.5.4 and 1.6.x before 1.6.2, as used with Ruby on Rails 3.x and 4.x and other products, allows remote attackers to cause a denial of service (SystemStackError) via a request with a large parameter depth.

Metrics

EPSS Probability

7.78%

93.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-19

Affected Software

Vendor	Product	Versions
Rack Project	Rack	<= 1.5.3
Rack Project	Rack	1.6.0
Rack Project	Rack	1.6.1
Opensuse	Opensuse	13.1
Opensuse	Opensuse	13.2
Debian	Debian Linux	7.0
Debian	Debian Linux	8.0

References

http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164173.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165180.html
http://lists.opensuse.org/opensuse-updates/2015-07/msg00040.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2015-07/msg00043.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2015-07/msg00044.htmlThird Party Advisory
http://openwall.com/lists/oss-security/2015/06/16/14Mailing List, Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2015-2290.html
http://www.debian.org/security/2015/dsa-3322
http://www.securityfocus.com/bid/75232
https://github.com/rack/rack/blob/master/HISTORY.mdIssue Tracking, Patch, Vendor Advisory
https://groups.google.com/forum/message/raw?msg=rubyonrails-security/gcUbICUmKMc/qiCotVZwXrMJMailing List, Third Party Advisory
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/164173.html
http://lists.fedoraproject.org/pipermail/package-announce/2015-August/165180.html
http://lists.opensuse.org/opensuse-updates/2015-07/msg00040.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2015-07/msg00043.htmlThird Party Advisory
http://lists.opensuse.org/opensuse-updates/2015-07/msg00044.htmlThird Party Advisory
http://openwall.com/lists/oss-security/2015/06/16/14Mailing List, Third Party Advisory
http://rhn.redhat.com/errata/RHSA-2015-2290.html
http://www.debian.org/security/2015/dsa-3322
http://www.securityfocus.com/bid/75232
https://github.com/rack/rack/blob/master/HISTORY.mdIssue Tracking, Patch, Vendor Advisory
https://groups.google.com/forum/message/raw?msg=rubyonrails-security/gcUbICUmKMc/qiCotVZwXrMJMailing List, Third Party Advisory

Timeline

Published: Jul 26, 2015
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2015-3225?

How severe is CVE-2015-3225?

Severity scoring for CVE-2015-3225 is pending analysis. The EPSS model estimates a 7.78% probability of exploitation in the next 30 days.

How do I fix CVE-2015-3225?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2015-3225?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST