CVE-2025-27219

CVE-2025-27219 is a Denial of Service (DoS) vulnerability in the CGI gem for Ruby versions before 0.4.2. Specifically, the CGI::Cookie.parse method in the CGI library fails to impose limits on the length of raw cookie values during parsing, allowing excessive resource consumption when processing extremely large cookies. This issue is cataloged under CWE-770 (Allocation of Resources Without Limits or Throttling) and carries a CVSS v3.1 base score of 5.8 (AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:N/A:L).

The vulnerability can be exploited remotely by unauthenticated attackers with network access to a vulnerable Ruby application using the affected CGI gem. By sending HTTP requests containing oversized cookie values, an attacker can trigger high CPU or memory usage during parsing, leading to degraded performance or temporary service denial on the target system. No user interaction is required, and the low attack complexity makes it feasible for remote exploitation.

Advisories recommend upgrading to CGI gem version 0.4.2 or later to mitigate the issue, as documented in the ruby-advisory-db entry (https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27219.yml), the originating HackerOne report (https://hackerone.com/reports/2936778), and Debian LTS announcements (https://lists.debian.org/debian-lts-announce/2025/03/msg00008.html).