Cyber Posture

CVE-2025-27220

Medium

Published: 04 March 2025
Modified: 03 November 2025
KEV Added: (not listed)
Patch: (not listed)
CVSS Score: 4.0 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L)
EPSS Score: 0.0025 (47.8th percentile)
Risk Priority: 8 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Description

Adversaries may target resource intensive features of applications to cause a denial of service (DoS), denying availability to those applications.

Security Summary

CVE-2025-27220 is a Regular Expression Denial of Service (ReDoS) vulnerability in the Util#escapeElement method of the CGI gem for Ruby, affecting versions before 0.4.2. Published on 2025-03-04, it is classified under CWE-1333 and carries a CVSS v3.1 base score of 4.0 (AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:L).

Remote attackers need no privileges or user interaction to exploit this over the network, though the attack is rated high complexity. Exploitation drives the method's regular expression into excessive backtracking with crafted input, consuming CPU and causing a low-impact availability disruption with a changed scope.

Advisories recommend upgrading the CGI gem to version 0.4.2 or later for mitigation. Key references include the Ruby Advisory Database entry at https://github.com/rubysec/ruby-advisory-db/blob/master/gems/cgi/CVE-2025-27220.yml, a HackerOne disclosure report at https://hackerone.com/reports/2890322, and a Debian LTS announcement at https://lists.debian.org/debian-lts-announce/2025/03/msg00008.html.

Details

CWE(s)
CWE-1333

Affected Products

ruby-lang
cgi
0.3.6 · ≤ 0.3.5.1 · 0.4.0 — 0.4.2

MITRE ATT&CK Enterprise Techniques

T1499.003 Application Exhaustion Flood Impact
Why these techniques?

The ReDoS vulnerability in the CGI gem's Util#escapeElement lets crafted input to its regular expression exhaust CPU, which maps to Application Exhaustion Flood.
