Merge pull request #23612 from kbrock/CVE-2025-61772

Fryguy · web-flow · commit 7a92ea87d311 · 2025-10-08T13:05:05.000-04:00
Update rack for CVE-2025-61772
diff --git a/Gemfile b/Gemfile
@@ -67,7 +67,7 @@ gem "pg-dsn_parser",                    "~>0.1.1",           :require => false
 gem "prism",                            ">=0.25.0",          :require => false # Used by DescendantLoader
 gem "psych",                            ">=3.1",             :require => false # 3.1 safe_load changed positional to kwargs like aliases: true: https://github.com/ruby/psych/commit/4d4439d6d0adfcbd211ea295779315f1baa7dadd
 gem "query_relation",                   "~>0.1.0",           :require => false
-gem "rack",                             ">=2.2.18",          :require => false # CVE-2025-59830 https://github.com/advisories/GHSA-625h-95r8-8xpm
+gem "rack",                             ">=2.2.19",          :require => false # CVE-2025-61772 https://github.com/rack/rack/security/advisories/GHSA-wpv5-97wm-hp9c
 gem "rack-attack",                      "~>6.5.0",           :require => false
 gem "rails",                            "~>7.2.0", ">= 7.2.2.1"
 gem "rails-i18n",                       "~>7.x"
