Merge pull request #23605 from kbrock/CVE-2025-59830

Fryguy · web-flow · commit 8694efe357ce · 2025-09-30T15:55:55.000-04:00
Rack 2.2.8 upgrade for CVE-2025-59830
diff --git a/Gemfile b/Gemfile
@@ -67,7 +67,7 @@ gem "pg-dsn_parser",                    "~>0.1.1",           :require => false
 gem "prism",                            ">=0.25.0",          :require => false # Used by DescendantLoader
 gem "psych",                            ">=3.1",             :require => false # 3.1 safe_load changed positional to kwargs like aliases: true: https://github.com/ruby/psych/commit/4d4439d6d0adfcbd211ea295779315f1baa7dadd
 gem "query_relation",                   "~>0.1.0",           :require => false
-gem "rack",                             ">=2.2.14",          :require => false
+gem "rack",                             ">=2.2.18",          :require => false # CVE-2025-59830 https://github.com/advisories/GHSA-625h-95r8-8xpm
 gem "rack-attack",                      "~>6.5.0",           :require => false
 gem "rails",                            "~>7.2.0", ">= 7.2.2.1"
 gem "rails-i18n",                       "~>7.x"
