Version 6.0.26 of the Passenger application server has been released. This release fixes a vulnerability where invalid HTTP requests could cause a denial of service (DoS).

Passenger 6 introduced Generic Language Support: the ability to support arbitrary apps.

CVE-2025-26803

The HTTP parser in Passenger 6.0.21 through 6.0.25 was susceptible to a denial of service attack when parsing a request with an invalid HTTP method. This has been fixed in Passenger 6.0.26.
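
A version triage for the range stated above (affected 6.0.21 through 6.0.25, fixed in 6.0.26), added here as an example; it is not part of the original announcement or Passenger's own code. The function names, status labels and inventory lines are constructed for illustration; feed it whatever version string each host reports.

```shell
#!/bin/sh
# Classify Passenger versions against the CVE-2025-26803 range from the
# announcement: affected 6.0.21 through 6.0.25, fixed in 6.0.26.
# All function names and status labels are hypothetical, not Passenger tooling.

# Extract the first x.y.z triple from a string and print it as a sortable
# integer. Assumes each component is below 1000. Returns 1 if none is found.
ver_to_int() {
    v=$(printf '%s\n' "$1" | grep -oE '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1) || true
    [ -n "$v" ] || return 1
    # awk reads the fields as decimal, so a leading zero is harmless.
    printf '%s\n' "$v" | awk -F. '{ printf "%d\n", $1 * 1000000 + $2 * 1000 + $3 }'
}

# Print one of: affected, fixed, before-affected-range, unknown.
passenger_cve_status() {
    n=$(ver_to_int "$1") || { echo "unknown"; return 0; }
    if [ "$n" -lt 6000021 ]; then
        echo "before-affected-range"   # older than the range the advisory lists
    elif [ "$n" -le 6000025 ]; then
        echo "affected"                # 6.0.21 through 6.0.25: upgrade
    else
        echo "fixed"                   # 6.0.26 or later
    fi
}

# Read "host version-string" lines on stdin, print "host status" per line.
triage_inventory() {
    while read -r host rest; do
        [ -n "$host" ] || continue
        printf '%s %s\n' "$host" "$(passenger_cve_status "$rest")"
    done
}

# Constructed sample inventory (hostnames and string format are made up).
triage_inventory <<'EOF'
web-01 Phusion Passenger(R) 6.0.23
web-02 Phusion Passenger(R) 6.0.26
web-03 Phusion Passenger(R) 6.0.20
web-04 not installed
EOF
```

Hosts reported as `unknown` need a manual check, since no version triple could be parsed from their entry.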

Installing 6.0.26

Please see the installation guide for advice on getting started with Passenger. Coming from a language other than Ruby, Python, Meteor or Node? Even if we didn't write a specific tutorial for your language, we made a generic guide that shows you the steps.

Upgrading to 6.0.26

We strongly advise staying up to date with the latest version.

Check out our upgrade guides for the different platforms.

Please be aware that you can enjoy enterprise features and sponsor the open source development directly by buying Phusion Passenger Enterprise.