Denial of Service Vulnerability in Ruby Rack Web Server Interface
CVE-2025-49007

6.6 MEDIUM

Key Information:

Vendor: Rack
Status: Vendor
CVE Published: 4 June 2025

What is CVE-2025-49007?

Rack is a modular Ruby web server interface that sits between Ruby web frameworks and application servers, and its multipart parser handles the Content-Disposition header of each part of a multipart/form-data body. In Rack 3.1.0 through 3.1.15, carefully crafted input can cause that Content-Disposition parsing to take an unexpectedly long time, so a remote client that can submit multipart bodies can keep a server worker busy for far longer than a normal request and create a denial of service condition. Any application that parses multipart posts through Rack is affected; that covers nearly all Ruby on Rails applications running an affected Rack version, since Rails relies on Rack to parse multipart request bodies. Users are advised to update to Rack 3.1.16, which includes the fix. To check what a project is running, look for the rack (x.y.z) entry under GEM specs in Gemfile.lock or run bundle info rack, and upgrade with bundle update rack --conservative.

Affected Version(s)

rack >= 3.1.0, < 3.1.16
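The following is an added example, not code from Rack or from this advisory: a small Ruby check that pulls the locked Rack version out of a Gemfile.lock and tests it against the affected range stated above (rack >= 3.1.0, < 3.1.16) using Gem::Version and Gem::Requirement from the standard library. The Gemfile.lock text it parses is constructed for illustration, and the helper names are this example's own.

```ruby
# Added example (not part of Rack): does a project's locked Rack version fall
# in the CVE-2025-49007 affected range given in this advisory?
require "rubygems"

# Affected range from the advisory: rack >= 3.1.0, < 3.1.16; fixed in 3.1.16.
AFFECTED = Gem::Requirement.new(">= 3.1.0", "< 3.1.16")
FIXED_VERSION = Gem::Version.new("3.1.16")

# Constructed Gemfile.lock excerpt for illustration (not a real project's lockfile).
# Under GEM/specs, the resolved gem line is indented four spaces with the exact
# version in parentheses; its dependency lines are indented six spaces and carry
# requirements such as "(>= 3.0.0)", and the DEPENDENCIES section uses two spaces.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (3.1.12)
      rack-session (2.1.0)
        base64 (>= 0.1.0)
        rack (>= 3.0.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    rack (~> 3.1)
LOCK

# Return the resolved rack version from lockfile text, or nil if rack is absent.
# Match only the four-space "rack (x.y.z)" spec line, so dependency requirement
# lines like "      rack (>= 3.0.0)" and "  rack (~> 3.1)" are ignored.
def locked_rack_version(lockfile_text)
  lockfile_text.each_line do |line|
    m = line.match(/\A {4}rack \((\d+(?:\.\d+)*(?:\.[A-Za-z0-9]+)*)\)\s*\z/)
    return Gem::Version.new(m[1]) if m
  end
  nil
end

# True when the given version (String or Gem::Version) is inside the affected range.
def vulnerable_to_cve_2025_49007?(version)
  version = Gem::Version.new(version) unless version.is_a?(Gem::Version)
  AFFECTED.satisfied_by?(version)
end

# Combine the two checks into a result a CI job or audit script can act on.
def assess(lockfile_text)
  version = locked_rack_version(lockfile_text)
  if version.nil?
    { version: nil, vulnerable: false, advice: "rack not found in lockfile" }
  elsif vulnerable_to_cve_2025_49007?(version)
    { version: version.to_s, vulnerable: true,
      advice: "upgrade rack to #{FIXED_VERSION} or later (bundle update rack --conservative)" }
  else
    { version: version.to_s, vulnerable: false,
      advice: "rack #{version} is outside the affected range" }
  end
end

if __FILE__ == $PROGRAM_NAME
  result = assess(SAMPLE_LOCKFILE)
  puts "rack #{result[:version].inspect}: vulnerable=#{result[:vulnerable]} (#{result[:advice]})"
end
```

Run it against a real project by replacing SAMPLE_LOCKFILE with File.read("Gemfile.lock"). The version comparison goes through Gem::Version rather than string comparison so that, for instance, 3.1.9 is correctly ordered before 3.1.16, and the range check stops at 3.1.16 exactly as the advisory states.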


CVSS V4

Score: 6.6
Severity: MEDIUM
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
