Bug 2370346 (CVE-2025-49007) - CVE-2025-49007 rack: rubygem-rack: Rack Content-Disposition Denial of Service
Summary: CVE-2025-49007 rack: rubygem-rack: Rack Content-Disposition Denial of Service
Keywords:
Status: NEW
Alias: CVE-2025-49007
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
high
high
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2370398 2370399 2370400 2370401
Blocks:
Reported: 2025-06-04 23:01 UTC by OSIDB Bzimport
Modified: 2025-06-05 13:53 UTC
CC: 26 users

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:



Description OSIDB Bzimport 2025-06-04 23:01:03 UTC
Rack is a modular Ruby web server interface. Starting in version 3.1.0 and prior to version 3.1.16, there is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This is very similar to the previous security issue CVE-2022-44571. Carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted. Version 3.1.16 contains a patch for the vulnerability.

