vulnerability

Red Hat: CVE-2025-49007: rack: rubygem-rack: Rack Content-Disposition Denial of Service

Name: Red Hat: CVE-2025-49007: rack: rubygem-rack: Rack Content-Disposition Denial of Service
Creator: Red Hat
Published: 2025-06-04T00:00:00.000Z
Keywords: CVE, Red Hat, 2025, 49007, rack, no-fix-redhat-rpm-package, Severity 8

Try Surface Command

Back to search

Severity

CVSS

(AV:N/AC:L/Au:N/C:N/I:N/A:C)

Published

Jun 4, 2025

Added

Jul 9, 2025

Modified

Jul 10, 2025

Description

Rack is a modular Ruby web server interface. Starting in version 3.1.0 and prior to version 3.1.16, there is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This is very similar to the previous security issue CVE-2022-44571. Carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is used typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted. Version 3.1.16 contains a patch for the vulnerability.

Solution

no-fix-redhat-rpm-package

References

NVD-CVE-2025-49007

Rapid7 Labs

2026 Global Threat Landscape Report

The predictive window has collapsed. Exploitation follows disclosure in days. See how attackers are accelerating and how to stay ahead.

Get report