CVE-2025-49007
BaseFortify
Publication date: 2025-06-04
Last updated on: 2025-10-10
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rack | rack | From 3.1.0 (inc) to 3.1.16 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1333 | The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles. |
| CWE-770 | The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a denial of service issue in the Content-Disposition header parsing component of the Rack Ruby web server interface, affecting versions from 3.1.0 up to but not including 3.1.16. Carefully crafted input can cause the parsing process to take an unexpectedly long time, potentially allowing an attacker to cause a denial of service by exhausting server resources. This affects applications that parse multipart posts using Rack, which includes virtually all Rails applications.
How can this vulnerability impact me?
If your application uses Rack to parse multipart posts, this vulnerability can be exploited to cause a denial of service by making the server spend excessive time parsing specially crafted Content-Disposition headers. This can lead to server unavailability or degraded performance, impacting the reliability and availability of your web application.
What immediate steps should I take to mitigate this vulnerability?
Upgrade Rack to version 3.1.16 or later, as this version contains a patch for the vulnerability.
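A practical way to act on that advice is to check which Rack version a project has locked against the affected range listed above (3.1.0 inclusive to 3.1.16 exclusive). The script below is an added example written for this page, not BaseFortify's or the Rack project's code; it uses only the `Gem::Version` and `Gem::Requirement` classes that ship with RubyGems, and the two lockfiles it scans are constructed samples, not real projects.

```ruby
# Added example: flag a Gemfile.lock whose locked rack version falls in the
# CVE-2025-49007 range (>= 3.1.0, < 3.1.16) taken from the table above.
require "rubygems"

# Affected range as listed on this page.
AFFECTED_RACK = Gem::Requirement.new(">= 3.1.0", "< 3.1.16")
FIXED_RACK = Gem::Version.new("3.1.16")

# Extract the locked version of the exact "rack" gem from Gemfile.lock text.
# Entries in the "specs:" section sit at four spaces of indentation, e.g.
# "    rack (3.1.15)"; dependency lines ("      rack (>= 1.3)") are indented
# deeper and gems such as rack-test do not match the bare name.
def locked_rack_version(lockfile_text)
  lockfile_text.each_line do |line|
    m = line.match(/\A {4}rack \((\d[\w.]*)\)\s*\z/)
    return Gem::Version.new(m[1]) if m
  end
  nil
end

# Classify a lockfile: :vulnerable, :fixed, or :absent (rack not locked).
def rack_status(lockfile_text)
  version = locked_rack_version(lockfile_text)
  return :absent if version.nil?
  AFFECTED_RACK.satisfied_by?(version) ? :vulnerable : :fixed
end

# Constructed sample lockfiles (not taken from any real project).
SAMPLE_VULNERABLE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (3.1.15)
      rack-test (2.2.0)
        rack (>= 1.3)

  PLATFORMS
    ruby

  DEPENDENCIES
    rack
    rack-test
LOCK

SAMPLE_FIXED = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (3.1.16)
      rack-test (2.2.0)
        rack (>= 1.3)

  PLATFORMS
    ruby

  DEPENDENCIES
    rack
    rack-test
LOCK

# Stand-alone use: pass a Gemfile.lock path, or run without arguments to
# see the two constructed samples classified.
if __FILE__ == $0
  if ARGV.empty?
    puts "sample (3.1.15): #{rack_status(SAMPLE_VULNERABLE)}"
    puts "sample (3.1.16): #{rack_status(SAMPLE_FIXED)}"
  else
    text = File.read(ARGV[0])
    status = rack_status(text)
    puts "#{ARGV[0]}: rack #{locked_rack_version(text)} -> #{status}"
    puts "upgrade rack to >= #{FIXED_RACK}" if status == :vulnerable
  end
end
```

The regular expression is anchored to the four-space indentation of a `specs:` entry so that the `rack (>= 1.3)` dependency line under `rack-test` and the `DEPENDENCIES` list are ignored; only the version Bundler actually resolved is compared.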