CVE-2025-49007 — Allocation of Resources Without Limits or Throttling in Rack

CWE-770 — Allocation of Resources Without Limits or Throttling6 documents5 sources

Severity

6.6MEDIUMNVD

GHSA7.5OSV7.5

EPSS

0.6%

top 31.41%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rack Debian Ruby-rack

Timeline

PublishedJun 4

Latest updateJun 5

Description

Rack is a modular Ruby web server interface. Starting in version 3.1.0 and prior to version 3.1.16, there is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This is very similar to the previous security issue CVE-2022-44571. Carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is used typically used in multipart parsing. Any ap…

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages3 packages

▶debiandebian/ruby-rack< ruby-rack 3.1.16-0.1 (forky)

▶NVDrack/rack3.1.0 — 3.1.16

▶RubyGemsrack/rack3.1.0 — 3.1.16

Patches

Patch: github.com ↗Patch: github.com ↗

🔴Vulnerability Details

GHSA

ReDoS Vulnerability in Rack::Multipart handle_mime_head↗2025-06-05

▶

OSV

ReDoS Vulnerability in Rack::Multipart handle_mime_head↗2025-06-05

▶

OSV

CVE-2025-49007: Rack is a modular Ruby web server interface↗2025-06-04

▶

📋Vendor Advisories

Red Hat

rack: rubygem-rack: Rack Content-Disposition Denial of Service↗2025-06-04

▶

Debian

CVE-2025-49007: ruby-rack - Rack is a modular Ruby web server interface. Starting in version 3.1.0 and prior...↗2025

▶