PT-2025-23867 · Rack · Rack

Tenderlove · Published 2025-06-04 · Updated 2025-12-29 · CVE-2025-49007

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:C
Name of the Vulnerable Software and Affected Versions: Rack versions 3.1.0 through 3.1.15

Description: The issue is a denial of service vulnerability in the Content-Disposition parsing component of Rack. It can be triggered by carefully crafted input that causes the Content-Disposition header parsing to take an unexpectedly long time, which may result in a denial of service. This vulnerability affects applications that parse multipart posts using Rack, including virtually all Rails applications.

Recommendations: For Rack versions 3.1.0 through 3.1.15, update to version 3.1.16, which contains a patch for the vulnerability.
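The practical check that follows from the affected range and the recommendation above is whether a deployed application has locked a vulnerable Rack. The script below is an added example, not part of this advisory or of the Rack project: it parses a Gemfile.lock (a constructed sample is embedded), reads the resolved version of the rack gem from the "specs:" section, and compares it against the 3.1.0 through 3.1.15 range, reporting the upgrade to 3.1.16 when it applies. The sample lockfile content and the function names are assumptions made for the example.

```ruby
require "rubygems"

# Affected range and fixed version taken from the advisory (inclusive bounds).
AFFECTED_MIN = Gem::Version.new("3.1.0")
AFFECTED_MAX = Gem::Version.new("3.1.15")
FIXED        = Gem::Version.new("3.1.16")

# Return the resolved version of gem_name from Gemfile.lock text, or nil.
# Bundler writes resolved gems under "specs:" indented by exactly four spaces
# as "    name (x.y.z)"; dependency lines are indented six spaces and are
# skipped so a constraint like "rack (>= 3.0.0)" is never mistaken for a version.
def locked_version(lockfile_text, gem_name)
  lockfile_text.each_line do |line|
    m = line.match(/\A    #{Regexp.escape(gem_name)} \(([^)\s]+)\)/)
    return Gem::Version.new(m[1]) if m
  end
  nil
end

# True when the version falls inside the advisory's affected range.
def rack_vulnerable?(version)
  return false if version.nil?
  version >= AFFECTED_MIN && version <= AFFECTED_MAX
end

# Summarise the lockfile: :not_found, :vulnerable (with the remediation), or :ok.
def assess(lockfile_text)
  v = locked_version(lockfile_text, "rack")
  if v.nil?
    { status: :not_found, version: nil }
  elsif rack_vulnerable?(v)
    { status: :vulnerable, version: v.to_s, action: "upgrade rack to #{FIXED}" }
  else
    { status: :ok, version: v.to_s }
  end
end

# Constructed sample Gemfile.lock; the squiggly heredoc strips the two-space
# margin so the spec lines keep Bundler's four-space indentation.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (3.1.15)
      rack-session (2.1.0)
        rack (>= 3.0.0)
      rails (7.2.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    rails
LOCK

if __FILE__ == $0
  # Pass a real lockfile path as the first argument, otherwise use the sample.
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCK
  puts assess(text).inspect
end
```

Run it against a real lockfile with `ruby check_rack.rb path/to/Gemfile.lock`. Matching on the four-space "specs:" entry rather than anywhere the word rack appears is what keeps rack-session and the `rack (>= 3.0.0)` dependency constraint from producing a false result.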

Exploit · Fix · DoS · Allocation of Resources Without Limits


Weakness Enumeration

Related Identifiers

BDU:2025-12287
CVE-2025-49007
ECHO-192D-891B-072B
GHSA-47M2-26RW-J2JW
MGASA-2025-0334

Affected Products

Rack