CVE-2025-49007: 
Ruby vulnerability analysis and mitigation

Rack, a modular Ruby web server interface, contains a denial of service vulnerability (CVE-2025-49007) in its Content-Disposition parsing component. The vulnerability affects versions starting from 3.1.0 and prior to version 3.1.16. This vulnerability is similar to a previous security issue (CVE-2022-44571) and was discovered and reported to the Rails security team by scyoon (GitHub Advisory).

The vulnerability exists in the Content-Disposition parsing component where carefully crafted input can cause the parsing process to take an unexpected amount of time. The issue specifically relates to multipart parsing functionality, where the header parsing mechanism can be exploited to cause processing delays. The vulnerability has been assigned a CVSS v4.0 score of 6.6 MEDIUM with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U (NVD).

The vulnerability can result in a denial of service attack vector through excessive processing time. This affects any applications that parse multipart posts using Rack, which includes virtually all Rails applications. The impact is primarily focused on service availability, with no direct impact on confidentiality or integrity (GitHub Advisory).

The vulnerability has been patched in version 3.1.16 of Rack. Users are advised to upgrade to this version to mitigate the vulnerability. The fix includes improvements to the multipart regex handling and consistency (GitHub Commit).