CVE-2025-49007: 
Ruby vulnerability analysis and mitigation

Rack, a modular Ruby web server interface, contains a denial of service vulnerability (CVE-2025-49007) in its Content-Disposition parsing component. The vulnerability affects versions starting from 3.1.0 and prior to version 3.1.16. This vulnerability was discovered by scyoon and reported to the Rails security team (GitHub Advisory).

The vulnerability exists in the Content-Disposition parsing component where carefully crafted input can cause the parsing process to take an unexpected amount of time. The issue specifically relates to multipart parsing functionality, where the header parsing mechanism can be exploited to cause processing delays. The vulnerability has been assigned a CVSS v4.0 score of 6.6 MEDIUM with the vector string CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U (NVD).

The vulnerability can result in a denial of service attack vector through excessive processing time. This affects any applications that parse multipart posts using Rack, which includes virtually all Rails applications. The impact is primarily focused on service availability, with no direct impact on confidentiality or integrity (GitHub Advisory).

The vulnerability has been patched in version 3.1.16 of Rack. Users are advised to upgrade to this version to mitigate the vulnerability. The fix includes improvements to the multipart regex handling and consistency (GitHub Commit).