Source: ruby-rack
Version: 3.1.12-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Hi,

The following vulnerability was published for ruby-rack.

CVE-2025-49007[0]:
| Rack is a modular Ruby web server interface. Starting in version
| 3.1.0 and prior to version 3.1.16, there is a denial of service
| vulnerability in the Content-Disposition parsing component of Rack.
| This is very similar to the previous security issue CVE-2022-44571.
| Carefully crafted input can cause Content-Disposition header parsing
| in Rack to take an unexpected amount of time, possibly resulting in
| a denial of service attack vector. This header is typically used in
| multipart parsing. Any applications that parse multipart posts using
| Rack (virtually all Rails applications) are impacted. Version 3.1.16
| contains a patch for the vulnerability.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-49007
    https://www.cve.org/CVERecord?id=CVE-2025-49007
[1] https://github.com/rack/rack/security/advisories/GHSA-47m2-26rw-j2jw
[2] https://github.com/rack/rack/commit/aed514df37e33907df3c971ed3ca9a0a20ac2901

Regards,
Salvatore
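The check a maintainer or operator wants after reading the report above is whether a deployed Rack is inside the range the advisory names (3.1.0 or later, before 3.1.16). The following is an added example, not part of the bug report and not Rack's or Debian's own tooling: it turns that range into a version test, handles the Debian version syntax seen in the report (an optional epoch and a "-N" package revision, which Gem::Version would otherwise misread as a prerelease marker), and runs the test over the resolved "rack (x.y.z)" lines of a Gemfile.lock. The lockfile text, the function names and the CVE_2025_49007 constant are constructed for this example.

```ruby
# Added example: classify Rack versions against the CVE-2025-49007 range
# given in the advisory (>= 3.1.0 and < 3.1.16). Not Rack's or Debian's code.
require "rubygems"

CVE_2025_49007 = {
  introduced: Gem::Version.new("3.1.0"),
  fixed:      Gem::Version.new("3.1.16"),
}.freeze

# Debian package versions may carry an epoch ("1:3.1.12-1") and a package
# revision ("3.1.12-1"). Gem::Version treats a hyphen as a prerelease marker
# ("3.1.12-1" becomes "3.1.12.pre.1", which sorts *before* 3.1.12), so both
# parts are stripped before comparing against upstream version numbers.
def upstream_version(debian_or_gem_version)
  v = debian_or_gem_version.to_s.strip
  v = v.sub(/\A\d+:/, "")    # drop epoch
  v = v.sub(/-[^-]*\z/, "")  # drop Debian revision
  Gem::Version.new(v)
end

# True when the upstream version lies in [introduced, fixed).
def affected?(version_string, range = CVE_2025_49007)
  v = upstream_version(version_string)
  v >= range[:introduced] && v < range[:fixed]
end

# Resolved spec lines in a Gemfile.lock are indented by exactly four spaces
# ("    rack (3.1.12)"); dependency lines such as "      rack (>= 3.0.0)" are
# indented by six and are not matched, nor are gems like "rack-test".
def rack_versions_in_lockfile(lockfile_text)
  lockfile_text.scan(/^ {4}rack \(([^)]+)\)\s*$/).flatten
end

def audit_lockfile(lockfile_text)
  rack_versions_in_lockfile(lockfile_text).map do |ver|
    { version: ver, affected: affected?(ver) }
  end
end

# Constructed sample lockfile pinning the version the Debian report names.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (3.1.12)
      rack-session (2.1.0)
        base64 (>= 0.1.0)
        rack (>= 3.0.0)
      rack-test (2.2.0)
        rack (>= 1.3)

  PLATFORMS
    ruby

  DEPENDENCIES
    rack
LOCK

if __FILE__ == $PROGRAM_NAME
  audit_lockfile(SAMPLE_LOCKFILE).each do |r|
    status = r[:affected] ? "AFFECTED by CVE-2025-49007 (upgrade to >= 3.1.16)" : "not in affected range"
    puts "rack #{r[:version]}: #{status}"
  end
end
```

Run it against a real Gemfile.lock by replacing SAMPLE_LOCKFILE with File.read("Gemfile.lock"). One caveat for the Debian package itself: Debian commonly fixes a CVE by patching the packaged source and bumping only the revision (the "-N" part), without changing the upstream version, so a match on upstream numbers alone is a prompt to consult the Debian security tracker entry linked in the report, not a final verdict.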