• Bug#1107363: ruby-rack: CVE-2025-49007

    From Salvatore Bonaccorso@21:1/5 to All on Fri Jun 6 14:40:02 2025
    Source: ruby-rack
    Version: 3.1.12-1
    Severity: important
    Tags: security upstream
    X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

    Hi,

    The following vulnerability was published for ruby-rack.

    CVE-2025-49007[0]:
    | Rack is a modular Ruby web server interface. Starting in version
    | 3.1.0 and prior to version 3.1.16, there is a denial of service
    | vulnerability in the Content-Disposition parsing component of Rack.
    | This is very similar to the previous security issue CVE-2022-44571.
    | Carefully crafted input can cause Content-Disposition header parsing
    | in Rack to take an unexpected amount of time, possibly resulting in
    | a denial of service attack vector. This header is used typically
    | used in multipart parsing. Any applications that parse multipart
    | posts using Rack (virtually all Rails applications) are impacted.
    | Version 3.1.16 contains a patch for the vulnerability.


    If you fix the vulnerability please also make sure to include the
    CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

    For further information see:

    [0] https://security-tracker.debian.org/tracker/CVE-2025-49007
    https://www.cve.org/CVERecord?id=CVE-2025-49007
    [1] https://github.com/rack/rack/security/advisories/GHSA-47m2-26rw-j2jw
    [2] https://github.com/rack/rack/commit/aed514df37e33907df3c971ed3ca9a0a20ac2901

    Regards,
    Salvatore

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)