Source: ruby-rack
Version: 3.1.12-1
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for ruby-rack.

CVE-2025-49007[0]:
| Rack is a modular Ruby web server interface. Starting in version
| 3.1.0 and prior to version 3.1.16, there is a denial of service
| vulnerability in the Content-Disposition parsing component of Rack.
| This is very similar to the previous security issue CVE-2022-44571.
| Carefully crafted input can cause Content-Disposition header parsing
| in Rack to take an unexpected amount of time, possibly resulting in
| a denial of service attack vector. This header is used typically
| used in multipart parsing. Any applications that parse multipart
| posts using Rack (virtually all Rails applications) are impacted.
| Version 3.1.16 contains a patch for the vulnerability.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-49007
https://www.cve.org/CVERecord?id=CVE-2025-49007
[1] https://github.com/rack/rack/security/advisories/GHSA-47m2-26rw-j2jw
[2] https://github.com/rack/rack/commit/aed514df37e33907df3c971ed3ca9a0a20ac2901

Regards,
Salvatore

--- SoupGate-Win32 v1.05
* Origin: fsxNet Usenet Gateway (21:1/5)