CVE-2025-49007

Regular Expression Denial of Service
Affects
Rack
in
Rails
Versions
>=3.1.0 <3.1.16
Patch Available

This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Rack is a modular Ruby web server interface.

A Regular Expression Denial of Service (ReDoS) vulnerability (CVE-2025-49007) has been identified in Rack. It allows attackers to monopolize resources when Rack parses the Content-Disposition header, effectively causing a denial of service of the application. This is very similar to the previous security issue CVE-2022-44571.

Per OWASP: The Regular expression Denial of Service (ReDoS) is a Denial of Service attack that exploits the fact that most Regular Expression implementations may reach extreme situations that cause them to work very slowly (exponentially related to input size). An attacker can then cause a program using a Regular Expression (Regex) to enter these extreme situations and then hang for a very long time.

This affects Rack versions greater than or equal to 3.1.0 and less than 3.1.16.

Details

Module Info

Vulnerability Info

This Medium-severity vulnerability is found in the rack module in versions greater than or equal to 3.1.0 and less than 3.1.16.

A carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.

Mitigation

OSS Users

Upgrade to Rack version 3.1.16, where the issue is fixed. If an upgrade is not possible, consider using a commercial support partner like HeroDevs for post-EOL support.
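To confirm whether an application's resolved Rack version falls in the advisory's affected range, the following added script (not part of this advisory or of Rack itself) parses the `rack` entry from a Gemfile.lock and compares it against >= 3.1.0, < 3.1.16 using RubyGems' own version comparison. The sample lockfile text is constructed for illustration.

```ruby
require "rubygems"

# Affected range as stated in the advisory: >= 3.1.0 and < 3.1.16.
AFFECTED = Gem::Requirement.new(">= 3.1.0", "< 3.1.16")
# First OSS release with the fix, per the advisory.
FIXED_OSS = Gem::Version.new("3.1.16")

# True when the given rack version string lies inside the affected range.
def rack_affected?(version)
  AFFECTED.satisfied_by?(Gem::Version.new(version))
end

# Extract the resolved rack version from Gemfile.lock text.
# The specs section lists resolved gems at four-space indentation
# ("    rack (3.1.15)"); dependency constraints such as
# "      rack (>= 3.0.0)" sit deeper and carry an operator, so they
# are deliberately not matched.
def locked_rack_version(lockfile_text)
  lockfile_text.each_line do |line|
    m = line.match(/\A {4}rack \((\d+(?:\.\d+)+)\)\s*\z/)
    return m[1] if m
  end
  nil
end

# Summarise the result for a lockfile: version found, whether it is
# in the affected range, and the action the advisory recommends.
def check_lockfile(lockfile_text)
  version = locked_rack_version(lockfile_text)
  return { version: nil, affected: false, note: "rack not found" } if version.nil?

  affected = rack_affected?(version)
  { version: version,
    affected: affected,
    note: affected ? "upgrade to rack #{FIXED_OSS}" : "not in affected range" }
end

# Constructed sample Gemfile.lock excerpt (not from a real application).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (3.1.15)
      rack-session (2.1.0)
        rack (>= 3.0.0)
      rails (7.2.1)
        rack (>= 2.2.4)
LOCK

puts check_lockfile(SAMPLE_LOCK).inspect if $PROGRAM_NAME == __FILE__
```

Run it against a real application's Gemfile.lock by substituting `File.read("Gemfile.lock")` for the sample text.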

NES Customers

Upgrade to Rack versions 1.4.7.24, 1.6.13.22 or 2.2.17.10 where the issue is fixed.

For customers using Rails v5 or v6, you will also need to update your version of Rails to 5.2.8.32 or 6.1.7.28 respectively to accommodate the Rack version bump.

Credits

scyoon (finder)

Vulnerability Details

ID: CVE-2025-49007
Project affected: Rack
Versions affected: >=3.1.0 <3.1.16
Published date: June 26, 2025
≈ Fix date: June 6, 2025
Severity: Medium
Category: Regular Expression Denial of Service

Severity levels (CVSS assessment): Low >=0 <4; Medium >=4 <6; High >=6 <8; Critical >=8 <10