CVE-2025-49007 SUSE CVE security@suse.de SUSE Security Team SUSE CVE-2025-49007 Interim 1 2 2025-07-12T06:35:07Z current 2025-06-05T23:12:49Z 2025-07-12T06:35:07Z cve-database/bin/generate-cvrf-cve.pl 2020-12-27T01:00:00Z CVE-2025-49007 Rack is a modular Ruby web server interface. Starting in version 3.1.0 and prior to version 3.1.16, there is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This is very similar to the previous security issue CVE-2022-44571. Carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is used typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted. Version 3.1.16 contains a patch for the vulnerability. The CVRF data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0). https://www.suse.com/support/security/rating/ SUSE Security Ratings SUSE Linux Enterprise High Availability Extension 15 SP3 SUSE Linux Enterprise High Availability Extension 15 SP4 SUSE Linux Enterprise High Availability Extension 15 SP5 SUSE Linux Enterprise High Availability Extension 15 SP6 SUSE Linux Enterprise High Availability Extension 15 SP7 openSUSE Leap 15.6 ruby2.5-rubygem-rack ruby2.5-rubygem-rack-doc ruby2.5-rubygem-rack-testsuite rubygem-rack ruby2.5-rubygem-rack as a component of SUSE Linux Enterprise High Availability Extension 15 SP3 rubygem-rack as a component of SUSE Linux Enterprise High Availability Extension 15 SP3 ruby2.5-rubygem-rack as a component of SUSE Linux Enterprise High Availability Extension 15 SP4 rubygem-rack as a component of SUSE Linux Enterprise High Availability Extension 15 SP4 ruby2.5-rubygem-rack as a component of SUSE Linux Enterprise High Availability Extension 15 SP5 rubygem-rack as a component of SUSE Linux Enterprise High Availability Extension 15 SP5 ruby2.5-rubygem-rack as a component of SUSE Linux Enterprise High Availability Extension 15 SP6 rubygem-rack as a component of SUSE Linux Enterprise High Availability Extension 15 SP6 ruby2.5-rubygem-rack as a component of SUSE Linux Enterprise High Availability Extension 15 SP7 rubygem-rack as a component of SUSE Linux Enterprise High Availability Extension 15 SP7 ruby2.5-rubygem-rack as a component of openSUSE Leap 15.6 ruby2.5-rubygem-rack-doc as a component of openSUSE Leap 15.6 ruby2.5-rubygem-rack-testsuite as a component of openSUSE Leap 15.6 rubygem-rack as a component of openSUSE Leap 15.6 Rack is a modular Ruby web server interface. Starting in version 3.1.0 and prior to version 3.1.16, there is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This is very similar to the previous security issue CVE-2022-44571. Carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is used typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted. Version 3.1.16 contains a patch for the vulnerability. CVE-2025-49007 SUSE Linux Enterprise High Availability Extension 15 SP3:ruby2.5-rubygem-rack SUSE Linux Enterprise High Availability Extension 15 SP3:rubygem-rack SUSE Linux Enterprise High Availability Extension 15 SP4:ruby2.5-rubygem-rack SUSE Linux Enterprise High Availability Extension 15 SP4:rubygem-rack SUSE Linux Enterprise High Availability Extension 15 SP5:ruby2.5-rubygem-rack SUSE Linux Enterprise High Availability Extension 15 SP5:rubygem-rack SUSE Linux Enterprise High Availability Extension 15 SP6:ruby2.5-rubygem-rack SUSE Linux Enterprise High Availability Extension 15 SP6:rubygem-rack SUSE Linux Enterprise High Availability Extension 15 SP7:ruby2.5-rubygem-rack SUSE Linux Enterprise High Availability Extension 15 SP7:rubygem-rack openSUSE Leap 15.6:ruby2.5-rubygem-rack openSUSE Leap 15.6:ruby2.5-rubygem-rack-doc openSUSE Leap 15.6:ruby2.5-rubygem-rack-testsuite openSUSE Leap 15.6:rubygem-rack moderate 6.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N