CVE Tools
Sign in

CVE-2025-49007

ReDoS Vulnerability in Rack::Multipart handle_mime_head

Published: Jun 4, 2025Updated: Oct 10, 2025 Sources: CVE List NVD GHSA BDUCWE-770
NVD MITRE
5.3CVSSMEDIUM
EPSS Score
0.5%
Top 62.3%
CISA KEV
Not in KEV
Exploits
1 Known
Remediation
Patch Available

Description

Rack is a modular Ruby web server interface. Starting in version 3.1.0 and prior to version 3.1.16, there is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This is very similar to the previous security issue CVE-2022-44571. Carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is used typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted. Version 3.1.16 contains a patch for the vulnerability.

CVSS Vector Breakdown

AV:NAC:LPR:NUI:NS:UC:NI:NA:L
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:NConfidentiality
None
I:NIntegrity
None
A:LAvailability
Low
Open in CVSS calculator →

Weaknesses

CWE-770CWE-1333

Affected Products

rackrack
Library
OSS Libraries / web-framework
rackRubyGemsOSS Libraries
Astra Linux Special EditionООО «РусБИТех-Астра»
On-premOS
Operating Systems / linux-distro
RackLeah Neukirchen
Library
OSS Libraries / rubygems
rackoss-projectOSS Libraries
rubygemspackage-ecosystemOSS Libraries
ооо «русбитех-астра»commercialRUOperating Systemsaka rusbitech-astra
leah neukirchenindividual-devOSS Libraries

Attack Graph

Products CVE Techniques Tactics

Click technique nodes to view MITRE ATT&CK details. Scroll to zoom, drag to pan.

Exploitability

1 exploit source identified

Exploit details including PoC links, Metasploit modules, and scanner templates are available after registration.

View exploit details
Official Patch Available

MITRE ATT&CK

1 technique
Impact
View detailed technique mapping

References

https://github.com/rack/rack/security/advisories/GHSA-47m2-26rw-j2jw
github.com
https://github.com/rack/rack/commit/4795831a0a310c2d31102749e551b38faab6401f
github.com
https://github.com/rack/rack/commit/aed514df37e33907df3c971ed3ca9a0a20ac2901
github.com
and 9 more references View all →

Timeline

Published
Jun 4, 2025
Last Updated
Oct 10, 2025

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2025-49007 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows