CVE-2025-49007: CWE-770: Allocation of Resources Without Limits or Throttling in rack rack
Rack is a modular Ruby web server interface. Starting in version 3.1.0 and prior to version 3.1.16, there is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This is very similar to the previous security issue CVE-2022-44571. Carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted. Version 3.1.16 contains a patch for the vulnerability.
AI Analysis
Technical Summary
CVE-2025-49007 is a denial of service (DoS) vulnerability in Rack, the Ruby web server interface, located in the code that parses the Content-Disposition header of each part of a multipart request body. Rack versions from 3.1.0 up to but not including 3.1.16 are affected; the 2.2.x and 3.0.x series are outside the stated range for this CVE. The resource that goes unbounded, which is why the issue is classified as CWE-770 (Allocation of Resources Without Limits or Throttling), is CPU time rather than memory: a carefully crafted Content-Disposition value makes the parser run far longer than its length would suggest, so each malicious part occupies a server thread or process for an attacker-chosen duration, and a request carrying many such parts multiplies the cost. The advisory describes the flaw as very similar to CVE-2022-44571, which was a regular-expression denial of service in the same code path, indicating a recurring weakness in this parser. Exploitation requires no authentication, privileges, or user interaction: an unauthenticated client sends a multipart/form-data POST whose part headers contain the crafted value. The attacker chooses the request's Content-Type, so any endpoint whose POST body Rack parses is reachable, not only forms designed for file upload, and in common stacks the body is parsed in middleware (Rack::MethodOverride reads POST parameters, for example) before application-level authentication runs. Because Rack::Multipart is the parser behind Rails (via ActionDispatch) as well as Sinatra and other Rack frameworks, virtually every Rails application on a vulnerable Rack version is exposed. Version 3.1.16 contains the fix. The CVSS v4.0 base score is 6.6 (medium severity), reflecting the network attack vector, the absence of required privileges or user interaction, and an impact confined to availability. No exploitation in the wild has been reported, but the low effort required makes it a plausible target for attackers aiming to disrupt web services.
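The bug class and its remedy, shown as an added example rather than Rack's own code: a single-pass, length-bounded parser for a Content-Disposition value. It is not the patched Rack implementation, and the two caps are assumptions chosen for the example. What it demonstrates is the property a CWE-770 fix has to restore, cost linear in input length with an explicit ceiling on that length, so a crafted header can no longer buy an attacker-chosen amount of CPU time. The hostile input is constructed (thousands of escaped quotes inside a quoted value), the shape that makes an ambiguous quoted-string regex backtrack.

```ruby
# Added example (not Rack's code): a single-pass, length-bounded parser for a
# Content-Disposition header value such as
#   form-data; name="file"; filename="report.pdf"
# Every byte is examined exactly once and the input length is capped, so the
# cost is linear and no crafted value can cause backtracking. The caps below
# are assumptions for this example, not values taken from Rack.
MAX_HEADER_BYTES = 8 * 1024
MAX_PARAMS       = 32

class ContentDispositionError < StandardError; end

def cd_space?(c)
  c == " " || c == "\t"
end

# Returns [type, params]; params maps lower-cased parameter names to unquoted values.
def parse_content_disposition(header)
  if header.bytesize > MAX_HEADER_BYTES
    raise ContentDispositionError, "header exceeds #{MAX_HEADER_BYTES} bytes"
  end

  b = header.b            # binary copy: b[i] is O(1) and yields a single byte
  n = b.bytesize
  i = 0

  i += 1 while i < n && cd_space?(b[i])
  start = i
  i += 1 while i < n && b[i] != ";" && !cd_space?(b[i])
  type = b[start...i]
  raise ContentDispositionError, "missing disposition type" if type.empty?

  params = {}
  loop do
    i += 1 while i < n && cd_space?(b[i])
    break if i >= n
    raise ContentDispositionError, "expected ';' at byte #{i}" unless b[i] == ";"
    i += 1
    i += 1 while i < n && cd_space?(b[i])
    break if i >= n                       # tolerate a single trailing ';'

    start = i
    i += 1 while i < n && b[i] != "=" && b[i] != ";" && !cd_space?(b[i])
    name = b[start...i]
    raise ContentDispositionError, "empty parameter name at byte #{start}" if name.empty?
    i += 1 while i < n && cd_space?(b[i])
    unless i < n && b[i] == "="
      raise ContentDispositionError, "expected '=' after #{name.inspect}"
    end
    i += 1
    i += 1 while i < n && cd_space?(b[i])

    if i < n && b[i] == '"'
      # Quoted value: a backslash takes the next byte literally. Each byte is
      # consumed once, with no alternation to retry, so escaped quotes cost O(1).
      i += 1
      value = "".b
      closed = false
      while i < n
        c = b[i]
        if c == "\\" && i + 1 < n
          value << b[i + 1]
          i += 2
        elsif c == '"'
          closed = true
          i += 1
          break
        else
          value << c
          i += 1
        end
      end
      raise ContentDispositionError, "unterminated quoted value for #{name.inspect}" unless closed
    else
      start = i
      i += 1 while i < n && b[i] != ";"
      value = b[start...i].rstrip
    end

    params[name.downcase.force_encoding(Encoding::UTF_8)] = value.force_encoding(Encoding::UTF_8)
    raise ContentDispositionError, "more than #{MAX_PARAMS} parameters" if params.size > MAX_PARAMS
  end

  [type.force_encoding(Encoding::UTF_8), params]
end

# Constructed inputs (not captured traffic): a normal header, and a hostile one
# built from 4,000 escaped quotes, which an ambiguous quoted-string regex would
# backtrack over. Here it is about 8,000 bytes of linear work.
NORMAL_HEADER  = 'form-data; name="file"; filename="a\"b.txt"'
HOSTILE_HEADER = 'form-data; name="' + ('\"' * 4000) + '"'
```

The two caps are the CWE-770 part of the fix: a linear parser with no input limit still lets a client scale cost with body size, and a limit without a linear parser still leaves the super-linear blow-up inside the allowed length. Both are needed, and the part-count limit Rack already exposes bounds the third dimension, the number of headers per request.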
Potential Impact
For European organizations the impact is loss of availability on any Rails application, or other Rack-based service, that parses multipart POST bodies, which in practice means every file-upload form and, because the attacker picks the Content-Type, any other endpoint whose POST body Rack parses. This covers e-commerce platforms, customer portals, and internal tools alike. A successful attack ties up server workers with slow parsing, causing downtime or severe degradation, with the usual revenue and reputational consequences, and sectors with high web traffic or essential online services feel it first. No authentication is needed and each crafted request can occupy a worker for an attacker-chosen time, so the attack is cheap to automate and can be run against many targets at once. Confidentiality and integrity are not affected, but availability is an explicit security objective under GDPR Article 32, and for operators in scope of NIS2, so a prolonged outage of a system that processes personal data can attract regulatory attention on top of the business continuity and customer-trust costs.
Mitigation Recommendations
European organizations should upgrade Rack to 3.1.16 or later; `bundle update rack --conservative` does this without moving other gems, and if a dependency pin blocks it the resolver error names the gem holding it back. Rack 2.2.x and 3.0.x are outside the affected range for this CVE and need no change for it. To find exposure, check every Ruby service's Gemfile.lock for a resolved `rack` version from 3.1.0 to 3.1.15; bundler-audit compares Gemfile.lock against the Ruby Advisory Database, flags this automatically, and belongs in CI. Where an upgrade must wait, note that the pathological input sits in the MIME part headers inside a multipart body, not in the HTTP request headers, so a WAF rule only helps if it inspects multipart bodies. More reliable interim bounds are a request body size limit at the proxy (for example `client_max_body_size` in nginx), Rack's own multipart part-count limit (`RACK_MULTIPART_TOTAL_PART_LIMIT`), and rate limiting of POST endpoints, all of which cap how much parser time one client can consume per request. If the slow path is regular-expression backtracking, as it was for CVE-2022-44571, a global `Regexp.timeout` on Ruby 3.2 or later turns a stuck worker into a failed request, which is the better failure mode. Monitor for POST requests with unusually long part headers and for spikes in worker CPU time or request latency on multipart parsing. Maintain an inventory of Rack-based applications, including non-Rails ones such as Sinatra, Hanami, and Roda, to prioritize remediation, and prepare incident-response and customer-communication plans for a denial of service.
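An exposure check for the inventory step, written as an added example (not part of the advisory or of Rack): it reads a Gemfile.lock, extracts the resolved `rack` version and tests it against the affected range. The lockfile fragment is constructed for the example.

```ruby
# Added example (not from the advisory or from Rack): decide from a
# Gemfile.lock whether the resolved rack version falls inside the range
# affected by CVE-2025-49007 (>= 3.1.0, < 3.1.16).
require "rubygems"

AFFECTED_RANGE = Gem::Requirement.new(">= 3.1.0", "< 3.1.16")
FIXED_VERSION  = Gem::Version.new("3.1.16")

# Bundler writes each resolved gem under "specs:" as "    name (version)".
# Dependency lines are indented deeper ("      rack (>= 1.3)"), so anchoring
# on exactly four spaces and a literal version skips those, and the literal
# name skips rack-session, rack-test, rackup and similar gems.
LOCK_ENTRY = /\A {4}rack \((\d+(?:\.\d+)*)\)\s*\z/

def rack_version_from_lockfile(lock_text)
  lock_text.each_line do |line|
    m = LOCK_ENTRY.match(line)
    return Gem::Version.new(m[1]) if m
  end
  nil
end

def affected?(version)
  AFFECTED_RANGE.satisfied_by?(Gem::Version.new(version.to_s))
end

# Returns a report hash so the result can be checked rather than only printed.
def assess_lockfile(lock_text)
  version = rack_version_from_lockfile(lock_text)
  return { status: :no_rack, version: nil, action: nil } unless version

  vulnerable = affected?(version)
  {
    status:  vulnerable ? :vulnerable : :not_affected,
    version: version.to_s,
    action:  vulnerable ? "upgrade rack to >= #{FIXED_VERSION}" : nil,
  }
end

# Constructed sample lockfile fragment (not a real project's file).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      actionpack (7.2.2)
        rack (>= 2.2.4)
        rack-session (>= 1.0.1)
      rack (3.1.12)
      rack-session (2.1.0)
        rack (>= 3.0.0)
      rack-test (2.2.0)
        rack (>= 1.3)
LOCK

if __FILE__ == $PROGRAM_NAME
  puts assess_lockfile(SAMPLE_LOCK).inspect
end
```

Point the script at each service's real Gemfile.lock (`File.read`) and run it across the fleet; for a running process, `Gem.loaded_specs["rack"]&.version` gives the same answer from inside the application. The lockfile is the right source because it records the version actually deployed, not the range the Gemfile allows.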
Affected Countries
United Kingdom, Germany, France, Netherlands, Sweden, Italy, Spain, Poland
Technical Details
- Data Version: 5.1
- Assigner Short Name: GitHub_M
- Date Reserved: 2025-05-29T16:34:07.176Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6840cfa0182aa0cae2c2e7b4
Added to database: 6/4/2025, 10:58:40 PM
Last enriched: 7/7/2025, 3:00:07 AM
Last updated: 7/30/2025, 4:12:50 PM
Views: 17
Related Threats
- CVE-2025-9053: SQL Injection in projectworlds Travel Management System (Medium)
- CVE-2025-9052: SQL Injection in projectworlds Travel Management System (Medium)
- CVE-2025-9019: Heap-based Buffer Overflow in tcpreplay (Low)
- CVE-2025-9017: Cross Site Scripting in PHPGurukul Zoo Management System (Medium)
- CVE-2025-9051: SQL Injection in projectworlds Travel Management System (Medium)