
Inefficient Regular Expression Complexity


Severity High
Score 7.5/10


There is a denial of service vulnerability in the "Content-Disposition" parsing component of Rack versions 2.0.x prior to, 2.1.x prior to, 2.2.x prior to, and 3.0.0.x prior to. This could allow an attacker to craft an input that causes "Content-Disposition" header parsing in Rack to take an unexpected amount of time, possibly resulting in a Denial of Service attack vector. This header is typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.


CWE-1333 - Inefficient Regular Expression Complexity

The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
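The header named in this advisory can be parsed without a backtracking regular expression at all. The following is an added example, not Rack's own code: a single left-to-right scan of a multipart "Content-Disposition" value that runs in linear time on any input, honours quoted strings, and rejects oversized or malformed headers; the 8 KiB cap and the sample header values are constructed assumptions.

```ruby
# Added example (not Rack's code): linear-time Content-Disposition parser.
# Every character is visited at most once, so no crafted input can make the
# work grow faster than the header length (the failure mode of CWE-1333).
MAX_HEADER_LENGTH = 8192 # assumption: bound the input before doing any work

def ws?(c)
  c == " " || c == "\t"
end

# 'form-data; name="f"; filename="a;b.txt"' =>
# { type: "form-data", params: { "name" => "f", "filename" => "a;b.txt" } }
# Returns nil for oversized, unterminated or otherwise malformed headers.
def parse_content_disposition(header)
  return nil if header.nil? || header.bytesize > MAX_HEADER_LENGTH
  n = header.length
  j = header.index(";") || n                  # disposition type ends at ';'
  type = header[0...j].strip.downcase
  return nil if type.empty? || type.include?("=")
  params = {}
  i = j
  while i < n
    i += 1                                    # skip the ';'
    i += 1 while i < n && ws?(header[i])
    break if i >= n
    eq = header.index("=", i)
    return nil if eq.nil?                     # parameter without a value
    name = header[i...eq].strip.downcase
    return nil if name.empty? || name.include?(";")
    i = eq + 1
    if header[i] == '"'                       # quoted-string value
      i += 1
      buf = +""
      loop do
        return nil if i >= n                  # unterminated quote: reject
        c = header[i]
        if c == "\\" && i + 1 < n             # quoted-pair: take next char
          buf << header[i + 1]; i += 2
        elsif c == '"'
          i += 1; break
        else
          buf << c; i += 1
        end
      end
      i += 1 while i < n && ws?(header[i])
      return nil if i < n && header[i] != ";" # junk after closing quote
      params[name] = buf
    else                                      # token value up to next ';'
      stop = header.index(";", i) || n
      params[name] = header[i...stop].strip
      i = stop
    end
  end
  { type: type, params: params }
end
```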

