Inefficient Regular Expression Complexity
CVE-2025-49007
Summary
Rack is a modular Ruby web server interface. Starting in version 3.1.0 and prior to version 3.1.16, there is a Denial-of-Service vulnerability in the Content-Disposition parsing component of Rack. This is very similar to the previous security issue CVE-2022-44571. Carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a Denial-of-Service attack vector. This header is typically used in multipart parsing. Applications that parse multipart posts using Rack (virtually all Rails applications) are impacted. Version 3.1.16 contains a patch for the vulnerability.
- LOW
- NETWORK
- NONE
- UNCHANGED
- NONE
- NONE
- NONE
- LOW
CWE-1333 - Inefficient Regular Expression Complexity
The product uses a regular expression with an inefficient, possibly exponential worst-case computational complexity that consumes excessive CPU cycles.
Advisory Timeline
- Published