lib/rack/multipart.rb
in Rack before 1.1.4, 1.2.x before 1.2.6, 1.3.x before 1.3.7, and 1.4.x before 1.4.2 uses an incorrect regular expression, which allows remote attackers to cause a denial of service (infinite loop) via a crafted Content-Disposion header.
{ "nvd_published_at": "2013-03-01T05:40:00Z", "cwe_ids": [ "CWE-835" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2020-06-16T21:39:20Z" }