Impact
Rack, a Ruby web server interface, contains an issue in its multipart parsing logic from version 3.2.0 through 3.2.5. The parser fails to remove folded line breaks (obs-fold) when unfolding multipart headers, so the CRLF characters remain embedded in parsed values such as filename or name. If these parsed values are later used in HTTP response headers, an attacker can inject arbitrary headers or split the response. This vulnerability is classified as a header injection weakness (CWE-93) and can potentially lead to response splitting, redirection, or other injection-based attacks. The impact is limited to the attacker's ability to influence HTTP response headers, which may affect the confidentiality, integrity, or availability of the application but does not grant arbitrary code execution.
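As an added illustration (constructed here, not Rack's own parser code), the following Ruby contrasts a header unfolder that keeps the obs-fold CRLF, as the advisory describes, with a correct unfolder, and adds the guard a defender would apply before any parsed value is copied into a response header. The sample part headers and all function names are assumptions for the example.

```ruby
# Constructed multipart part header block with an obs-fold (CRLF + SP)
# placed inside the filename parameter.
RAW_PART_HEADERS = "Content-Disposition: form-data; name=\"upload\"; filename=\"quarterly\r\n report.txt\"\r\n" \
                   "Content-Type: text/plain\r\n"

# Flawed unfolding of the kind the advisory describes: continuation lines are
# appended to the previous header, but the CRLF that preceded them is kept.
def flawed_unfold(raw)
  lines = []
  raw.each_line do |line|
    if lines.any? && line.start_with?(" ", "\t")
      lines[-1] << line        # previous line still ends in "\r\n"
    else
      lines << line.dup
    end
  end
  lines.map(&:chomp)
end

# Correct unfolding (RFC 7230 section 3.2.4): CRLF followed by
# whitespace collapses to a single space, then split into header lines.
def unfold(raw)
  raw.gsub(/\r?\n[ \t]+/, " ").split(/\r?\n/)
end

# Parse "Name: value" lines into a hash keyed by lower-cased header name.
def parse_headers(lines)
  lines.each_with_object({}) do |line, h|
    name, value = line.split(":", 2)
    h[name.strip.downcase] = value.to_s.strip if name
  end
end

# Extract quoted parameters (name, filename) from a Content-Disposition value.
def disposition_params(value)
  value.scan(/(\w+)="([^"]*)"/).to_h
end

# Run the sample headers through the given unfolder and return the filename.
def filename_via(unfolder)
  headers = parse_headers(unfolder.call(RAW_PART_HEADERS))
  disposition_params(headers["content-disposition"])["filename"]
end

# Guard: a value carrying CR or LF must never reach a response header.
def header_safe?(value)
  !value.match?(/[\r\n]/)
end

if __FILE__ == $0
  puts "flawed:  #{filename_via(method(:flawed_unfold)).inspect}"
  puts "correct: #{filename_via(method(:unfold)).inspect}"
end
```

The guard is the mitigation an application can apply independently of the Rack upgrade, since it rejects any header-bound value that still carries a line break.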
Affected Systems
The affected product is Rack, a modular Ruby web server interface, specifically versions 3.2.0 up to, but not including, 3.2.6. Versions prior to 3.2.0 are not affected, and the issue was fixed in 3.2.6. Users running any of the affected releases should verify which release they are running and plan an update accordingly.
Risk and Exploitability
The CVSS score is 4.8, indicating moderate severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a crafted multipart HTTP request containing folded header lines; the attacker must be able to submit such a request to the target application. The effort required to exploit the flaw is low to moderate, making it potentially exploitable in uncontrolled or poorly validated environments, but it does not provide privilege escalation beyond the application's current context.
OpenCVE Enrichment
Github GHSA