CVE-2025-27111

Medium CVSS: 6.9

Rack is a modular Ruby web server interface. The Rack::Sendfile middleware logs unsanitised header values from the X-Sendfile-Type header. An attacker can exploit this by injecting escape sequences (such as newline characters) into the header, resulting in log injection. This vulnerability is fixed in 2.2.12, 3.0.13, and 3.1.11.

Vendor

Rack

Product

Rack

CWE

CWE-93

Yayın Tarihi

2025-03-04 16:15:40

Güncelleme

2025-11-03 22:18:43

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-93 Rack MEDIUM Rack 2025

Referanslar

https://github.com/rack/rack/commit/803aa221e8302719715e224f4476e438f2531a53 https://github.com/rack/rack/commit/aeac570bb8080ca7b53b7f2e2f67498be7ebd30b https://github.com/rack/rack/commit/b13bc6bfc7506aca3478dc5ac1c2ec6fc53f82a3 https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v https://lists.debian.org/debian-lts-announce/2025/03/msg00016.html

Benzer Kayıtlar

Medium

CVE-2026-34835

Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack…

Medium

CVE-2026-25500

Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory` generates an…

High

CVE-2026-22860

Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`’s path check…

High

CVE-2025-61919

Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, `Rack::Request#POST` reads the…

Medium

CVE-2025-61780

Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, a possible information disclos…

High

CVE-2025-61771

Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, ``Rack::Multipart::Parser`…