Platform: ruby
Component: rack
Fixed in: 2.2.12, 3.0.1, 3.1.1, 2.2.11
CVE-2025-25184 describes a log injection vulnerability within the Ruby Rack framework. This flaw allows attackers to inject arbitrary content into server logs by manipulating usernames containing newline characters. The vulnerability impacts Rack versions 2.2.9 and earlier, and a fix is available in version 2.2.11.
An attacker can exploit this vulnerability by supplying a username containing CRLF (carriage return, line feed) sequences during authentication, specifically when the application uses Rack::Auth::Basic. The Rack::CommonLogger component then writes this username directly into the log entry without neutralising the line breaks. This leads to log pollution, potentially allowing attackers to inject commands or other harmful data into the logs. While direct code execution is unlikely, the injected data could be used for reconnaissance, obfuscation of malicious activity, or to trigger alerts based on false positives. The blast radius is limited to the server's logging infrastructure, but the impact can be significant if logs are used for auditing or security monitoring.
This vulnerability was publicly disclosed on February 12, 2025. There is a publicly available proof-of-concept demonstrating the log injection technique. The vulnerability's severity is rated as medium. It is not currently listed on the CISA KEV catalog, and there are no reports of active exploitation campaigns at this time.
Exploit Status
EPSS: 1.07% (78th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-25184 is to upgrade to Rack version 2.2.11 or later, which includes a fix for this vulnerability. If upgrading is not immediately feasible, consider implementing input validation on the username field to sanitize CRLF sequences before they are passed to Rack::CommonLogger. Web application firewalls (WAFs) configured to detect and block suspicious characters in usernames could also provide a temporary layer of protection. Review server logs for any unusual or unexpected entries that might indicate exploitation.
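As an added example of the interim input-validation workaround described above (not code from the Rack project), the following plain-Ruby middleware sits ahead of Rack::Auth::Basic, decodes the Basic credentials itself, and rejects any username carrying CR, LF or other control bytes before Rack::CommonLogger can write it. It uses only the Rack env hash convention, so it runs without the rack gem installed; the `RejectCrlfCredentials` name and the `log_safe` escaping format are this example's own choices.

```ruby
# Control bytes that would break a single-line log entry (CR, LF, NUL, DEL, ...).
CONTROL_CHARS = /[\x00-\x1f\x7f]/

# Extract the username from an HTTP Basic "Authorization" header value.
# Returns nil when the header is absent, not Basic, or has no credentials.
def basic_auth_username(header)
  return nil unless header.is_a?(String)
  scheme, encoded = header.split(" ", 2)
  return nil unless scheme&.casecmp?("basic") && encoded
  decoded = encoded.strip.unpack1("m")   # lenient Base64 decode
  decoded.split(":", 2).first
end

# True when the username contains bytes that could inject a new log line.
def username_tainted?(username)
  !username.nil? && username.match?(CONTROL_CHARS)
end

# Escape control bytes (e.g. "\r" -> "\x0d") so a value can be logged safely.
def log_safe(value)
  value.to_s.gsub(CONTROL_CHARS) { |c| format("\\x%02x", c.ord) }
end

# Hypothetical middleware: insert it before Rack::Auth::Basic in config.ru.
class RejectCrlfCredentials
  def initialize(app)
    @app = app
  end

  def call(env)
    user = basic_auth_username(env["HTTP_AUTHORIZATION"])
    if username_tainted?(user)
      # Record the attempt in escaped form and stop the request here, so the
      # raw username never reaches Rack::Auth::Basic or Rack::CommonLogger.
      env["rack.errors"]&.puts("rejected Basic credentials: #{log_safe(user)}")
      return [400, { "content-type" => "text/plain" }, ["Bad Request\n"]]
    end
    @app.call(env)
  end
end
```

Requests whose credentials decode cleanly pass through untouched, so legitimate Basic authentication keeps working while the upgrade is scheduled.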
Update the Rack gem to version 3.1.10 or higher. This will resolve the log injection vulnerability. Run `gem update rack` to update to the latest secure version.
CVE-2025-25184 is a medium severity vulnerability in Ruby Rack versions 2.2.9 and earlier that allows attackers to inject malicious content into server logs by manipulating usernames with CRLF sequences.
You are affected if you are using Ruby Rack version 2.2.9 or earlier. Check your Rack version and upgrade if necessary.
Upgrade to Ruby Rack version 2.2.11 or later to resolve the vulnerability. As a temporary workaround, sanitize usernames to remove CRLF sequences.
There are no confirmed reports of active exploitation at this time, but a proof-of-concept is publicly available.
Refer to the Ruby Rack project's official website and security advisories for the latest information: https://rack.rubyforge.org/