Platform: ruby
Component: rack
Fixed in: 2.2.13, 3.0.1, 3.1.1, 2.2.12
CVE-2025-27111 describes a log injection vulnerability within the Ruby Rack framework. This flaw allows attackers to manipulate log entries by injecting escape sequences into the X-Sendfile-Type header, potentially obscuring malicious activity and hindering security investigations. The vulnerability affects Rack versions 2.2.9 and earlier, and a fix is available in version 2.2.12.
The primary impact of CVE-2025-27111 is the ability to distort log files. By injecting newline characters or other escape sequences into the X-Sendfile-Type header, an attacker can alter the content of Rack's log entries. This can be used to hide the attacker's actions, making it more difficult to detect and respond to security incidents. The vulnerability's impact extends beyond simple log modification; it can actively impede security auditing and forensic analysis, allowing attackers to operate with greater stealth. The ability to manipulate logs represents a significant compromise in visibility and control over the application's security posture.
CVE-2025-27111 was publicly disclosed on March 4, 2025. There is currently no indication of active exploitation campaigns targeting this vulnerability. No public proof-of-concept (PoC) exploits have been released. The vulnerability is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.43% (62nd percentile)
CISA SSVC
The recommended mitigation for CVE-2025-27111 is to upgrade to Rack version 2.2.12 or later, which includes a fix for the vulnerability. If upgrading is not immediately feasible, consider removing the usage of Rack::Sendfile entirely from your application. This will prevent the vulnerable header from being processed. As a temporary workaround, input validation on the X-Sendfile-Type header could be implemented to sanitize potentially malicious characters, but this is not a substitute for upgrading. After upgrading, confirm the fix by sending a request with a crafted X-Sendfile-Type header containing newline characters and verifying that the log entry does not contain the injected characters.
Update the Rack gem to version 2.2.12, 3.0.13, or 3.1.11, or higher. This can be done by running `gem update rack` on the command line. Ensure that your Gemfile reflects the updated version.
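As an added example of the temporary input-validation workaround described above (this is not Rack's own code), the middleware below rejects any request whose X-Sendfile-Type header carries ASCII control characters such as CR or LF before it reaches Rack::Sendfile, and writes only an escaped copy of the offending value to the error log so the log line itself stays on one line. The class name, the `demo` helper and the lambda application are constructed for this example; the middleware only reads the Rack env hash, so it runs without the rack gem installed.

```ruby
require 'stringio'

# Stopgap middleware: refuse X-Sendfile-Type values containing control
# characters, so nothing downstream can write an attacker-supplied line break
# into the log. Remove it once Rack is upgraded to a fixed version.
class SendfileTypeGuard
  HEADER = 'HTTP_X_SENDFILE_TYPE'.freeze
  # Any ASCII control character (0x00-0x1F or DEL) has no place in this header.
  CONTROL = /[\x00-\x1F\x7F]/

  def initialize(app)
    @app = app
  end

  # True when the header is absent or contains only printable characters.
  def self.safe_value?(value)
    value.nil? || !value.match?(CONTROL)
  end

  def call(env)
    value = env[HEADER]
    unless self.class.safe_value?(value)
      # String#inspect escapes CR/LF/ESC, so the logged entry cannot be split
      # into a fake second line by the header value.
      env['rack.errors']&.puts("rejected X-Sendfile-Type with control characters: #{value.inspect}")
      return [400, { 'content-type' => 'text/plain' }, ["Bad Request\n"]]
    end
    @app.call(env)
  end
end

# Constructed downstream app and env for a stand-alone run; returns the
# status code and the text that reached the error log.
def demo(header_value)
  app = ->(_env) { [200, { 'content-type' => 'text/plain' }, ["ok\n"]] }
  errors = StringIO.new
  env = { 'rack.errors' => errors }
  env['HTTP_X_SENDFILE_TYPE'] = header_value unless header_value.nil?
  status, _headers, _body = SendfileTypeGuard.new(app).call(env)
  [status, errors.string]
end
```

A request with a legitimate value such as `X-Accel-Redirect` passes through with status 200, while a value embedding `\r\n` is answered with 400 and the log records it as a single escaped line.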
CVE-2025-27111 is a log injection vulnerability in Ruby Rack versions 2.2.9 and earlier, allowing attackers to manipulate log entries by injecting escape sequences into the X-Sendfile-Type header.
You are affected if you are using Ruby Rack version 2.2.9 or earlier. Upgrade to 2.2.12 or remove Rack::Sendfile to mitigate.
Upgrade to Ruby Rack version 2.2.12 or later. Alternatively, remove the usage of Rack::Sendfile from your application.
There is currently no indication of active exploitation campaigns targeting CVE-2025-27111.
Refer to the official Ruby Rack project website and security advisories for the latest information on CVE-2025-27111.