Platform: ruby
Component: rack
Fixed in: 2.2.15, 2.2.14
CVE-2025-32441 describes a session hijacking vulnerability in the Rack session middleware, specifically the Rack::Session::Pool component. The flaw allows an unauthenticated user to potentially occupy a deleted Rack session because of race conditions in concurrent request handling. The vulnerability affects Rack versions 2.2.9 and earlier, and a fix is available in version 2.2.14.
The core of the vulnerability lies in how the Rack session middleware manages session restoration. When a Rack request is processed, the session is prepared and then saved back to the store. This process is susceptible to race conditions when multiple requests occur simultaneously. An attacker could exploit this by rapidly deleting and then requesting a session, potentially restoring a previously deleted session and gaining unauthorized access. This effectively allows session hijacking, granting the attacker access to the hijacked session's data and functionality. The blast radius is limited to the scope of the hijacked session, but the impact can be significant depending on the session's privileges.
CVE-2025-32441 was publicly disclosed on 2025-05-08. There is no indication of active exploitation campaigns at this time. The vulnerability is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not yet widely available, but the vulnerability's nature suggests that development of such exploits is likely.
Exploit Status: EPSS 0.10% (27th percentile)
The primary mitigation for CVE-2025-32441 is to upgrade to Rack version 2.2.14 or later, which addresses the race condition in session restoration. If an immediate upgrade is not feasible, consider temporary workarounds such as increasing the session timeout to reduce the window in which a session can be deleted and re-requested. Web application firewalls (WAFs) configured to detect and block suspicious session manipulation can provide an additional layer of defense. After upgrading, confirm the fix by simulating concurrent requests and verifying that deleted sessions are not restored.
Update the `rack` gem to version 2.2.14 or higher. Alternatively, implement atomic session invalidation by marking sessions as logged out instead of deleting them, or implement a custom session store that tracks invalidation timestamps.
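As an added illustration of the second workaround (not code from the Rack project or from this advisory), the following Ruby sketch contrasts a plain in-memory pool with a store that keeps an invalidation tombstone for each deleted session id; the store classes, their method names and the sample session are all constructed for this example.

```ruby
require 'securerandom'
# Plain in-memory pool (a constructed stand-in, not Rack's own code): a deleted
# id can be written straight back, so a stale save recreates the session.
class NaivePoolStore
  def initialize; @pool = {}; end
  def find_session(sid); @pool[sid] && @pool[sid].dup; end
  def write_session(sid, data); @pool[sid] = data; true; end
  def delete_session(sid); @pool.delete(sid); end
  def live?(sid); @pool.key?(sid); end
end

# Hardened store: deletion leaves a tombstone carrying the invalidation time, and
# writes to a tombstoned id are refused, so a stale save cannot resurrect it.
class TombstoneSessionStore < NaivePoolStore
  def initialize(tombstone_ttl: 3600)
    super()
    @lock = Mutex.new
    @invalidated_at = {} # sid => monotonic time the session was invalidated
    @ttl = tombstone_ttl # keep tombstones at least as long as a session may live
  end
  def find_session(sid)
    @lock.synchronize { @invalidated_at.key?(sid) ? nil : super(sid) }
  end
  def write_session(sid, data)
    @lock.synchronize do
      return false if @invalidated_at.key?(sid) # never resurrect an invalidated id
      super(sid, data)
    end
  end
  def delete_session(sid)
    @lock.synchronize do
      super(sid)
      @invalidated_at[sid] = now
      cutoff = now - @ttl
      @invalidated_at.delete_if { |_, t| t < cutoff } # prune expired tombstones
    end
  end
  private def now; Process.clock_gettime(Process::CLOCK_MONOTONIC); end
end

# The interleaving the advisory describes: request A loads the session, a concurrent
# logout deletes it, then A saves its stale copy. Returns true if the id is live again.
def resurrects_after_logout?(store)
  sid = SecureRandom.hex(16)
  store.write_session(sid, { 'user_id' => 42 }) # constructed sample session
  stale = store.find_session(sid)               # request A prepares the session
  store.delete_session(sid)                     # logout request deletes it
  store.write_session(sid, stale)               # request A writes its copy back
  store.live?(sid)
end
```

Running `resurrects_after_logout?` against both stores shows the plain pool restoring the deleted session while the tombstone store refuses the stale write.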
CVE-2025-32441 is a medium severity vulnerability affecting Rack versions 2.2.9 and earlier. It allows an attacker to potentially hijack a session due to a race condition when restoring deleted sessions.
If you are using Rack version 2.2.9 or earlier, you are potentially affected by this vulnerability. Upgrade to version 2.2.14 or later to mitigate the risk.
The recommended fix is to upgrade to Rack version 2.2.14 or later. If an immediate upgrade is not possible, consider temporary workarounds like increasing session timeouts.
There is currently no public evidence of active exploitation, but the vulnerability's nature suggests that exploits may be developed in the future.
Refer to the official Rack project's security advisories and release notes for detailed information: https://github.com/rack/rack/security/advisories