Platform: ruby
Component: rack
Fixed in: 2.2.15, 2.2.14
CVE-2025-32441 describes a session hijacking vulnerability in the Rack session middleware, specifically the Rack::Session::Pool component. Because of a race condition in concurrent request handling, an unauthenticated user can potentially reoccupy a Rack session that has already been deleted. The vulnerability affects Rack versions 2.2.9 and earlier, and a fix is available in version 2.2.14.
The root cause lies in how the Rack session middleware restores sessions. When a Rack request is processed, the session is prepared from the store and, once the request completes, saved back to it. When several requests touch the same session at the same time, this prepare-then-save sequence is subject to a race condition: a request that was already in flight when the session was deleted can write the old session data back to the store. An attacker could exploit this by rapidly deleting and then requesting a session, potentially restoring the previously deleted session and gaining unauthorized access. This amounts to session hijacking, giving the attacker the hijacked session's data and functionality. The blast radius is limited to the scope of the hijacked session, but the impact can be significant depending on that session's privileges.
CVE-2025-32441 was publicly disclosed on 2025-05-08. There is no indication of active exploitation campaigns at this time, and the vulnerability is not currently listed in the CISA KEV catalog. Public proof-of-concept exploits are not yet widely available, but the nature of the vulnerability suggests that such exploits are likely to be developed.
Applications built on Ruby on Rails or other frameworks that rely on Rack for session management are at risk; specifically, those running older Rack versions (2.2.9 and earlier) are vulnerable. Shared hosting environments in which multiple applications share the same Rack installation are at increased risk, since a vulnerability in one application could potentially impact the others.
• ruby / server: locate applications that use the affected session store.
  grep -r 'Rack::Session::Pool' /path/to/your/app/config.ru
• ruby / server: check the installed rack gem against known advisories.
  bundle audit --gem rack
• generic web: Check application logs for unusual session activity or errors related to session restoration.
• ruby / server: Review application code for any custom session management logic that might interact with Rack's session middleware.
EPSS: 0.10% (27th percentile)
The primary mitigation for CVE-2025-32441 is to upgrade to Rack version 2.2.14 or later, which addresses the race condition in session restoration. If an immediate upgrade is not feasible, consider temporary workarounds such as increasing the session timeout to reduce the window of opportunity for session deletion and re-request. Web application firewalls (WAFs) configured to detect and block suspicious session manipulation attempts can provide an additional layer of defense. After upgrading, confirm the fix by simulating concurrent requests and verifying that session restoration behaves as expected.
Update the `rack` gem to version 2.2.14 or later. Alternatively, implement atomic session invalidation by marking sessions as closed instead of deleting them, or implement a custom session store that tracks invalidation timestamps.
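The following is an added example, not code from Rack or from this advisory: a constructed, simplified model of a pool-style session store that replays the prepare / delete / late save-back interleaving described above, beside a variant that records an invalidation timestamp on delete and refuses a save-back from a request that loaded the session before that point. The class and method names (`NaivePoolStore`, `TombstoneStore`, `resurrected_after_race?`) are assumptions for the illustration and do not correspond to Rack's API.

```ruby
require 'monitor'

# Monotonic clock for a request's load time and for invalidation marks.
def now_ts; Process.clock_gettime(Process::CLOCK_MONOTONIC); end

# Constructed model of a pool-style store (not Rack::Session::Pool itself):
# delete removes the entry, and any later write simply recreates it.
class NaivePoolStore
  def initialize; @pool = {}; @lock = Monitor.new; end
  def read(sid); @lock.synchronize { @pool[sid]&.dup }; end
  def exists?(sid); @lock.synchronize { @pool.key?(sid) }; end
  def delete(sid); @lock.synchronize { @pool.delete(sid) }; end
  # loaded_at: when the request first loaded the session (ignored here).
  def write(sid, data, loaded_at:)
    @lock.synchronize { @pool[sid] = data }
    true
  end
end

# Hardened variant: delete records an invalidation timestamp, and a
# save-back whose load time is not after that timestamp is refused, so a
# request that began before the logout cannot bring the session back.
class TombstoneStore < NaivePoolStore
  def initialize; super; @invalidated_at = {}; end
  def delete(sid)
    @lock.synchronize { @invalidated_at[sid] = now_ts; super }
  end
  def write(sid, data, loaded_at:)
    @lock.synchronize do
      dead_at = @invalidated_at[sid]
      return false if dead_at && loaded_at <= dead_at
      super
    end
  end
end

# Replays the interleaving from the advisory: request A loads the session,
# a concurrent logout deletes it, then A's save-back arrives late. Returns
# true when the deleted session is present again afterwards.
def resurrected_after_race?(store)
  sid = 'sess-1'                                   # constructed session id
  store.write(sid, { 'user_id' => 42 }, loaded_at: now_ts)
  loaded_at = now_ts
  data = store.read(sid)                           # A: session prepared
  store.delete(sid)                                # logout: session deleted
  store.write(sid, data, loaded_at: loaded_at)     # A: late save-back
  store.exists?(sid)
end
```

With the naive store the deleted session is present again after the late save-back; with the tombstone store the save-back is refused and the session stays gone.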
CVE-2025-32441 is a medium severity vulnerability affecting Rack versions 2.2.9 and earlier. It allows an attacker to potentially hijack a session due to a race condition when restoring deleted sessions.
If you are using Rack version 2.2.9 or earlier, you are potentially affected by this vulnerability. Upgrade to version 2.2.14 or later to mitigate the risk.
The recommended fix is to upgrade to Rack version 2.2.14 or later. If an immediate upgrade is not possible, consider temporary workarounds like increasing session timeouts.
There is currently no public evidence of active exploitation, but the vulnerability's nature suggests that exploits may be developed in the future.
Refer to the official Rack project's security advisories and release notes for detailed information: https://github.com/rack/rack/security/advisories