Platform
ruby
Component
rack
Fixed in
2.2.11
3.0.12
3.1.10
CVE-2025-25184 is a log injection vulnerability in Rack, the Ruby web server interface library. An attacker who authenticates through Rack::Auth::Basic with a username containing carriage-return or line-feed characters can inject arbitrary lines into the access log written by Rack::CommonLogger. Affected releases are Rack before 2.2.11, the 3.0 series before 3.0.12 and the 3.1 series before 3.1.10; the fix shipped in 2.2.11, 3.0.12 and 3.1.10.
The mechanism is simple. HTTP Basic credentials travel base64-encoded in the Authorization header, and Rack::Auth::Basic decodes them without restricting which characters the username may contain. Once the application's authenticator block accepts the credentials, the middleware stores the username in env['REMOTE_USER']; Rack::CommonLogger later writes that value verbatim into the Common Log Format line. A CRLF sequence in the username therefore terminates the genuine entry early, and everything after it becomes the start of a new, attacker-controlled line, which the real timestamp and request fields of the original entry then complete. Because REMOTE_USER is only set after the authenticator returns true, the attacker needs credentials the application accepts, or an authenticator that validates only the password. The consequence is forged log entries rather than code or command execution: requests can be attributed to another user, malicious activity can be buried under fabricated lines, log parsers and SIEM rules can be confused, and alerts can be triggered on false positives. The blast radius is confined to the logging pipeline, but that is significant wherever logs serve as an audit trail or as input to security monitoring.
This vulnerability was publicly disclosed on February 12, 2025. There is a publicly available proof-of-concept demonstrating the log injection technique. The vulnerability's severity is rated as medium. It is not currently listed on the CISA KEV catalog, and there are no reports of active exploitation campaigns at this time.
Applications that authenticate with Rack::Auth::Basic and log with Rack::CommonLogger (or any logger that echoes REMOTE_USER unescaped) are at risk, especially where the authenticator does not constrain the characters allowed in a username. Environments in which several applications write to the same log stream or SIEM deserve particular attention, since a forged line from one application can masquerade as activity of another.
• ruby / server: confirm which Rack the application actually loads: grep -E '^    rack \(' Gemfile.lock or bundle exec ruby -e 'require "rack"; puts Rack.release'
• ruby / server: look for bare carriage returns in LF-terminated logs, the residue an injected CRLF leaves on the split entry: grep -rlP '\r' /var/log/your_app/*.log (a plain grep '\r\n' does not work, because without -P the backslash sequences match the letters r and n)
• ruby / server: journalctl -u your_app -o cat | grep -P '\r'
• generic web: the username is carried base64-encoded in the Authorization header, not in the query string, so test with a password the authenticator accepts: curl -s -o /dev/null -H "Authorization: Basic $(printf 'test\r\nINJECTED - - [x] "GET /forged HTTP/1.1" 200 0:password' | base64 | tr -d '\n')" http://your-app.com/ and then check whether the application log gained a line starting with INJECTED. A rejected login (401) never reaches the log with the crafted username, because Rack::Auth::Basic sets REMOTE_USER only after the authenticator accepts the credentials.
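The grep commands above only find the carriage return itself. The following is an added example, not code from this page or from the Rack project, showing the same check as detection logic a practitioner can run over exported Common Log Format output: it flags the fragment that the injected CRLF split off, and also the line that follows it, because the forged entry may parse as a perfectly well-formed line. The sample log and the function name are constructed for the demo; the user-field regex assumes usernames contain no whitespace.

```ruby
# Added example (not from this page or the Rack project): detection logic that
# scans Common Log Format output for the residue CRLF injection through
# REMOTE_USER leaves behind. The sample log is constructed for the demo.

# Shape of a well-formed Rack::CommonLogger entry (duration optional). The user
# field is assumed to have no whitespace; adjust if your authenticator allows it.
CLF_LINE = /\A\S+ - \S+ \[[^\]]+\] "[A-Z]+ \S+ HTTP\/\d(?:\.\d)?" \d{3} (?:-|\d+)(?: \d+\.\d+)?\z/

# Returns one finding per suspicious line: {line:, text:, reasons:}.
# An injected CRLF splits the real entry; the first fragment keeps a bare CR
# (the logger itself terminates entries with LF only) and no longer parses as
# CLF, while the forged text that follows may parse perfectly, so the line
# after a CR-terminated fragment is reported as well.
def suspicious_log_lines(log_text)
  findings = []
  after_fragment = false
  log_text.split("\n").each_with_index do |line, i|
    reasons = []
    reasons << 'contains a bare carriage return' if line.include?("\r")
    reasons << 'does not match the Common Log Format' unless CLF_LINE.match?(line)
    reasons << 'follows a CR-terminated fragment (likely injected)' if after_fragment
    findings << { line: i + 1, text: line, reasons: reasons } unless reasons.empty?
    after_fragment = line.end_with?("\r")
  end
  findings
end

# Constructed sample: line 2 is the split real entry, line 3 the forged one
# that the attacker's username completed using the real request's fields.
SAMPLE_LOG =
  "203.0.113.7 - alice [12/Feb/2025:10:00:00 +0000] \"GET /reports HTTP/1.1\" 200 512 0.0031\n" \
  "203.0.113.7 - alice\r\n" \
  "203.0.113.7 - admin [12/Feb/2025:10:00:01 +0000] \"DELETE /users/42 HTTP/1.1\" 200 0 0.0044\n" \
  "198.51.100.9 - - [12/Feb/2025:10:00:05 +0000] \"POST /login HTTP/1.1\" 401 0 0.0010\n"

if __FILE__ == $PROGRAM_NAME
  suspicious_log_lines(SAMPLE_LOG).each do |f|
    puts "line #{f[:line]}: #{f[:reasons].join('; ')}\n  #{f[:text].inspect}"
  end
end
```

Run it against a log file with `suspicious_log_lines(File.read(path))`. Lines 2 and 3 of the sample are reported; the forged DELETE entry on line 3 would pass any format check on its own, which is why the bare CR on the preceding fragment is the signal to key on.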
Disclosure
Exploit status
EPSS
1.07% (78th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2025-25184 is to upgrade to a fixed Rack release for the series in use: 2.2.11, 3.0.12 or 3.1.10. If upgrading is not immediately feasible, validate the username inside the Rack::Auth::Basic authenticator block and reject (or strip) CR and LF before the value is stored in REMOTE_USER and reaches Rack::CommonLogger. A web application firewall can add a temporary layer of protection only if it decodes the base64 Authorization header and inspects the username inside it; filtering query parameters or form fields does nothing here. Review server logs for entries containing bare carriage returns or for lines that do not parse as Common Log Format, which may indicate exploitation.
Update the Rack gem to the fixed release for your series (2.2.11, 3.0.12 or 3.1.10). In a Bundler-managed application run `bundle update rack --conservative` so that Gemfile.lock is updated; `gem update rack` alone only updates the globally installed gem and does not change the version the application loads.
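The following is an added example, not code from this page or from the Rack project. It reproduces the behaviour described above (Rack::Auth::Basic copying the username into REMOTE_USER, Rack::CommonLogger writing it unescaped) with small stand-ins that run offline without the rack gem, and then shows the two mitigations from the paragraphs above side by side: username validation in the authenticator, and a sanitizing middleware placed after Rack::Auth::Basic as defence in depth. WEAK_AUTH, STRICT_AUTH, SanitizeRemoteUser, INNER_APP and the request values are hypothetical and constructed for the demo; the log format mirrors the field order of Rack::CommonLogger with the duration omitted.

```ruby
# Added example (not Rack's own code, not from this page): minimal stand-ins
# for the two pieces of Rack involved, so the injection and the fixes can be
# reproduced offline without installing the rack gem. Names such as WEAK_AUTH,
# STRICT_AUTH and SanitizeRemoteUser are hypothetical.

FIXED_TIME = Time.utc(2025, 2, 12, 10, 0, 0)

# Decode an HTTP Basic Authorization header into [username, password].
# Like Rack::Auth::Basic::Request#credentials, it does not validate the
# characters that appear in the username.
def basic_credentials(authorization)
  scheme, encoded = authorization.to_s.split(' ', 2)
  return nil unless scheme && encoded && scheme.casecmp?('basic')
  encoded.unpack1('m').split(':', 2)
end

# One entry in the field order Rack::CommonLogger uses (duration omitted).
# Writing REMOTE_USER into the line unescaped is the vulnerable behaviour:
# a CRLF inside it terminates the entry early and starts a second one.
def common_log_line(env, status, length, now)
  format(%(%s - %s [%s] "%s %s %s" %d %s\n),
         env['REMOTE_ADDR'] || '-',
         env['REMOTE_USER'] || '-',
         now.strftime('%d/%b/%Y:%H:%M:%S %z'),
         env['REQUEST_METHOD'], env['PATH_INFO'], env['SERVER_PROTOCOL'],
         status, length)
end

# Defence in depth: middleware mounted after Rack::Auth::Basic that strips
# CR/LF from REMOTE_USER before the request unwinds back to
# Rack::CommonLogger, which reads env['REMOTE_USER'] only when it writes.
class SanitizeRemoteUser
  def initialize(app)
    @app = app
  end

  def call(env)
    env['REMOTE_USER'] = env['REMOTE_USER'].gsub(/[\r\n]/, '?') if env['REMOTE_USER']
    @app.call(env)
  end
end

# Authenticators for the demo. The weak one checks only the password, so any
# username passes; the strict one applies the input validation recommended
# above and rejects usernames carrying CR or LF.
WEAK_AUTH   = ->(_user, pass) { pass == 'hunter2' }
STRICT_AUTH = ->(user, pass) { !user.match?(/[\r\n]/) && pass == 'hunter2' }

INNER_APP = ->(_env) { [200, { 'content-type' => 'text/plain' }, ['ok']] }

# Constructed request environment with the credentials in the header.
def request_env(username, password)
  {
    'REMOTE_ADDR' => '203.0.113.7',
    'REQUEST_METHOD' => 'GET',
    'PATH_INFO' => '/reports',
    'SERVER_PROTOCOL' => 'HTTP/1.1',
    'HTTP_AUTHORIZATION' => 'Basic ' + ["#{username}:#{password}"].pack('m0'),
  }
end

# Run one request through Basic auth, the optional sanitizer and the logger;
# returns the text the logger would write.
def handle(env, authenticator, sanitize: false)
  user, pass = basic_credentials(env['HTTP_AUTHORIZATION'])
  unless user && authenticator.call(user, pass)
    return common_log_line(env, 401, 0, FIXED_TIME) # REMOTE_USER never set
  end
  env['REMOTE_USER'] = user # what Rack::Auth::Basic does on success
  app = sanitize ? SanitizeRemoteUser.new(INNER_APP) : INNER_APP
  status, _headers, body = app.call(env)
  common_log_line(env, status, body.join.bytesize, FIXED_TIME)
end

# A username that closes the real entry and opens a forged one attributing
# the same request to "admin". The real timestamp and request fields then
# complete the forged line, so it looks perfectly well formed.
INJECTED_USER = "alice\r\n203.0.113.7 - admin"

if __FILE__ == $PROGRAM_NAME
  puts handle(request_env(INJECTED_USER, 'hunter2'), WEAK_AUTH)                 # 2 lines: fragment + forged entry
  puts handle(request_env(INJECTED_USER, 'hunter2'), WEAK_AUTH, sanitize: true) # 1 line, CR/LF replaced by '?'
  puts handle(request_env(INJECTED_USER, 'hunter2'), STRICT_AUTH)               # 1 line, 401, user "-"
end
```

In a real stack the equivalent wiring is `use Rack::CommonLogger`, then `use Rack::Auth::Basic do |user, pass| ... end` with the CR/LF check inside the block, then the sanitizer, then `run app`; the sanitizer works because all three middlewares share the same env hash and CommonLogger reads REMOTE_USER only after the inner app has returned. Prefer rejecting such usernames outright over rewriting them, so that the attempt itself is visible as a 401.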
CVE-2025-25184 is a medium severity vulnerability in Ruby Rack (before 2.2.11, 3.0.x before 3.0.12, 3.1.x before 3.1.10) that allows an authenticated attacker to inject forged entries into server logs by supplying a Basic-auth username containing CRLF sequences.
You are affected if your application uses Rack::Auth::Basic together with Rack::CommonLogger on one of those versions. Check the version the application actually loads with `bundle exec ruby -e 'require "rack"; puts Rack.release'` (or the `rack` entry in Gemfile.lock) and upgrade if necessary.
Upgrade to Rack 2.2.11, 3.0.12 or 3.1.10 (whichever matches your series) to resolve the vulnerability. As a temporary workaround, reject or sanitize usernames containing CR or LF in the Rack::Auth::Basic authenticator.
There are no confirmed reports of active exploitation at this time, but a proof-of-concept is publicly available.
Refer to the Rack project's official website and security advisories for the latest information: https://rack.rubyforge.org/ (the project is now developed at https://github.com/rack/rack, where its security advisories are published).