CVE-2025-32441.yml
---
gem: rack
cve: 2025-32441
ghsa: vpfw-47h7-xj4g
url: https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj
title: Rack session gets restored after deletion
date: 2025-05-08
description: |
  ### Summary
  When using the `Rack::Session::Pool` middleware, simultaneous rack
  requests can restore a deleted rack session, which allows the
  unauthenticated user to occupy that session.

  ### Details
  [Rack session middleware](https://github.com/rack/rack/blob/v2.2.13/lib/rack/session/abstract/id.rb#L263-L270)
  prepares the session at the beginning of the request, then saves it back
  to the store with any changes applied by the host rack application.
  This way the session becomes subject to race conditions in the general
  sense over concurrent rack requests.

  ### Impact
  When using the `Rack::Session::Pool` middleware, and provided the
  attacker can acquire a session cookie (already a major issue), the
  session may be restored if the attacker can trigger a long running
  request (within that same session) adjacent to the user logging out,
  in order to retain illicit access even after a user has attempted to logout.

  ### Mitigation
  - Update to the latest version of `rack`, or
  - Ensure your application invalidates sessions atomically by marking
    them as logged out, e.g. using a `logged_out` flag, instead of
    deleting them, and check this flag on every request to prevent reuse, or
  - Implement a custom session store that tracks session invalidation
    timestamps and refuses to accept session data if the session was
    invalidated after the request began.

  ### Related
  As this code was moved to `rack-session` in Rack 3+, see
  <https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj>
  for the equivalent advisory in `rack-session` (affecting Rack 3+ only).
cvss_v3: 4.2
patched_versions:
  - ">= 2.2.14"
related:
  ghsa:
    - 9j94-67jr-4cqj
  url:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-32441
    - https://github.com/rack/rack/security/advisories/GHSA-vpfw-47h7-xj4g
    - https://github.com/rack/rack/commit/c48e52f7c57e99e1e1bf54c8760d4f082cd1c89d
    - https://github.com/rack/rack/blob/v2.2.13/lib/rack/session/abstract/id.rb#L263-L270
    - https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj
    - https://github.com/advisories/GHSA-vpfw-47h7-xj4g
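The third mitigation in the advisory (a store that tracks invalidation and refuses stale write-backs) is illustrated below, appended here as an added example that is not rack's, rack-session's or the advisory's own code. It models a pool-style store in plain Ruby rather than subclassing rack's session classes, so it runs without the gem. The class names, the logical clock used in place of wall-clock timestamps, and the session id are constructed for this illustration; `session_survives_logout?` replays the interleaving the advisory describes against the naive store and against the invalidation-aware one.

```ruby
# Added example (not rack's or rack-session's code): a minimal in-memory
# pool-style session store that records when each session id was
# invalidated and refuses to write back data from a request that began
# before that invalidation. Class names, the logical clock and the sample
# session id are constructed for this illustration.

class NaivePoolStore
  def initialize
    @pool = {}
    @mutex = Mutex.new
    @tick = 0
  end

  # Logical clock: every request records the tick at which it began.
  def start_request
    @mutex.synchronize { @tick += 1 }
  end

  # Each request works on its own copy of the session data, which is what
  # lets a stale copy be written back after the session has been deleted.
  def find_session(sid)
    @mutex.synchronize { (@pool[sid] || {}).dup }
  end

  # The naive store accepts any write-back, regardless of when the request began.
  def write_session(sid, data, request_started_at:)
    @mutex.synchronize { @pool[sid] = data.dup }
    true
  end

  def delete_session(sid)
    @mutex.synchronize { @pool.delete(sid) }
  end

  def exists?(sid)
    @mutex.synchronize { @pool.key?(sid) }
  end
end

class InvalidationAwarePoolStore < NaivePoolStore
  def initialize
    super
    @invalidated_at = {}
  end

  # Deleting and recording the invalidation tick happen under one lock,
  # so no concurrent write can slip in between the two steps.
  def delete_session(sid)
    @mutex.synchronize do
      @pool.delete(sid)
      @invalidated_at[sid] = (@tick += 1)
    end
  end

  # Refuse data from any request that began before the session was invalidated.
  def write_session(sid, data, request_started_at:)
    @mutex.synchronize do
      invalidated = @invalidated_at[sid]
      return false if invalidated && invalidated > request_started_at
      @pool[sid] = data.dup
      true
    end
  end
end

CONSTRUCTED_SID = 'sid-constructed-0001'

# Replays the interleaving from the advisory: a long-running request reads
# the session, the user logs out, then the long request writes its stale
# copy back. Returns whether the session still exists afterwards.
def session_survives_logout?(store, sid = CONSTRUCTED_SID)
  login = store.start_request
  store.write_session(sid, { 'user_id' => 42 }, request_started_at: login)

  long_request = store.start_request
  stale = store.find_session(sid)   # copy taken before the logout

  store.start_request               # the logout request begins ...
  store.delete_session(sid)         # ... and deletes the session

  stale['last_seen'] = 'constructed'
  store.write_session(sid, stale, request_started_at: long_request)

  store.exists?(sid)
end

# A request that begins after the logout must still be able to write, so
# the check is per request, not a permanent ban on the session id.
def later_request_can_write?(store, sid = CONSTRUCTED_SID)
  session_survives_logout?(store, sid)
  later = store.start_request
  store.write_session(sid, { 'user_id' => 7 }, request_started_at: later)
end

if $PROGRAM_NAME == __FILE__
  puts "naive store, session survives logout: #{session_survives_logout?(NaivePoolStore.new)}"
  puts "aware store, session survives logout: #{session_survives_logout?(InvalidationAwarePoolStore.new)}"
end
```

Because the check lives in the store's write path rather than in application code, the stale write-back is rejected even though the long-running request never learns that a logout happened; a real implementation would persist the invalidation record with the same durability and TTL as the session data itself, and the request start time would come from the request rather than from a counter.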