CVE-2025-27111
Published 2025-03-04. CVE-2025-27111: Rack is a modular Ruby web server interface. The Rack::Sendfile middleware logs unsanitised header values from the X-Sendfile-Type header. An attacker can…
Priority P345 · high · CVSS 3.1 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS: 0.70% (48.4th percentile)
Rack is a modular Ruby web server interface. The Rack::Sendfile middleware logs unsanitised header values from the X-Sendfile-Type header. An attacker can exploit this by injecting escape sequences (such as newline characters) into the header, resulting in log injection. This vulnerability is fixed in 2.2.12, 3.0.13, and 3.1.11.
Affected (9 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| debian | ruby-rack | < ruby-rack 2.2.13-1~deb12u1 (bookworm) | ruby-rack 2.2.13-1~deb12u1 (bookworm) |
| rack | rack | < 2.2.12 | 2.2.12 |
| rack | rack | — | — |
| rack | rack | — | — |
| rack | rack | >= 0 < 2.2.12 | 2.2.12 |
| rack | rack | >= 3.0 < 3.0.13 | 3.0.13 |
| rack | rack | >= 3.0.0 < 3.0.13 | 3.0.13 |
| rack | rack | >= 3.1 < 3.1.11 | 3.1.11 |
| rack | rack | >= 3.1.0 < 3.1.11 | 3.1.11 |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.5 | HIGH | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N |
| nvd | v4.0 | 6.9 | MEDIUM | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| osv | — | 6.9 | MEDIUM | — |
| vendor_debian | — | 6.9 | MEDIUM | — |
| vendor_redhat | — | 6.9 | MEDIUM | — |
| vendor_ubuntu | — | 6.5 | MEDIUM | — |
OSV | ruby-rack vulnerabilities | osv · 2025-07-23 · CVSS 5.7 | CVE-2025-25184 [MEDIUM]
USN-7366-1 fixed vulnerabilities in Rack. This update provides the corresponding updates for Ubuntu 25.04.
Original advisory details:
Nhật Thái Đỗ discovered that Rack incorrectly handled certain usernames. A remote attacker could possibly use this issue to perform CRLF injection. (CVE-2025-25184)
Phạm Quang Minh discovered that Rack incorrectly handled certain headers. A remote attacker could possibly use this issue to perform log injection. (CVE-2025-27111)
Phạm Quang Minh discovered that Rack did not properly handle relative file paths. A remote attacker could potentially exploit this to include local files that should have been inaccessible. (CVE-2025-27610)
OSV | ruby-rack vulnerabilities | osv · 2025-03-24 · CVSS 5.7 | CVE-2025-25184 [MEDIUM]
GHSA | Escape Sequence Injection vulnerability in Rack lead to Possible Log Injection | ghsa · 2025-03-04 | CVE-2025-27111 [MEDIUM] CWE-117
## Summary
`Rack::Sendfile` can be exploited by crafting input that includes newline characters to manipulate log entries.
## Details
The `Rack::Sendfile` middleware logs unsanitized header values from the `X-Sendfile-Type` header. An attacker can exploit this by injecting escape sequences (such as newline characters) into the header, resulting in log injection.
## Impact
This vulnerability can distort log files, obscure attack traces, and complicate security auditing.
## Mitigation
- Update to the latest version of Rack, or
- Remove usage of `Rack::Sendfile`.
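The advisory describes the general shape of the defect (a raw request-header value interpolated into a log line) and the mitigation (upgrade, or drop the middleware). The following Ruby example is added here to show the defensive pattern a reviewer would look for; it is not Rack's code and not the upstream fix (the fix commits are in the references below). The `SafeHeaderLogger` middleware, its list of known variations and the log message wording are assumptions made for the example; the injected header value and the request environment are constructed inline.

```ruby
require 'stringio'

# C0 control characters plus DEL: these can split one log record into two
# (CR/LF) or drive a terminal (ESC), which is the CWE-117 risk described above.
CONTROL_CHARS = /[\x00-\x1f\x7f]/.freeze

# Neutralise control characters so a logged value occupies exactly one line.
# Printable text passes through unchanged; invalid bytes are scrubbed first
# so that the regex never raises on a malformed header.
def sanitize_for_log(value)
  value.to_s.scrub('?').gsub(CONTROL_CHARS) do |c|
    case c
    when "\n" then '\n'
    when "\r" then '\r'
    when "\e" then '\e'
    else format('\x%02X', c.ord)
    end
  end
end

# Vulnerable pattern (as described in the advisory): raw value in the log line.
def log_line_unsafe(variation)
  "Unknown x-sendfile variation: '#{variation}'\n"
end

# Hardened pattern: same message, value neutralised before interpolation.
def log_line_safe(variation)
  "Unknown x-sendfile variation: '#{sanitize_for_log(variation)}'\n"
end

# Hypothetical Rack-style middleware (not Rack::Sendfile) that writes a
# diagnostic for unrecognised X-Sendfile-Type values using the safe form.
class SafeHeaderLogger
  # Assumed list of accepted variations for the example.
  KNOWN = %w[X-Accel-Redirect X-Sendfile X-Lighttpd-Send-File].freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    variation = env['HTTP_X_SENDFILE_TYPE']
    if variation && !KNOWN.include?(variation)
      env['rack.errors'].write(log_line_safe(variation))
    end
    @app.call(env)
  end
end

# Run the middleware over a constructed request and return what reached
# rack.errors, so the effect of sanitising can be inspected directly.
def demo(header_value)
  errors = StringIO.new
  app = SafeHeaderLogger.new(->(_env) { [200, {}, ['ok']] })
  env = { 'HTTP_X_SENDFILE_TYPE' => header_value, 'rack.errors' => errors }
  app.call(env)
  errors.string
end

if __FILE__ == $PROGRAM_NAME
  # Constructed header value carrying a newline followed by text shaped
  # like a second, forged log record.
  injected = "X-Accel-Redirect\n127.0.0.1 - - \"GET /admin\" 200"
  puts "unsafe: #{log_line_unsafe(injected).lines.size} line(s)"
  puts "safe:   #{log_line_safe(injected).lines.size} line(s)"
  print demo(injected)
end
```

The escaping keeps the record on one physical line while still preserving the evidence (the `\n` and the forged text remain visible), which is what an auditor wants when reviewing logs for tampering attempts. A reviewer checking a middleware for this class of bug should look for any request-controlled value reaching a logger without passing through such a step.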
OSV | Escape Sequence Injection vulnerability in Rack lead to Possible Log Injection | osv · 2025-03-04 | CVE-2025-27111 [MEDIUM]
OSV | CVE-2025-27111: Rack is a modular Ruby web server interface | osv · 2025-03-04 · CVSS 6.9 | CVE-2025-27111 [MEDIUM]
Ubuntu | Rack vulnerabilities | vendor_ubuntu · 2025-07-23 · CVSS 6.5 | CVE-2025-25184 [MEDIUM]
Summary: Several security issues were fixed in Rack.
Instructions: In general, a standard syst
Ubuntu | Rack vulnerabilities | vendor_ubuntu · 2025-03-24 · CVSS 6.5 | CVE-2025-27610 [MEDIUM]
Summary: Several security issues were fixed in Rack.
Instructions: In general, a standard system update will make all the necessary changes.
Red Hat | rack: rubygem-rack: Escape Sequence Injection vulnerability in Rack lead to Possible Log Injection | vendor_redhat · 2025-03-04 · CVSS 6.9 | CVE-2025-27111 [MEDIUM] CWE-117
A flaw was found in Rack Rubygem, where the Rack::Sendfile middleware logs unsanitized header values from the X-Sendfile-Type header. This flaw allows an attacker to inject escape sequences, such as newline characters, into the header, resulting in log injection.
Mitigation: To mitigate this vulnerability, remove usage of Rack::Sendfile.
Package: openshift-logging
Debian | CVE-2025-27111: ruby-rack | vendor_debian · 2025 · CVSS 6.9 | CVE-2025-27111 [MEDIUM]
Scope: local
bookworm: resolved (fixed in 2.2.13-1~deb12u1)
bullseye: resolved (fixed in 2.1.4-3+deb11u3)
forky: resolved (fixed in 3.1.12-1)
sid: resolved (fixed in 3.1.12-1)
trixie: resolved (fixed in 3.1.12-1)
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
References:
- https://github.com/rack/rack/commit/803aa221e8302719715e224f4476e438f2531a53
- https://github.com/rack/rack/commit/aeac570bb8080ca7b53b7f2e2f67498be7ebd30b
- https://github.com/rack/rack/commit/b13bc6bfc7506aca3478dc5ac1c2ec6fc53f82a3
- https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v
- https://lists.debian.org/debian-lts-announce/2025/03/msg00016.html
Published: 2025-03-04