CVE-2025-32441 — Race Condition in Rack

CWE-362 — Race Condition CWE-367 — Time-of-check Time-of-use (TOCTOU) Race Condition CWE-613 — Insufficient Session Expiration8 documents6 sources

Severity

4.2MEDIUMNVD

EPSS

0.1%

top 73.56%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Rack Debian Ruby-rack

Timeline

PublishedMay 7

Latest updateMay 12

Description

Rack is a modular Ruby web server interface. Prior to version 2.2.14, when using the `Rack::Session::Pool` middleware, simultaneous rack requests can restore a deleted rack session, which allows the unauthenticated user to occupy that session. Rack session middleware prepares the session at the beginning of request, then saves is back to the store with possible changes applied by host rack application. This way the session becomes to be a subject of race conditions in general sense over concurre…

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:NExploitability: 1.6 | Impact: 2.5

Affected Packages3 packages

▶debiandebian/ruby-rack< ruby-rack 2.2.20-0+deb12u1 (bookworm)

▶NVDrack/rack< 2.2.14

▶RubyGemsrack/rack< 2.2.14

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

ruby-rack vulnerabilities↗2025-05-12

▶

GHSA

Rack session gets restored after deletion↗2025-05-08

▶

OSV

Rack session gets restored after deletion↗2025-05-08

▶

OSV

CVE-2025-32441: Rack is a modular Ruby web server interface↗2025-05-07

▶

📋Vendor Advisories

Ubuntu

Rack vulnerabilities↗2025-05-12

▶

Red Hat

rack: Rack Session Reuse Vulnerability↗2025-05-07

▶

Debian

CVE-2025-32441: ruby-rack - Rack is a modular Ruby web server interface. Prior to version 2.2.14, when using...↗2025

▶