CVE-2025-25184

Affects
Rack
<2.2.11, <3.0.12, <3.1.10
in
Rails
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs

Overview

Rack provides an interface for developing web applications in Ruby. A vulnerability was identified in the Rack::CommonLogger component, where attackers can exploit CRLF injection to manipulate log entries. The issue arises when usernames containing CRLF characters are logged, which can break the log format or insert fraudulent entries. This affects versions before 2.2.11, 3.0.12, and 3.1.10.

Details

Module Info

Product: Rack

Affected packages: rack

Affected versions: <2.2.11, <3.0.12, <3.1.10

GitHub repository: https://github.com/rack/rack

Published packages: https://rubygems.org/gems/rack

Package manager: RubyGems

Fixed in: Rack v2.2.11, v3.0.12, v3.1.10

Vulnerability Info

CVE-2025-25184 is a medium-severity vulnerability in Rack::CommonLogger, affecting versions before 2.2.11, 3.0.12, and 3.1.10. It allows CRLF characters to be injected into log entries via malicious usernames, potentially obscuring real activities or injecting malicious data into log files. The issue occurs when the application logs usernames containing CRLF characters, which can manipulate the log format.

Steps To Reproduce

1. Set up a Rack application using an affected version.
2. Create a user with a username containing CRLF characters.
3. Log in using this username.
4. Observe the log entries to see whether the malicious username affects the log format.

Credit

HexSave

Mitigation

Upgrade to Rack versions 2.2.11, 3.0.12, or 3.1.10 where the issue is fixed. If an upgrade is not possible, consider using a commercial support partner like HeroDevs to implement a custom logging solution that sanitizes log inputs.
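As an added example (not Rack's or HeroDevs' code), a Common Log Format writer in the style of Rack::CommonLogger that escapes control characters in every field before they reach the log, so a CR or LF in REMOTE_USER cannot start a second entry; the env hash below is constructed and the helper names are my own.

```ruby
# Added example, not Rack's own code: a sanitizing Common Log Format
# writer modelled on Rack::CommonLogger, for deployments that cannot yet
# upgrade. Field names are the standard Rack env keys (REMOTE_USER etc.).

# Replace CR, LF and every other control character with a visible \xNN
# escape so one request can never produce more than one log line.
def sanitize_log_field(value)
  str = value.to_s
  return "-" if str.empty?
  str.gsub(/[\x00-\x1f\x7f]/) { |c| format("\\x%02X", c.ord) }
end

# Build one Common Log Format line from a Rack env hash and the response.
# Every env-derived field passes through sanitize_log_field.
def common_log_line(env, status, length, started_at, finished_at = Time.now)
  query = env["QUERY_STRING"].to_s
  format(
    '%s - %s [%s] "%s %s%s %s" %d %s %0.4f',
    sanitize_log_field(env["HTTP_X_FORWARDED_FOR"] || env["REMOTE_ADDR"]),
    sanitize_log_field(env["REMOTE_USER"]),
    started_at.strftime("%d/%b/%Y:%H:%M:%S %z"),
    sanitize_log_field(env["REQUEST_METHOD"]),
    sanitize_log_field(env["PATH_INFO"]),
    query.empty? ? "" : "?#{sanitize_log_field(query)}",
    sanitize_log_field(env["SERVER_PROTOCOL"]),
    status.to_s[0..2].to_i,
    length.nil? ? "-" : length.to_s,
    finished_at - started_at
  )
end

# Constructed request: the username carries CRLF followed by text shaped
# like a second, forged log entry. Unsanitized, this would become two lines.
CONSTRUCTED_ENV = {
  "REMOTE_ADDR" => "203.0.113.10",
  "REMOTE_USER" => "alice\r\n10.0.0.1 - admin [01/Jan/2025:00:00:00 +0000] \"GET /admin HTTP/1.1\" 200 -",
  "REQUEST_METHOD" => "GET",
  "PATH_INFO" => "/profile",
  "QUERY_STRING" => "",
  "SERVER_PROTOCOL" => "HTTP/1.1"
}.freeze

if __FILE__ == $PROGRAM_NAME
  line = common_log_line(CONSTRUCTED_ENV, 200, "512", Time.now)
  puts line
  puts "lines written: #{line.lines.size}" # stays 1 despite the CRLF
end
```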

Vulnerability Details
ID
CVE-2025-25184
PROJECT Affected
Rack
Versions Affected
<2.2.11, <3.0.12, <3.1.10
Published date
February 14, 2025
Fix date
February 14, 2025
Severity
Medium
Category