#VU105794 CRLF injection in Rack - CVE-2025-25184


Vulnerability identifier: #VU105794

Vulnerability risk: Low

CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-25184

CWE-ID: CWE-93

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Rack
Web applications / Modules and components for CMS

Vendor: Rack

Description

The vulnerability allows a remote user to manipulate data log entries.

The vulnerability exists due to insufficient validation of attacker-supplied data in Rack::CommonLogger. A remote user can pass specially crafted authorization credentials containing CR-LF characters to the Rack::Auth::Basic method, which stores this info into the to the env['REMOTE_USER'] variable. If the application accepts CR-LF characters in user name, a remote user can manipulate data log entries.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Rack: 2.2.0 - 2.2.10, 3.0.0 - 3.0.10, 3.1.0 - 3.1.10

External links
https://github.com/rack/rack/commit/074ae244430cda05c27ca91cda699709cfb3ad8e
https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability


Debian update for ruby-rack
Ubuntu update for ruby-rack
openEuler update for rubygem-rack
Multiple vulnerabilities in IBM License Metric Tool
SUSE update for rubygem-rack
SUSE update for rubygem-rack-1_6
Multiple vulnerabilities in OpenShift Logging 5.9
CRLF injection in Rack