Updated advisory posts against rubysec/ruby-advisory-db@1f5c25f · rubysec/rubysec.github.io@129540d · GitHub

Commit 129540d

jasnow authored and RubySec CI committed
Updated advisory posts against rubysec/ruby-advisory-db@1f5c25f
1 parent 58a0875 commit 129540d

File tree

3 files changed

+189
-0
lines changed

Lines changed: 64 additions & 0 deletions
@@ -0,0 +1,64 @@
1+
---
2+
layout: advisory
3+
title: 'CVE-2025-32441 (rack): Rack session gets restored after deletion'
4+
comments: false
5+
categories:
6+
- rack
7+
advisory:
8+
gem: rack
9+
cve: 2025-32441
10+
ghsa: vpfw-47h7-xj4g
11+
url: https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj
12+
title: Rack session gets restored after deletion
13+
date: 2025-05-08
14+
description: |
15+
### Summary
16+
17+
When using the `Rack::Session::Pool` middleware, simultaneous rack
18+
requests can restore a deleted rack session, which allows the
19+
unauthenticated user to occupy that session.
20+
21+
### Details
22+
23+
[Rack session middleware](https://github.com/rack/rack/blob/v2.2.13/lib/rack/session/abstract/id.rb#L263-L270)
24+
prepares the session at the beginning of request, then saves is back
25+
to the store with possible changes applied by host rack application.
26+
This way the session becomes to be a subject of race conditions in
27+
general sense over concurrent rack requests.
28+
29+
### Impact
30+
31+
When using the `Rack::Session::Pool` middleware, and provided the
32+
attacker can acquire a session cookie (already a major issue), the
33+
session may be restored if the attacker can trigger a long running
34+
request (within that same session) adjacent to the user logging out,
35+
in order to retain illicit access even after a user has attempted to logout.
36+
37+
## Mitigation
38+
39+
- Update to the latest version of `rack`, or
40+
- Ensure your application invalidates sessions atomically by marking
41+
them as logged out e.g., using a `logged_out` flag, instead of
42+
deleting them, and check this flag on every request to prevent reuse, or
43+
- Implement a custom session store that tracks session invalidation
44+
timestamps and refuses to accept session data if the session was
45+
invalidated after the request began.
46+
47+
### Related
48+
49+
As this code was moved to `rack-session` in Rack 3+, see
50+
<https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj>
51+
for the equivalent advisory in `rack-session` (affecting Rack 3+ only).
52+
cvss_v3: 4.2
53+
patched_versions:
54+
- ">= 2.2.14"
55+
related:
56+
ghsa:
57+
- https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj
58+
url:
59+
- https://nvd.nist.gov/vuln/detail/CVE-2025-32441
60+
- https://github.com/rack/rack/security/advisories/GHSA-vpfw-47h7-xj4g
61+
- https://github.com/rack/rack/commit/c48e52f7c57e99e1e1bf54c8760d4f082cd1c89d
62+
- https://github.com/rack/rack/blob/v2.2.13/lib/rack/session/abstract/id.rb#L263-L270
63+
- https://github.com/advisories/GHSA-vpfw-47h7-xj4g
64+
---
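Review bot: the `url:` field (hunk line 11) points at the rack-session advisory, https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj, while `ghsa:` is vpfw-47h7-xj4g and the `related.url` list already carries https://github.com/rack/rack/security/advisories/GHSA-vpfw-47h7-xj4g; for the `rack` entry the primary `url` should be the rack advisory, with the rack-session one left under `related.ghsa` where it already sits. Two smaller points in the description: "saves is back" (hunk line 24) should read "saves it back", and the headings mix levels (`### Summary`, `### Details`, `### Impact`, `### Related`, but `## Mitigation` on hunk line 37); the rack-session copy of the same text uses `##` throughout, so align this one with it.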
Lines changed: 65 additions & 0 deletions
@@ -0,0 +1,65 @@
1+
---
2+
layout: advisory
3+
title: 'CVE-2025-46336 (rack-session): Rack session gets restored after deletion'
4+
comments: false
5+
categories:
6+
- rack-session
7+
advisory:
8+
gem: rack-session
9+
cve: 2025-46336
10+
ghsa: 9j94-67jr-4cqj
11+
url: https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj
12+
title: Rack session gets restored after deletion
13+
date: 2025-05-08
14+
description: |
15+
## Summary
16+
17+
When using the `Rack::Session::Pool` middleware, simultaneous rack
18+
requests can restore a deleted rack session, which allows the
19+
unauthenticated user to occupy that session.
20+
21+
## Details
22+
23+
[Rack session middleware](https://github.com/rack/rack-session/blob/v2.1.0/lib/rack/session/abstract/id.rb#L271-L278)
24+
prepares the session at the beginning of request, then saves is back
25+
to the store with possible changes applied by host rack application.
26+
This way the session becomes to be a subject of race conditions in
27+
general sense over concurrent rack requests.
28+
29+
## Impact
30+
31+
When using the `Rack::Session::Pool` middleware, and provided the
32+
attacker can acquire a session cookie (already a major issue), the
33+
session may be restored if the attacker can trigger a long running
34+
request (within that same session) adjacent to the user logging out,
35+
in order to retain illicit access even after a user has attempted to logout.
36+
37+
## Mitigation
38+
39+
- Update to the latest version of `rack-session`, or
40+
- Ensure your application invalidates sessions atomically by marking
41+
them as logged out e.g., using a `logged_out` flag, instead of
42+
deleting them, and check this flag on every request to prevent reuse, or
43+
- Implement a custom session store that tracks session invalidation
44+
timestamps and refuses to accept session data if the session was
45+
invalidated after the request began.
46+
47+
## Related
48+
49+
This code was previously part of `rack` in Rack < 3, see
50+
<https://github.com/rack/rack/security/advisories/GHSA-vpfw-47h7-xj4g>
51+
for the equivalent advisory in `rack` (affecting Rack < 3 only).
52+
cvss_v3: 4.2
53+
unaffected_versions:
54+
- "< 2.0.0"
55+
patched_versions:
56+
- ">= 2.1.1"
57+
related:
58+
ghsa:
59+
- https://github.com/rack/rack/security/advisories/GHSA-vpfw-47h7-xj4g
60+
url:
61+
- https://nvd.nist.gov/vuln/detail/CVE-2025-46336
62+
- https://github.com/rack/rack-session/commit/c28c4a8c1861d814e09f2ae48264ac4c40be2d3b
63+
- https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj
64+
- https://github.com/advisories/GHSA-9j94-67jr-4cqj
65+
---
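Review bot: "saves is back" (hunk line 24) should read "saves it back", and "becomes to be a subject of race conditions in general sense over concurrent rack requests" (hunk lines 26-27) would read more clearly as "becomes subject to race conditions across concurrent rack requests"; the same wording is duplicated in the rack entry for CVE-2025-32441, so either fix both copies or keep both verbatim from the upstream advisory rather than diverging. The version metadata is consistent as written: `unaffected_versions: "< 2.0.0"` together with `patched_versions: ">= 2.1.1"` flags exactly the `>= 2.0.0, < 2.1.1` range, and `related.ghsa` cross-links the rack advisory that the Related section refers to.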
Lines changed: 60 additions & 0 deletions
@@ -0,0 +1,60 @@
1+
---
2+
layout: advisory
3+
title: 'CVE-2025-46727 (rack): Rack has an Unbounded-Parameter DoS in Rack::QueryParser'
4+
comments: false
5+
categories:
6+
- rack
7+
advisory:
8+
gem: rack
9+
cve: 2025-46727
10+
ghsa: gjh7-p2fx-99vx
11+
url: https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx
12+
title: Rack has an Unbounded-Parameter DoS in Rack::QueryParser
13+
date: 2025-05-08
14+
description: |
15+
## Summary
16+
17+
`Rack::QueryParser` parses query strings and
18+
`application/x-www-form-urlencoded` bodies into Ruby data structures
19+
without imposing any limit on the number of parameters, allowing
20+
attackers to send requests with extremely large numbers of parameters.
21+
22+
## Details
23+
24+
The vulnerability arises because `Rack::QueryParser` iterates over
25+
each `&`-separated key-value pair and adds it to a Hash without
26+
enforcing an upper bound on the total number of parameters. This
27+
allows an attacker to send a single request containing hundreds of
28+
thousands (or more) of parameters, which consumes excessive memory
29+
and CPU during parsing.
30+
31+
## Impact
32+
33+
An attacker can trigger denial of service by sending specifically
34+
crafted HTTP requests, which can cause memory exhaustion or pin CPU
35+
resources, stalling or crashing the Rack server. This results in
36+
full service disruption until the affected worker is restarted.
37+
38+
## Mitigation
39+
40+
- Update to a version of Rack that limits the number of parameters parsed, or
41+
- Use middleware to enforce a maximum query string size or parameter count, or
42+
- Employ a reverse proxy (such as Nginx) to limit request sizes and
43+
reject oversized query strings or bodies.
44+
45+
Limiting request body sizes and query string lengths at the web
46+
server or CDN level is an effective mitigation.
47+
cvss_v3: 7.5
48+
patched_versions:
49+
- "~> 2.2.14"
50+
- "~> 3.0.16"
51+
- ">= 3.1.14"
52+
related:
53+
url:
54+
- https://nvd.nist.gov/vuln/detail/CVE-2025-46727
55+
- https://github.com/rack/rack/security/advisories/GHSA-gjh7-p2fx-99vx
56+
- https://github.com/rack/rack/commit/2bb5263b464b65ba4b648996a579dbd180d2b712
57+
- https://github.com/rack/rack/commit/3f5a4249118d09d199fe480466c8c6717e43b6e3
58+
- https://github.com/rack/rack/commit/cd6b70a1f2a1016b73dc906f924869f4902c2d74
59+
- https://github.com/advisories/GHSA-gjh7-p2fx-99vx
60+
---
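Review bot: the first mitigation bullet (hunk line 40), "Update to a version of Rack that limits the number of parameters parsed", leaves the reader to work out which version that is, although `patched_versions` further down already names them; state "Update to rack 2.2.14, 3.0.16 or 3.1.14, or later in the same series" in the bullet so the advisory is self-contained. The `patched_versions` constraints themselves are fine: `~> 2.2.14`, `~> 3.0.16` and `>= 3.1.14` together cover each maintained series without leaving 3.1.0 through 3.1.13 unflagged. One caveat worth adding after hunk line 46: a proxy-level cap on query-string or body size bounds the parameter count only indirectly, so it has to be sized for the memory the parser would consume at that byte count rather than for typical form size, and it does nothing for requests that reach the Rack app by a path the proxy does not filter.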
