Source: ruby-rack
Version: 3.0.8-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>

Hi,

The following vulnerability was published for ruby-rack.

CVE-2025-25184[0]:
| Rack provides an interface for developing web applications in Ruby.
| Prior to versions 2.2.11, 3.0.12, and 3.1.10, Rack::CommonLogger can
| be exploited by crafting input that includes newline characters to
| manipulate log entries. The supplied proof-of-concept demonstrates
| injecting malicious content into logs. When a user provides the
| authorization credentials via Rack::Auth::Basic, if successful, the
| username will be put in env['REMOTE_USER'] and later be used by
| Rack::CommonLogger for logging purposes. The issue occurs when a
| server intentionally or unintentionally allows user creation with a
| username containing CRLF and whitespace characters, or the server
| just wants to log every login attempt. If an attacker enters a
| username with CRLF characters, the logger will log the malicious
| username with CRLF characters into the logfile. Attackers can break
| log formats or insert fraudulent entries, potentially obscuring real
| activity or injecting malicious data into log files. Versions
| 2.2.11, 3.0.12, and 3.1.10 contain a fix.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-25184
    https://www.cve.org/CVERecord?id=CVE-2025-25184
[1] https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg
[2] https://github.com/rack/rack/commit/074ae244430cda05c27ca91cda699709cfb3ad8e

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
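The log-injection path described in the CVE text, as an added example that is not part of the bug report and not Rack's own code: it rebuilds the Common Log Format line that Rack::CommonLogger emits from a Rack-style env hash, feeds it a REMOTE_USER (the value Rack::Auth::Basic stores on a successful login) that embeds CRLF followed by a forged record, and shows that the single log write yields two records. The `sanitize_field` escaping shown beside it is an illustrative mitigation chosen here, not the upstream patch in commit 074ae244; the env hash, the attacker username and the fixed timestamp are constructed for the example, and the rack gem is not required.

```ruby
# Added example (not Rack's code): reproduce the Common Log Format line
# Rack::CommonLogger writes and show CRLF injection through REMOTE_USER,
# beside an illustrative escaping mitigation (assumption, not the fix).

# Same format string Rack::CommonLogger uses (Apache Common Log Format).
FORMAT = %{%s - %s [%s] "%s %s%s%s %s" %d %s %0.4f\n}

# Builds one log line from a Rack-style env hash. This mirrors the shape
# of CommonLogger#log but takes the timestamp explicitly so output is
# stable, and optionally escapes the user field before formatting.
def format_log_line(env, status, length, duration, time:, sanitize: false)
  user = env['REMOTE_USER'] || '-'
  user = sanitize_field(user) if sanitize
  FORMAT % [
    env['REMOTE_ADDR'] || '-',
    user,
    time.strftime('%d/%b/%Y:%H:%M:%S %z'),
    env['REQUEST_METHOD'],
    env['SCRIPT_NAME'],
    env['PATH_INFO'],
    env['QUERY_STRING'].to_s.empty? ? '' : "?#{env['QUERY_STRING']}",
    env['SERVER_PROTOCOL'],
    status.to_i,
    length,
    duration,
  ]
end

# Illustrative mitigation (assumption, not the upstream patch): replace
# every control character, CR and LF included, with a visible escape so
# an attacker-controlled field can never terminate the current record.
def sanitize_field(value)
  value.gsub(/[[:cntrl:]]/) { |c| format('\\x%02X', c.ord) }
end

# Counts records in a log buffer; a forged entry shows up as an extra
# record that the application never produced.
def count_records(log)
  log.lines.count
end

# Constructed sample: a username that embeds CRLF plus a fake Common Log
# Format entry claiming an "admin" POST to /admin from another address.
ATTACKER_USER = "alice\r\n10.0.0.1 - admin [01/Jan/2025:00:00:00 +0000] " \
                "\"POST /admin HTTP/1.1\" 200 0 0.0010"

SAMPLE_ENV = {
  'REMOTE_ADDR' => '198.51.100.7',
  'REMOTE_USER' => ATTACKER_USER,   # what Rack::Auth::Basic sets on success
  'REQUEST_METHOD' => 'GET',
  'SCRIPT_NAME' => '',
  'PATH_INFO' => '/login',
  'QUERY_STRING' => '',
  'SERVER_PROTOCOL' => 'HTTP/1.1',
}.freeze

FIXED_TIME = Time.utc(2025, 2, 12, 10, 0, 0)

# One log write as the unpatched logger would emit it: two records.
def vulnerable_line
  format_log_line(SAMPLE_ENV, 200, '12', 0.0042, time: FIXED_TIME)
end

# The same write with the user field escaped: one record, CRLF visible.
def hardened_line
  format_log_line(SAMPLE_ENV, 200, '12', 0.0042, time: FIXED_TIME, sanitize: true)
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable (#{count_records(vulnerable_line)} records):\n#{vulnerable_line}"
  puts "hardened (#{count_records(hardened_line)} records):\n#{hardened_line}"
end
```

The forged second record begins with the attacker's chosen client address and user, so anything that parses the log by line (fail2ban-style tooling, a SIEM ingest, a grep for admin logins) attributes it to a login that never happened. Escaping is only one option; rejecting usernames with control characters at account creation, or in Rack::Auth::Basic before REMOTE_USER is set, closes the same path earlier.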