---
gem: rack-session
cve: 2025-46336
ghsa: 9j94-67jr-4cqj
url: https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj
title: Rack session gets restored after deletion
date: 2025-05-08
description: |
  ## Summary

  When using the `Rack::Session::Pool` middleware, simultaneous rack
  requests can restore a deleted rack session, which allows an
  unauthenticated user to occupy that session.

  ## Details

  [Rack session middleware](https://github.com/rack/rack-session/blob/v2.1.0/lib/rack/session/abstract/id.rb#L271-L278)
  prepares the session at the beginning of a request, then saves it back
  to the store with any changes applied by the host rack application.
  This makes the session subject to race conditions, in the general
  sense, between concurrent rack requests.

  ## Impact

  When using the `Rack::Session::Pool` middleware, and provided the
  attacker can acquire a session cookie (already a major issue), the
  session may be restored if the attacker can trigger a long-running
  request (within that same session) adjacent to the user logging out,
  in order to retain illicit access even after the user has attempted to log out.

  ## Mitigation

  - Update to the latest version of `rack-session`, or
  - Ensure your application invalidates sessions atomically by marking
    them as logged out, e.g. using a `logged_out` flag, instead of
    deleting them, and check this flag on every request to prevent reuse, or
  - Implement a custom session store that tracks session invalidation
    timestamps and refuses to accept session data if the session was
    invalidated after the request began.

  ## Related

  This code was previously part of `rack` in Rack < 3, see
  <https://github.com/rack/rack/security/advisories/GHSA-vpfw-47h7-xj4g>
  for the equivalent advisory in `rack` (affecting Rack < 3 only).
cvss_v3: 4.2
unaffected_versions:
  - "< 2.0.0"
patched_versions:
  - ">= 2.1.1"
related:
  ghsa:
    - https://github.com/rack/rack/security/advisories/GHSA-vpfw-47h7-xj4g
  url:
    - https://nvd.nist.gov/vuln/detail/CVE-2025-46336
    - https://github.com/rack/rack-session/commit/c28c4a8c1861d814e09f2ae48264ac4c40be2d3b
    - https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj
    - https://github.com/advisories/GHSA-9j94-67jr-4cqj
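The following is an added example, not code from `rack-session` or from the advisory. It models the load-then-save shape of the middleware described under "Details" with a minimal Rack-style middleware and two in-memory stores: a naive store that simply deletes on logout and always writes back (so a request that loaded the session before logout restores it afterwards), and a store that records invalidation timestamps and rejects a late write-back, which is the third mitigation listed above. All names here (`NaiveStore`, `InvalidationAwareStore`, `SessionMiddleware`, the `load`/`save`/`invalidate` methods, the `session.id` env key and the session id value) are this example's own constructions, not `rack-session` APIs.

```ruby
# Added example; not code from rack-session or the advisory. Class, method
# and env-key names are this example's own and are not rack-session APIs.
require 'monitor'

# Naive store: `invalidate` just deletes; `save` always writes. A request that
# loaded the session before logout therefore writes the stale copy back and
# silently restores the session.
class NaiveStore
  def initialize
    @sessions = {}
    @lock = Monitor.new
  end

  # Returns [session data copy, request start marker]; the naive store has
  # no notion of when the request began, so the marker is nil.
  def load(sid)
    @lock.synchronize { [(@sessions[sid] || {}).dup, nil] }
  end

  def invalidate(sid)
    @lock.synchronize { @sessions.delete(sid) }
  end

  def save(sid, data, _started_at)
    @lock.synchronize { @sessions[sid] = data }
    true
  end

  def fetch(sid)
    @lock.synchronize { @sessions[sid] }
  end
end

# Hardened store: a logical clock stamps every load and every invalidation.
# A save whose request began before the session's last invalidation is
# refused instead of resurrecting the session (advisory mitigation 3).
class InvalidationAwareStore < NaiveStore
  def initialize
    super
    @clock = 0
    @invalidated_at = {}
  end

  def load(sid)
    @lock.synchronize do
      @clock += 1
      [(@sessions[sid] || {}).dup, @clock]
    end
  end

  def invalidate(sid)
    @lock.synchronize do
      @clock += 1
      @invalidated_at[sid] = @clock
      @sessions.delete(sid)
    end
  end

  # Returns true when the write-back is accepted, false when it is rejected
  # because the session was invalidated after this request started.
  def save(sid, data, started_at)
    @lock.synchronize do
      invalidated = @invalidated_at[sid]
      return false if invalidated && started_at && invalidated > started_at
      @sessions[sid] = data
      true
    end
  end
end

# Rack-style middleware mirroring the prepare-then-save flow described in
# the advisory: load the session before the app runs, write it back after.
class SessionMiddleware
  def initialize(app, store)
    @app = app
    @store = store
  end

  def call(env)
    sid = env['session.id']          # constructed env key, not Rack's
    data, started_at = @store.load(sid)
    env['session'] = data
    status, headers, body = @app.call(env)
    saved = @store.save(sid, env['session'], started_at)
    [status, headers.merge('x-session-saved' => saved ? 'yes' : 'no'), body]
  end
end

# Deterministic replay of the interleaving from the advisory: a long-running
# request loads the session, the user logs out while it is in flight, then
# the long request completes and writes back. Returns true if the session
# still exists afterwards, i.e. it was restored after deletion.
def session_restored_after_logout?(store)
  sid = 'constructed-session-id'
  login = SessionMiddleware.new(->(env) { env['session']['user_id'] = 42; [200, {}, []] }, store)
  slow = SessionMiddleware.new(lambda { |env|
    store.invalidate(sid)            # the user's logout lands mid-request
    env['session']['last_seen'] = 'late'
    [200, {}, []]
  }, store)
  login.call('session.id' => sid)
  slow.call('session.id' => sid)
  !store.fetch(sid).nil?
end

if __FILE__ == $0
  puts "naive store restores session:    #{session_restored_after_logout?(NaiveStore.new)}"
  puts "hardened store restores session: #{session_restored_after_logout?(InvalidationAwareStore.new)}"
end
```

The hardened store still accepts writes from requests that began after the invalidation, so a fresh login following a logout works normally; only the stale write-back from the in-flight request is dropped. A real store would need the same ordering guarantee across processes (for example a compare-and-set or versioned write in the backing database) rather than an in-process monitor.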