GHSA-7g2v-jj9q-g3rg

Source

https://github.com/advisories/GHSA-7g2v-jj9q-g3rg

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/02/GHSA-7g2v-jj9q-g3rg/GHSA-7g2v-jj9q-g3rg.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-7g2v-jj9q-g3rg

Aliases

CVE-2025-25184

Related

Published

2025-02-12T19:18:35Z

Modified

2025-02-18T15:12:02.261635Z

Severity

5.7 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P CVSS Calculator

Summary

Possible Log Injection in Rack::CommonLogger

Details

Summary

Rack::CommonLogger can be exploited by crafting input that includes newline characters to manipulate log entries. The supplied proof-of-concept demonstrates injecting malicious content into logs.

Details

When a user provides the authorization credentials via Rack::Auth::Basic, if success, the username will be put in env['REMOTE_USER'] and later be used by Rack::CommonLogger for logging purposes.

The issue occurs when a server intentionally or unintentionally allows a user creation with the username contain CRLF and white space characters, or the server just want to log every login attempts. If an attacker enters a username with CRLF character, the logger will log the malicious username with CRLF characters into the logfile.

Impact

Attackers can break log formats or insert fraudulent entries, potentially obscuring real activity or injecting malicious data into log files.

Mitigation

Update to the latest version of Rack.

Database specific

{
    "nvd_published_at": "2025-02-12T17:15:24Z",
    "cwe_ids": [
        "CWE-117",
        "CWE-93"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-12T19:18:35Z"
}

References

Affected packages

RubyGems / rack

Package

Name: rack
Purl: pkg:gem/rack

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.2.11

Affected versions

0.*

0.1.0

0.2.0

0.3.0

0.4.0

0.9.0

0.9.1

1.*

1.0.0

1.0.1

1.1.0

1.1.1.pre

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

1.1.6

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.2.5

1.2.6

1.2.7

1.2.8

1.3.0.beta

1.3.0.beta2

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.3.5

1.3.6

1.3.7

1.3.8

1.3.9

1.3.10

1.4.0

1.4.1

1.4.2

1.4.3

1.4.4

1.4.5

1.4.6

1.4.7

1.5.0.beta.1

1.5.0.beta.2

1.5.0

1.5.1

1.5.2

1.5.3

1.5.4

1.5.5

1.6.0.beta

1.6.0.beta2

1.6.0

1.6.1

1.6.2

1.6.3

1.6.4

1.6.5

1.6.6

1.6.7

1.6.8

1.6.9

1.6.10

1.6.11

1.6.12

1.6.13

2.*

2.0.0.alpha

2.0.0.rc1

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.0.9.1

2.0.9.2

2.0.9.3

2.0.9.4

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.4.1

2.1.4.2

2.1.4.3

2.1.4.4

2.2.0

2.2.1

2.2.2

2.2.3

2.2.3.1

2.2.4

2.2.5

2.2.6

2.2.6.1

2.2.6.2

2.2.6.3

2.2.6.4

2.2.7

2.2.8

2.2.8.1

2.2.9

2.2.10

RubyGems / rack

Package

Name: rack
Purl: pkg:gem/rack

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0

Fixed

3.0.12

Affected versions

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.4.1

3.0.4.2

3.0.5

3.0.6

3.0.6.1

3.0.7

3.0.8

3.0.9

3.0.9.1

3.0.10

3.0.11

RubyGems / rack

Package

Name: rack
Purl: pkg:gem/rack

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1

Fixed

3.1.10

Affected versions

3.*

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9