GHSA-8cgq-6mh2-7j6v

Source

https://github.com/advisories/GHSA-8cgq-6mh2-7j6v

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/03/GHSA-8cgq-6mh2-7j6v/GHSA-8cgq-6mh2-7j6v.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-8cgq-6mh2-7j6v

Aliases

CVE-2025-27111

Related

Published

2025-03-04T15:27:06Z

Modified

2025-03-05T22:11:38.987939Z

Severity

6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X CVSS Calculator

Summary

Escape Sequence Injection vulnerability in Rack lead to Possible Log Injection

Details

Summary

Rack::Sendfile can be exploited by crafting input that includes newline characters to manipulate log entries.

Details

The Rack::Sendfile middleware logs unsanitized header values from the X-Sendfile-Type header. An attacker can exploit this by injecting escape sequences (such as newline characters) into the header, resulting in log injection.

Impact

This vulnerability can distort log files, obscure attack traces, and complicate security auditing.

Mitigation

Update to the latest version of Rack, or
Remove usage of Rack::Sendfile.

Database specific

{
    "nvd_published_at": "2025-03-04T16:15:40Z",
    "cwe_ids": [
        "CWE-117",
        "CWE-93"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2025-03-04T15:27:06Z"
}

References

Affected packages

RubyGems / rack

Package

Name: rack
Purl: pkg:gem/rack

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.2.12

Affected versions

0.*

0.1.0

0.2.0

0.3.0

0.4.0

0.9.0

0.9.1

1.*

1.0.0

1.0.1

1.1.0

1.1.1.pre

1.1.1

1.1.2

1.1.3

1.1.4

1.1.5

1.1.6

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.2.5

1.2.6

1.2.7

1.2.8

1.3.0.beta

1.3.0.beta2

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.3.5

1.3.6

1.3.7

1.3.8

1.3.9

1.3.10

1.4.0

1.4.1

1.4.2

1.4.3

1.4.4

1.4.5

1.4.6

1.4.7

1.5.0.beta.1

1.5.0.beta.2

1.5.0

1.5.1

1.5.2

1.5.3

1.5.4

1.5.5

1.6.0.beta

1.6.0.beta2

1.6.0

1.6.1

1.6.2

1.6.3

1.6.4

1.6.5

1.6.6

1.6.7

1.6.8

1.6.9

1.6.10

1.6.11

1.6.12

1.6.13

2.*

2.0.0.alpha

2.0.0.rc1

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.0.8

2.0.9

2.0.9.1

2.0.9.2

2.0.9.3

2.0.9.4

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.4.1

2.1.4.2

2.1.4.3

2.1.4.4

2.2.0

2.2.1

2.2.2

2.2.3

2.2.3.1

2.2.4

2.2.5

2.2.6

2.2.6.1

2.2.6.2

2.2.6.3

2.2.6.4

2.2.7

2.2.8

2.2.8.1

2.2.9

2.2.10

2.2.11

RubyGems / rack

Package

Name: rack
Purl: pkg:gem/rack

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.0

Fixed

3.0.13

Affected versions

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.4.1

3.0.4.2

3.0.5

3.0.6

3.0.6.1

3.0.7

3.0.8

3.0.9

3.0.9.1

3.0.10

3.0.11

3.0.12

RubyGems / rack

Package

Name: rack
Purl: pkg:gem/rack

Affected ranges

Type: ECOSYSTEM
Events: Introduced

3.1

Fixed

3.1.11

Affected versions

3.*

3.1.0

3.1.1

3.1.2

3.1.3

3.1.4

3.1.5

3.1.6

3.1.7

3.1.8

3.1.9

3.1.10