
CVE-2025-25184 – Possible Log Injection in Rack::CommonLogger
https://notcve.org/view.php?id=CVE-2025-25184
12 Feb 2025 — Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.11, 3.0.12, and 3.1.11, Rack::CommonLogger can be exploited by crafting input that includes newline characters to manipulate log entries. The supplied proof-of-concept demonstrates injecting malicious content into logs. When a user provides authorization credentials via Rack::Auth::Basic and authentication succeeds, the username is stored in env['REMOTE_USER'] and later used by Rack::CommonLogger for logging purposes. The iss... • https://github.com/rack/rack/commit/074ae244430cda05c27ca91cda699709cfb3ad8e • CWE-93: Improper Neutralization of CRLF Sequences ('CRLF Injection') CWE-117: Improper Output Neutralization for Logs •

CVE-2024-39316 – Rack ReDoS Vulnerability in HTTP Accept Headers Parsing
https://notcve.org/view.php?id=CVE-2024-39316
02 Jul 2024 — Rack is a modular Ruby web server interface. Starting in version 3.1.0 and prior to version 3.1.5, a Regular Expression Denial of Service (ReDoS) vulnerability exists in the `Rack::Request::Helpers` module when parsing HTTP Accept headers. This vulnerability can be exploited by an attacker sending specially crafted `Accept-Encoding` or `Accept-Language` headers, causing the server to spend excessive time processing the request and leading to a Denial of Service (DoS). The fix for CVE-2024-26146 was not applie... • https://github.com/rack/rack/commit/412c980450ca729ee37f90a2661f166a9665e058 • CWE-1333: Inefficient Regular Expression Complexity •