NVD Vulnerability Details: CVE-2025-25184 (status: Modified)
Source: security-advisories@github.com
Published At: 12 Feb, 2025 | 17:15
Updated At: 03 Nov, 2025 | 22:18

Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.11, 3.0.12, and 3.1.10, Rack::CommonLogger can be exploited by crafting input that includes newline characters to manipulate log entries. The supplied proof-of-concept demonstrates injecting malicious content into logs. When a user supplies authorization credentials via Rack::Auth::Basic and authentication succeeds, the username is stored in env['REMOTE_USER'] and later used by Rack::CommonLogger for logging. The issue occurs when a server, intentionally or not, allows accounts to be created with usernames containing CRLF and whitespace characters, or when the server simply logs every login attempt. If an attacker enters a username containing CRLF characters, the logger writes that username, CRLF included, into the log file. Attackers can break log formats or insert fraudulent entries, potentially obscuring real activity or injecting malicious data into log files. Versions 2.2.11, 3.0.12, and 3.1.10 contain a fix.
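As an added illustration of the failure mode described above (my own Ruby, not Rack's code and not the upstream fix in the referenced commit), a minimal formatter mimics the common-log line Rack::CommonLogger writes, first with env['REMOTE_USER'] copied verbatim and then with control characters escaped; the sample username, address and timestamp are constructed.

```ruby
# Minimal stand-in for the line Rack::CommonLogger writes (added example; the
# real middleware and the upstream fix are not used here).
LOG_FORMAT = %{%s - %s [%s] "%s %s" %d %s\n}
TIMESTAMP = "12/Feb/2025:17:15:00 +0000" # fixed so output is reproducible

# Constructed REMOTE_USER value as Rack::Auth::Basic would hand it to the
# logger after a successful check: a name, then CRLF, then a forged record.
INJECTED_USER = "alice\r\n10.0.0.9 - mallory [#{TIMESTAMP}] \"GET / HTTP/1.1\" 200 -"

# Vulnerable behaviour: the untrusted field is interpolated verbatim, so one
# request can yield two log lines.
def format_entry_unsafe(remote_addr, remote_user, method, path, status, length)
  LOG_FORMAT % [remote_addr, remote_user, TIMESTAMP, method, path, status, length]
end

# Hardening: replace every ASCII control character (CR, LF, TAB, NUL, ...)
# and DEL with a visible \xNN escape before the value reaches the log line.
def escape_log_field(value)
  value.to_s.gsub(/[\x00-\x1f\x7f]/) { |c| format('\x%02X', c.ord) }
end

def format_entry_safe(remote_addr, remote_user, method, path, status, length)
  LOG_FORMAT % [remote_addr, escape_log_field(remote_user), TIMESTAMP, method, path, status, length]
end

# Detection aid for existing logs: each formatted entry should contain exactly
# one line terminator; more than one means a record was injected.
def entry_line_count(entry)
  entry.lines.count
end

if __FILE__ == $0
  puts format_entry_unsafe("203.0.113.5", INJECTED_USER, "GET", "/login", 401, "-")
  puts format_entry_safe("203.0.113.5", INJECTED_USER, "GET", "/login", 401, "-")
end
```

The same escaping belongs on every request-derived field in the line (method, path, query string, forwarded address), not only REMOTE_USER.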

CISA Catalog
Not listed (Date Added: N/A; Due Date: N/A; Vulnerability Name: N/A; Required Action: N/A)
Metrics
Type: Secondary | Version: 4.0 | Base score: 5.7 | Base severity: MEDIUM
Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Type: Primary | Version: 3.1 | Base score: 6.5 | Base severity: MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
CPE Matches
rack / rack: versions before 2.2.11 (exclusive)
cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*
rack / rack: versions from 3.0.0 (inclusive) to 3.0.12 (exclusive)
cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*
rack / rack: versions from 3.1.0 (inclusive) to 3.1.10 (exclusive)
cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*
Weaknesses
CWE-93 | Type: Secondary | Source: security-advisories@github.com
CWE-117 | Type: Secondary | Source: security-advisories@github.com
References
https://github.com/rack/rack/commit/074ae244430cda05c27ca91cda699709cfb3ad8e (Source: security-advisories@github.com; Resource: Patch)
https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg (Source: security-advisories@github.com; Resource: Exploit, Vendor Advisory)
https://lists.debian.org/debian-lts-announce/2025/03/msg00016.html (Source: af854a3a-2127-422b-91ae-364da2661108; Resource: N/A)
Change History
0 changes found