Race Condition Vulnerability in Rack Middleware for Ruby Web Applications
CVE-2025-32441

4.2 MEDIUM

Key Information:

Vendor

Rack

Status
Vendor
CVE Published:
7 May 2025

What is CVE-2025-32441?

Rack is the modular web server interface used by Ruby web applications. Before version 2.2.14, its Rack::Session::Pool middleware could restore a session that had already been deleted, because of a race between concurrently processed requests that share the same session. The middleware reads the session from the store at the start of a request and writes it back, with any changes made by the application, at the end of the request; the session id stays the same throughout. An attacker who has already obtained a victim's session cookie can therefore start a long-running request with that cookie, wait for the victim to log out (which deletes the session from the pool), and rely on the end-of-request save to write the stale session data back, keeping access after the logout.

Upgrade to Rack 2.2.14 or later. If an immediate upgrade is not possible, either invalidate sessions by marking them as logged out (for example with a logged_out flag that is checked on every request) instead of deleting them, or use a custom session store that records invalidation timestamps and refuses to save session data that was read before the session was invalidated.
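The following is an added example written for this page, not Rack's own code: a minimal in-memory pool that mimics the read-at-start, write-at-end behaviour of Rack::Session::Pool, a replay of the request interleaving described above, and a second store that applies the invalidation-timestamp mitigation. The class names, the logical clock used in place of wall-clock time, and the request sequence are all hypothetical stand-ins.

```ruby
require 'securerandom'

# Hypothetical stand-in for Rack::Session::Pool (added example, not Rack code).
# A logical clock (@tick) replaces wall-clock time so the interleaving is
# deterministic; each read returns a snapshot plus the time it was taken.
class NaivePool
  def initialize
    @pool = {}
    @tick = 0
  end

  # Advance the logical clock and return the new time.
  def now
    @tick += 1
  end

  # Session read at request start: a copy of the stored data (nil if absent)
  # and the logical time of the read.
  def read(sid)
    data = @pool[sid]
    [data && data.dup, now]
  end

  # Session write at request end. The naive pool ignores when the data was
  # read, so it recreates a session that was deleted in the meantime.
  def write(sid, data, _read_at)
    @pool[sid] = data.dup
    true
  end

  # Logout: delete the session. Returns the logical time of the deletion.
  def delete(sid)
    @pool.delete(sid)
    now
  end

  def exists?(sid)
    @pool.key?(sid)
  end
end

# Mitigation from the advisory: remember when each session was invalidated
# and refuse to save data that was read before that moment.
class TimestampedPool < NaivePool
  def initialize
    super
    @invalidated_at = {}
  end

  def delete(sid)
    @invalidated_at[sid] = super
  end

  def write(sid, data, read_at)
    stamp = @invalidated_at[sid]
    return false if stamp && stamp > read_at # snapshot predates the logout
    super
  end
end

# Replays the interleaving from the advisory against a pool and reports
# whether the victim's session still exists afterwards.
def session_restored_after_logout?(pool)
  sid = SecureRandom.hex(16)
  pool.write(sid, { 'user_id' => 42 }, pool.now) # victim is logged in

  stale, read_at = pool.read(sid) # attacker's long-running request starts
  pool.delete(sid)                # victim logs out while it is still running
  pool.write(sid, stale, read_at) # end-of-request save of the stale snapshot
  pool.exists?(sid)
end

if __FILE__ == $PROGRAM_NAME
  puts "naive pool restores deleted session: #{session_restored_after_logout?(NaivePool.new)}"
  puts "timestamped pool restores deleted session: #{session_restored_after_logout?(TimestampedPool.new)}"
end
```

With the naive pool the stale write recreates the session and `exists?` returns true; with the timestamped pool the write is refused because the snapshot was read before the deletion, so the session stays gone. A real store would key the timestamp on the session id and persist it alongside the session data; the logged_out-flag alternative avoids the deletion entirely and instead rejects any request whose session carries the flag.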

Affected Version(s)

rack < 2.2.14

References

CVSS V3.1

Score:
4.2
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
Low
Availability:
Low
Attack Vector:
Network
Attack Complexity:
High
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
