CVE-2025-25184

Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.11, 3.0.12, and 3.1.10, Rack::CommonLogger can be exploited by crafting input that includes newline characters to manipulate log entries. The supplied proof-of-concept demonstrates injecting malicious content into logs. When a user supplies authorization credentials via Rack::Auth::Basic, the username is, on success, placed in env['REMOTE_USER'] and later used by Rack::CommonLogger for logging. The issue occurs when a server intentionally or unintentionally allows creation of a user whose username contains CRLF and whitespace characters, or when the server simply wants to log every login attempt. If an attacker enters a username containing CRLF characters, the logger writes that username, CRLF characters included, into the log file. Attackers can break log formats or insert fraudulent entries, potentially obscuring real activity or injecting malicious data into log files. Versions 2.2.11, 3.0.12, and 3.1.10 contain a fix.
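To show the defensive side of the issue described above, here is an added example (not Rack's own code, and not the fix shipped in the patched versions) of a CommonLogger-style formatter that neutralizes CR, LF and other control characters in env['REMOTE_USER'] before the field reaches the log. The request env hash, the username and the helper names (sanitize_log_field, common_log_line, line_count) are constructed for this example; the line layout copies the Apache common log format that Rack::CommonLogger emits.

```ruby
# Added example, not part of Rack. It uses only the Ruby standard library;
# the Rack env hash below is constructed for the demonstration.

# Escape every C0 control character plus DEL, so that a single request can
# never produce more than one physical log record.  CR and LF become the
# visible sequences \x0D and \x0A instead of terminating the line.
def sanitize_log_field(value)
  return '-' if value.nil? || value.to_s.empty?
  value.to_s.gsub(/[\x00-\x1F\x7F]/) { |c| format('\\x%02X', c.ord) }
end

# Common log format, same layout as Rack::CommonLogger's output
# (the layout is real; this implementation is the example's own).
def common_log_line(env, status, bytes, duration, now = Time.now.utc)
  query = env['QUERY_STRING'].to_s.empty? ? '' : "?#{env['QUERY_STRING']}"
  format('%s - %s [%s] "%s %s%s %s" %d %s %0.4f',
         env['HTTP_X_FORWARDED_FOR'] || env['REMOTE_ADDR'] || '-',
         sanitize_log_field(env['REMOTE_USER']),
         now.strftime('%d/%b/%Y:%H:%M:%S %z'),
         env['REQUEST_METHOD'],
         env['PATH_INFO'],
         query,
         env['SERVER_PROTOCOL'],
         status,
         bytes.to_s,
         duration)
end

# Constructed env: a username that carries a CRLF sequence and whitespace,
# the shape of input the advisory describes.
SAMPLE_ENV = {
  'REMOTE_ADDR'     => '192.0.2.10',
  'REMOTE_USER'     => "alice\r\nsecond line",
  'REQUEST_METHOD'  => 'GET',
  'PATH_INFO'       => '/login',
  'QUERY_STRING'    => '',
  'SERVER_PROTOCOL' => 'HTTP/1.1'
}.freeze

# Detection-side check: how many physical records a piece of log text holds.
# One request should always account for exactly one.
def line_count(log_text)
  log_text.split(/\r?\n/).size
end

if __FILE__ == $PROGRAM_NAME
  line = common_log_line(SAMPLE_ENV, 200, 512, 0.0123)
  puts line
  puts "records written for one request: #{line_count(line)}"
end
```

Without the sanitizer the same env would produce two records, the second one entirely attacker-controlled. Escaping rather than stripping keeps the evidence that a control character was submitted, which is what an analyst reviewing the log wants to see; a log pipeline can additionally alert whenever the number of records written for a request differs from one.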
CVSS

No CVSS.

Configurations

No configuration.

History

14 Feb 2025, 20:15

Type: Summary

Values Removed:
  • (en) Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.11, 3.0.12, and 3.1.11, Rack::CommonLogger can be exploited by crafting input that includes newline characters to manipulate log entries. The supplied proof-of-concept demonstrates injecting malicious content into logs. When a user provides the authorization credentials via Rack::Auth::Basic, if success, the username will be put in env['REMOTE_USER'] and later be used by Rack::CommonLogger for logging purposes. The issue occurs when a server intentionally or unintentionally allows a user creation with the username contain CRLF and white space characters, or the server just want to log every login attempts. If an attacker enters a username with CRLF character, the logger will log the malicious username with CRLF characters into the logfile. Attackers can break log formats or insert fraudulent entries, potentially obscuring real activity or injecting malicious data into log files. Versions 2.2.11, 3.0.12, and 3.1.11 contain a fix.

Values Added:
  • (en) Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.11, 3.0.12, and 3.1.10, Rack::CommonLogger can be exploited by crafting input that includes newline characters to manipulate log entries. The supplied proof-of-concept demonstrates injecting malicious content into logs. When a user provides the authorization credentials via Rack::Auth::Basic, if success, the username will be put in env['REMOTE_USER'] and later be used by Rack::CommonLogger for logging purposes. The issue occurs when a server intentionally or unintentionally allows a user creation with the username contain CRLF and white space characters, or the server just want to log every login attempts. If an attacker enters a username with CRLF character, the logger will log the malicious username with CRLF characters into the logfile. Attackers can break log formats or insert fraudulent entries, potentially obscuring real activity or injecting malicious data into log files. Versions 2.2.11, 3.0.12, and 3.1.10 contain a fix.
  • (es, translated to English) Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.11, 3.0.12 and 3.1.11, Rack::CommonLogger can be exploited by creating input that includes newline characters to manipulate log entries. The supplied proof of concept demonstrates the injection of malicious content into the logs. When a user provides authorization credentials through Rack::Auth::Basic, on success the username is placed in env['REMOTE_USER'] and later used by Rack::CommonLogger for logging purposes. The problem occurs when a server intentionally or unintentionally allows the creation of a user whose username contains CRLF and whitespace characters, or when the server simply wants to log every login attempt. If an attacker enters a username with CRLF characters, the logger will write the malicious username with the CRLF characters into the log file. Attackers can break log formats or insert fraudulent entries, which could hide real activity or inject malicious data into the log files. Versions 2.2.11, 3.0.12 and 3.1.11 contain a fix.

12 Feb 2025, 17:15

Type: New CVE

Information

Published : 2025-02-12 17:15

Updated : 2025-02-14 20:15


NVD link : CVE-2025-25184

Mitre link : CVE-2025-25184

CVE.ORG link : CVE-2025-25184



Products Affected

No product.

CWE
CWE-93

Improper Neutralization of CRLF Sequences ('CRLF Injection')

CWE-117

Improper Output Neutralization for Logs