CVE-2025-46336

  1. OpenCVE
  2. Vulnerabilities (CVE)
  3. CVE-2025-46336
Rack::Session is a session management implementation for Rack. In versions starting from 2.0.0 to before 2.1.1, when using the Rack::Session::Pool middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the attacker can trigger a long running request (within that same session) adjacent to the user logging out, in order to retain illicit access even after a user has attempted to logout. This issue has been patched in version 2.1.1.

4.2 /10

CVSS v3 : MEDIUM

V3 Legend

Vector :

Exploitability : 1.6 / Impact : 2.5

Attack Vector NETWORK

Attack Complexity HIGH

Privileges Required LOW

User Interaction NONE

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope UNCHANGED

References
Link Resource
https://github.com/rack/rack-session/commit/c28c4a8c1861d814e09f2ae48264ac4c40be2d3b
https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj
https://github.com/rack/rack/security/advisories/GHSA-vpfw-47h7-xj4g
Configurations

No configuration.

History

12 May 2025, 17:32

Type Values Removed Values Added
Summary
  • (es) Rack::Session es una implementación de gestión de sesiones para Rack. En versiones desde la 2.0.0 hasta anteriores a la 2.1.1, al usar el middleware Rack::Session::Pool, y siempre que el atacante pueda obtener una cookie de sesión (un problema ya grave), la sesión puede restaurarse si el atacante activa una solicitud de larga duración (dentro de la misma sesión) junto al cierre de sesión del usuario, para así conservar el acceso ilícito incluso después de que el usuario haya intentado cerrar sesión. Este problema se ha corregido en la versión 2.1.1.

08 May 2025, 20:15

Type Values Removed Values Added
New CVE
Information

Published : 2025-05-08 20:15

Updated : 2025-05-12 17:32

NVD link : CVE-2025-46336

Mitre link : CVE-2025-46336

CVE.ORG link : CVE-2025-46336

JSON object : View

Products Affected

No product.

CWE
CWE-362

Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')

CWE-367

Time-of-check Time-of-use (TOCTOU) Race Condition

CWE-613

Insufficient Session Expiration