CVE-2025-46336: Rack session gets restored after deletion
(updated )
When using the Rack::Session::Pool middleware, simultaneous rack requests can restore a deleted rack session, which allows the unauthenticated user to occupy that session.
References
- github.com/advisories/GHSA-9j94-67jr-4cqj
- github.com/rack/rack-session
- github.com/rack/rack-session/commit/c28c4a8c1861d814e09f2ae48264ac4c40be2d3b
- github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj
- github.com/rack/rack/security/advisories/GHSA-vpfw-47h7-xj4g
- github.com/rubysec/ruby-advisory-db/blob/master/gems/rack-session/CVE-2025-46336.yml
- nvd.nist.gov/vuln/detail/CVE-2025-46336
Code Behaviors & Features
Detect and mitigate CVE-2025-46336 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →