CVE-2025-27111: Escape Sequence Injection vulnerability in Rack leads to Possible Log Injection
The Rack::Sendfile middleware writes the value of the client-supplied X-Sendfile-Type request header to the Rack error log (rack.errors) without sanitising it. A request whose header value contains newline characters or other escape sequences therefore lets an attacker forge, split or obscure log entries (log injection). The defect is limited to log integrity; it does not by itself give code execution or file access. Per the referenced advisory the issue is fixed in Rack 2.2.13, 3.0.14 and 3.1.12; the three commits listed below are the fixes on the corresponding release branches.
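The following is an added, self-contained Ruby illustration of the bug class described above; it is not Rack's own code. It models the logging pattern the advisory describes (interpolating an untrusted header value into a single error-log line) with a stand-in method, shows how a constructed X-Sendfile-Type value containing a newline produces a second, forged log entry, and contrasts it with a hardened logger that escapes control characters so every request yields exactly one log line. The method names, the `escape_escape_sequences` helper and the sample header value are all assumptions made for this example.

```ruby
require 'stringio'

# Constructed attacker-controlled header value (not from a real request).
# It closes the quoted value, ends the line, and then writes a forged entry
# that looks exactly like a legitimate warning about a different client.
ATTACKER_VALUE = "x-sendfile'.\nUnknown x-sendfile variation: 'x-accel-redirect"

# Stand-in for the vulnerable pattern: the raw header value is interpolated
# into the log line. Any "\n" in the value terminates the entry early.
def log_variation_unsafe(errors, type)
  errors.puts "Unknown x-sendfile variation: '#{type}'."
end

# Hardened variant: rewrite every control character (NUL..US and DEL, which
# covers LF, CR and ESC) as an escaped hex literal before logging. The entry
# therefore always occupies one line and ANSI escape sequences are neutralised.
def escape_escape_sequences(str)
  str.gsub(/[\x00-\x1f\x7f]/) { |c| format('\\x%02X', c.ord) }
end

def log_variation_safe(errors, type)
  errors.puts "Unknown x-sendfile variation: '#{escape_escape_sequences(type)}'."
end

# Detection helper a request-side check could use: does a header value carry
# any control character at all? Legitimate X-Sendfile-Type values never do.
def suspicious_header_value?(value)
  value.match?(/[\x00-\x1f\x7f]/)
end

# Run one simulated request through the chosen logger and return the log lines
# it produced. The env hash mimics the Rack keys involved; rack.errors is a
# StringIO so the result can be inspected offline.
def simulate(logger_method, header_value)
  env = { 'HTTP_X_SENDFILE_TYPE' => header_value, 'rack.errors' => StringIO.new }
  send(logger_method, env['rack.errors'], env['HTTP_X_SENDFILE_TYPE'])
  env['rack.errors'].string.lines.map(&:chomp)
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable logger wrote #{simulate(:log_variation_unsafe, ATTACKER_VALUE).size} line(s):"
  simulate(:log_variation_unsafe, ATTACKER_VALUE).each { |l| puts "  #{l}" }
  puts "hardened logger wrote #{simulate(:log_variation_safe, ATTACKER_VALUE).size} line(s):"
  simulate(:log_variation_safe, ATTACKER_VALUE).each { |l| puts "  #{l}" }
  puts "header flagged as suspicious: #{suspicious_header_value?(ATTACKER_VALUE)}"
end
```

The vulnerable logger emits two lines, the second of which is indistinguishable from a genuine warning; the hardened one emits a single line in which the injected newline is visible as `\x0A`. `String#inspect` is an equally valid escaping choice if quoting the value is acceptable in your log format. Escaping at the logging call is the right layer for the fix, since rejecting the header at the edge only helps deployments that have such a filter in place.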
References
- github.com/advisories/GHSA-8cgq-6mh2-7j6v
- github.com/rack/rack
- github.com/rack/rack/commit/803aa221e8302719715e224f4476e438f2531a53
- github.com/rack/rack/commit/aeac570bb8080ca7b53b7f2e2f67498be7ebd30b
- github.com/rack/rack/commit/b13bc6bfc7506aca3478dc5ac1c2ec6fc53f82a3
- github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v
- github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-27111.yml
- nvd.nist.gov/vuln/detail/CVE-2025-27111