CVE-2025-32441: Rack session gets restored after deletion
When using the Rack::Session::Pool middleware, simultaneous Rack requests can restore a deleted Rack session, which allows an unauthenticated user to occupy that session.
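The interleaving behind this advisory, as an added example that is not Rack's own code: a minimal in-memory session pool models the load-at-start / write-back-at-end cycle of a Rack::Session::Pool-style middleware, a second request deletes the session in between (a logout), and the first request's write-back resurrects it. The HardenedPool variant is an assumed mitigation for illustration, not the upstream patch.

```ruby
require 'securerandom'

# Simplified stand-in for a pool-backed session store (assumption, not Rack's code).
class VulnerablePool
  def initialize
    @pool = {}
    @mutex = Mutex.new
  end

  # New session: allocate an id and store the data under it.
  def create_session(data)
    sid = SecureRandom.hex(16)
    @mutex.synchronize { @pool[sid] = data }
    sid
  end

  # Request start: hand the request its own copy of the session hash.
  def load_session(sid)
    @mutex.synchronize { @pool[sid]&.dup }
  end

  # Request end: store the request's copy back, unconditionally.
  def write_session(sid, data)
    @mutex.synchronize { @pool[sid] = data }
    true
  end

  def delete_session(sid)
    @mutex.synchronize { @pool.delete(sid) }
  end

  def exists?(sid)
    @mutex.synchronize { @pool.key?(sid) }
  end
end

class HardenedPool < VulnerablePool
  # Assumed mitigation: refuse to write back a session that was deleted while
  # the request was running, so the concurrent delete wins over the stale copy.
  def write_session(sid, data)
    @mutex.synchronize do
      return false unless @pool.key?(sid)
      @pool[sid] = data
      true
    end
  end
end

# Deterministic replay of two "simultaneous" requests on one session id.
# Returns true if the deleted session is present again afterwards.
def session_restored_after_delete?(pool)
  sid   = pool.create_session('user_id' => 42)
  stale = pool.load_session(sid)   # request A begins, gets a copy
  pool.delete_session(sid)         # request B logs out: session deleted
  pool.write_session(sid, stale)   # request A finishes, writes its copy back
  pool.exists?(sid)
end
```

With the vulnerable pool the id that the client still holds in its cookie refers to a live session again after the logout; with the hardened pool it does not.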
References
- github.com/advisories/GHSA-vpfw-47h7-xj4g
- github.com/rack/rack
- github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj
- github.com/rack/rack/blob/v2.2.13/lib/rack/session/abstract/id.rb
- github.com/rack/rack/commit/c48e52f7c57e99e1e1bf54c8760d4f082cd1c89d
- github.com/rack/rack/security/advisories/GHSA-vpfw-47h7-xj4g
- github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-32441.yml
- nvd.nist.gov/vuln/detail/CVE-2025-32441