#VU111976 Race condition in Rack - CVE-2025-32441

Cybersecurity Help s.r.o.

Published: 2025-06-26

Vulnerability identifier: #VU111976

Vulnerability risk: Low

CVSSv4.0: 0.6 [CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2025-32441

CWE-ID: CWE-362

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
Rack
Web applications / Modules and components for CMS

Vendor: Rack

Description

The vulnerability allows a remote user to escalate privileges on the system.

The vulnerability exists because when using the `Rack::Session::Pool` middleware, simultaneous rack requests can restore a deleted rack session. A remote user can trigger a long running request (within that same session) adjacent to the user logging out, in order to retain illicit access even after a user has attempted to logout.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

Rack: 1.0, 1.0.0, 1.0.1, 1.1, 1.1.0, 1.1.1, 1.1.2, 1.1.3, 1.1.4, 1.1.5, 1.1.6, 1.2, 1.2.0, 1.2.1, 1.2.2, 1.2.3, 1.2.4, 1.2.5, 1.2.6, 1.2.7, 1.2.8, 1.3, 1.3.0, 1.3.1, 1.3.2, 1.3.3, 1.3.4, 1.3.5, 1.3.6, 1.3.7, 1.3.8, 1.3.9, 1.3.10, 1.4, 1.4.0, 1.4.1, 1.4.2, 1.4.3, 1.4.4, 1.4.5, 1.4.6, 1.4.7, 1.5, 1.5.0, 1.5.1, 1.5.2, 1.5.3, 1.5.4, 1.5.5, 1.6, 1.6.0, 1.6.1, 1.6.2, 1.6.3, 1.6.4, 1.6.5, 1.6.6, 1.6.7, 1.6.8, 1.6.9, 1.6.10, 1.6.11, 1.6.12, 1.6.13, 2.0, 2.0.0, 2.0.1, 2.0.2, 2.0.3, 2.0.4, 2.0.5, 2.0.6, 2.0.7, 2.0.8, 2.0.9, 2.0.9.1, 2.0.9.2, 2.0.9.3, 2.0.9.4, 2.1.0, 2.1.1, 2.1.2, 2.1.3, 2.1.4, 2.1.4.1, 2.1.4.2, 2.1.4.3, 2.1.4.4, 2.2.0, 2.2.1, 2.2.2, 2.2.3, 2.2.3.1, 2.2.4, 2.2.5, 2.2.6, 2.2.6.1, 2.2.6.2, 2.2.6.3, 2.2.6.4, 2.2.7, 2.2.8, 2.2.8.1, 2.2.9, 2.2.10, 2.2.11, 2.2.12, 2.2.13

External links
https://github.com/rack/rack/blob/v2.2.13/lib/rack/session/abstract/id.rb#L263-L270
https://github.com/rack/rack/commit/c48e52f7c57e99e1e1bf54c8760d4f082cd1c89d
https://github.com/rack/rack/security/advisories/GHSA-vpfw-47h7-xj4g

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

Latest bulletins with this vulnerability

Multiple vulnerabilities in IBM Cloud Pak for AIOps

Ubuntu update for ruby-rack

SUSE update for rubygem-rack

Race condition in Rack