Possible Log Injection in Rack::CommonLogger
Description
Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.11, 3.0.12, and 3.1.10, Rack::CommonLogger can be exploited by crafting input that includes newline characters to manipulate log entries; the proof of concept supplied with the advisory demonstrates injecting attacker-controlled content into the log. When a client authenticates through Rack::Auth::Basic and the credentials are accepted, the username is stored in env['REMOTE_USER'], which Rack::CommonLogger later interpolates, unescaped, into the access-log line. The issue arises when a server, intentionally or not, allows accounts whose usernames contain CR, LF or whitespace characters, or simply logs every login attempt. A username containing CRLF is then written to the log file unchanged, so an attacker can break the log format or insert fraudulent entries, obscuring real activity or planting malicious data in the log files; because CommonLogger reads env['REMOTE_USER'] regardless of which middleware set it, any other authentication layer that stores an attacker-chosen name there exposes the same path. Versions 2.2.11, 3.0.12, and 3.1.10 contain a fix (the commit is listed under References).
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| rack | RubyGems | < 2.2.11 | 2.2.11 |
| rack | RubyGems | >= 3.0, < 3.0.12 | 3.0.12 |
| rack | RubyGems | >= 3.1, < 3.1.10 | 3.1.10 |
Affected products
188 OSV package coordinates are listed, none of them with a CPE. They are grouped below by distribution and fixed version; every package in a row is affected in versions below the stated fix.

| Distribution | Packages | Affected range |
|---|---|---|
| Chainguard and Wolfi (apk) | GitLab 17.6 component packages: gitaly-config, gitlab-base, gitlab-certificates, gitlab-cfssl-self-sign-scripts, gitlab-cng, gitlab-container-registry, gitlab-container-registry-compat, gitlab-container-registry-scripts, gitlab-elasticsearch-indexer, gitlab-elasticsearch-indexer-compat, gitlab-exporter, gitlab-exporter-scripts, gitlab-geo-logcursor-scripts, gitlab-gitaly-scripts, gitlab-logger, gitlab-logger-compat, gitlab-mailroom, gitlab-mailroom-scripts, gitlab-pages-scripts, gitlab-rails-scripts, gitlab-shell, gitlab-shell-scripts, gitlab-shell-scripts-compat, gitlab-sidekiq-scripts, gitlab-toolbox-scripts, gitlab-webservice-config, gitlab-webservice-scripts, gitlab-workhorse-scripts (each suffixed `-17.6`) | < 17.6.5-r0 |
| Chainguard and Wolfi (apk) | The same GitLab component packages suffixed `-17.7` | < 17.7.4-r0 |
| Chainguard and Wolfi (apk) | gitlab-cng-17.8; Chainguard only: gitlab-rails-ee-fips-17.8, gitlab-rails-ee-assets-fips-17.8, gitlab-rails-ee-doc-fips-17.8 | < 17.8.2-r0 |
| Chainguard and Wolfi (apk) | kube-fluentd-operator, kube-fluentd-operator-compat, kube-fluentd-operator-default-config, kube-fluentd-operator-oci-entrypoint | < 1.18.2-r23 |
| Chainguard and Wolfi (apk) | logstash-8, logstash-8-bitnami-compat, logstash-8-compat, logstash-8-env2yaml, logstash-8-iamguarded-compat, logstash-8-with-output-opensearch | < 8.17.2-r1 |
| Chainguard (apk) | logstash-jre-bcfips, logstash-jre-bcfips-compat, logstash-jre-bcfips-env2yaml, logstash-jre-bcfips-with-output-opensearch | < 8.17.3-r0 |
| Chainguard and Wolfi (apk) | ruby3.2-rack, ruby3.3-rack, ruby3.4-rack | < 3.1.10-r0 |
| Chainguard and Wolfi (apk) | ruby3.2-rack-2.2, ruby3.3-rack-2.2, ruby3.4-rack-2.2, ruby4.0-rack-2.2 | < 2.2.22-r0 |
| Chainguard (apk) | ruby3.2-rails-7.1, ruby3.3-rails-7.1, ruby3.4-rails-7.1 and their `-compat` packages | < 7.1.5.1-r2 |
| Chainguard (apk) | ruby3.2-rails-7.2, ruby3.3-rails-7.2, ruby3.4-rails-7.2 and their `-compat` packages | < 7.2.2.1-r2 |
| Chainguard and Wolfi (apk) | ruby3.2-rails-8.0, ruby3.3-rails-8.0, ruby3.4-rails-8.0 and their `-compat` packages | < 8.0.1-r2 |
| RubyGems | rack | < 2.2.11 (the 3.0 and 3.1 ranges are in the Affected packages table above) |
| openSUSE Leap 15.6 (rpm) | rubygem-rack-1_6 | < 1.6.8-150000.3.3.1 |
| openSUSE Leap 15.6 (rpm) | rubygem-rack | < 2.0.8-150000.3.26.1 |
| openSUSE Tumbleweed (rpm) | rubygem-rack-2.2 | < 2.2.11-1.1 |
| openSUSE Tumbleweed (rpm) | rubygem-rack | < 3.1.12-1.1 |
| SUSE Linux Enterprise High Availability Extension 15 SP3, SP4, SP5 and SP6 (rpm) | rubygem-rack | < 2.0.8-150000.3.26.1 |
References
- github.com/advisories/GHSA-7g2v-jj9q-g3rg (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-25184 (NVD entry)
- github.com/rack/rack/commit/074ae244430cda05c27ca91cda699709cfb3ad8e (fix commit)
- github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg (vendor advisory)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-25184.yml (ruby-advisory-db entry)
- lists.debian.org/debian-lts-announce/2025/03/msg00016.html (Debian LTS announcement)