Possible Log Injection in Rack::CommonLogger
Description
Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.11, 3.0.12, and 3.1.10, Rack::CommonLogger can be exploited by crafting input that includes newline characters to manipulate log entries. The supplied proof-of-concept demonstrates injecting malicious content into logs. When a user supplies credentials via Rack::Auth::Basic and authentication succeeds, the username is stored in env['REMOTE_USER'] and later written by Rack::CommonLogger into the access-log entry. The issue occurs when a server, intentionally or not, allows an account to be created with a username containing CR, LF, or other whitespace characters, or when the server simply logs every login attempt. If an attacker supplies a username containing CRLF characters, the logger writes the username, CRLF included, into the log file. Attackers can break log formats or insert fraudulent entries, potentially obscuring real activity or injecting malicious data into log files. Versions 2.2.11, 3.0.12, and 3.1.10 contain a fix.
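The following is an added example, not Rack's own code or the advisory's proof-of-concept: a minimal stand-in for the formatting step of Rack::CommonLogger that reproduces the pre-fix and post-fix escaping on a username carrying CRLF, then runs both outputs through a naive line-oriented log parser of the kind a log shipper might use. The format strings are the two from the fix commit; the request fields, the attacker-controlled username, the IP addresses and the `ENTRY_RE` parser are constructed for the example and are assumptions, not Rack code.

```ruby
# Added example, not Rack's own code: a stand-in for the formatting step of
# Rack::CommonLogger, reproducing pre-fix and post-fix behaviour on a
# username carrying CRLF. No Rack dependency, so it runs offline.

# Format strings as they appear in the fix commit. Field order is
# ip, user, time, method, script_name, path_info, query, protocol,
# status, length, duration.
FORMAT_BEFORE = %{%s - %s [%s] "%s %s%s%s %s" %d %s %0.4f\n}
FORMAT_AFTER  = %{%s - %s [%s] "%s %s%s%s %s" %d %s %0.4f }

# Constructed request fields (assumption); remote_user stands in for the
# value Rack::Auth::Basic puts in env['REMOTE_USER'].
def sample_fields(remote_user)
  ["203.0.113.10", remote_user, "09/Feb/2025:10:00:00 +0000",
   "GET", "", "/admin", "", "HTTP/1.1", 403, "12", 0.0012]
end

# Pre-fix: escape non-printable characters except newline, so an LF in any
# field terminates the entry early and whatever follows starts a new line.
def log_line_before(remote_user)
  msg = FORMAT_BEFORE % sample_fields(remote_user)
  msg.gsub!(/[^[:print:]\n]/) { |c| sprintf("\\x%x", c.ord) }
  msg
end

# Post-fix: escape newline as well, then overwrite the trailing placeholder
# space with the single newline the entry is allowed to contain.
def log_line_after(remote_user)
  msg = FORMAT_AFTER % sample_fields(remote_user)
  msg.gsub!(/[^[:print:]]/) { |c| sprintf("\\x%x", c.ord) }
  msg[-1] = "\n"
  msg
end

# Constructed attacker username (assumption): closes the real entry with
# CRLF and forges a second entry attributing a successful /admin request
# to a different IP and user.
FORGED_USER = "attacker\r\n198.51.100.7 - admin [09/Feb/2025:10:00:01 +0000] " \
              "\"GET /admin HTTP/1.1\" 200 512 0.0100"

# Prefix-anchored field extractor for a CommonLogger entry, the way a naive
# line-oriented log consumer would read it (assumption: ours, not Rack's).
ENTRY_RE = /\A(?<ip>\S+) - (?<user>\S+) \[[^\]]+\] "[^"]*" (?<status>\d{3}) /

# Return [ip, user, status] for every line that parses as an entry.
def parse_entries(log_text)
  log_text.lines.filter_map do |line|
    m = ENTRY_RE.match(line)
    [m[:ip], m[:user], m[:status]] if m
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "before fix:", log_line_before(FORGED_USER)
  puts "after fix:",  log_line_after(FORGED_USER)
  p parse_entries(log_line_before(FORGED_USER))
  p parse_entries(log_line_after(FORGED_USER))
end
```

With the pre-fix escaping the CR is rendered as `\xd` but the LF survives, so the one request produces two lines, and the only line the parser accepts is the forged `198.51.100.7 - admin ... 200` entry; the genuine entry is the one that looks broken. With the post-fix escaping the request produces exactly one line, the injected text appears as `attacker\xd\xa198.51.100.7 ...`, and the parser rejects it rather than accepting a forged entry. Note that `\xa` followed by the digit `1` in that output reads as `\xa1`: the escape sequence has no fixed width, so a consumer cannot decode it unambiguously.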
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| rack (RubyGems) | < 2.2.11 | 2.2.11 |
| rack (RubyGems) | >= 3.0, < 3.0.12 | 3.0.12 |
| rack (RubyGems) | >= 3.1, < 3.1.10 | 3.1.10 |
Affected products
Patches
074ae244430c: Escape non-printable characters when logging.
2 files changed · +9 −3
lib/rack/common_logger.rb+3 −2 modified@@ -20,7 +20,7 @@ class CommonLogger # The actual format is slightly different than the above due to the # separation of SCRIPT_NAME and PATH_INFO, and because the elapsed # time in seconds is included at the end. - FORMAT = %{%s - %s [%s] "%s %s%s%s %s" %d %s %0.4f\n} + FORMAT = %{%s - %s [%s] "%s %s%s%s %s" %d %s %0.4f } # +logger+ can be any object that supports the +write+ or +<<+ methods, # which includes the standard library Logger. These methods are called @@ -66,7 +66,8 @@ def log(env, status, response_headers, began_at) length, Utils.clock_time - began_at) - msg.gsub!(/[^[:print:]\n]/) { |c| sprintf("\\x%x", c.ord) } + msg.gsub!(/[^[:print:]]/) { |c| sprintf("\\x%x", c.ord) } + msg[-1] = "\n" logger = @logger || request.get_header(RACK_ERRORS) # Standard library logger doesn't support write but it supports << which actually
test/spec_common_logger.rb+6 −1 modified@@ -107,12 +107,17 @@ def with_mock_time(t = 0) (0..1).must_include duration.to_f end - it "escapes non printable characters except newline" do + it "escapes non printable characters including newline" do logdev = StringIO.new log = Logger.new(logdev) Rack::MockRequest.new(Rack::CommonLogger.new(app_without_lint, log)).request("GET\x1f", "/hello") logdev.string.must_match(/GET\\x1f \/hello HTTP\/1\.1/) + + Rack::MockRequest.new(Rack::CommonLogger.new(app, log)).get("/", 'REMOTE_USER' => "foo\nbar", "QUERY_STRING" => "bar\nbaz") + logdev.string[-1].must_equal "\n" + logdev.string.must_include("foo\\xabar") + logdev.string.must_include("bar\\xabaz") end it "log path with PATH_INFO" do
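Review bot: in the FORMAT hunk of lib/rack/common_logger.rb, the trailing `\n` becomes a bare trailing space with nothing at the constant, or in the "The actual format is slightly different" comment above it, saying why; a reader of FORMAT alone now sees an entry with no line terminator. Since the space exists only so that `msg[-1] = "\n"` in `log` can overwrite it after escaping, add a one-line comment beside the constant stating that the terminator is written by `log`, so the coupling between the two hunks is visible to the next person who edits either.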
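Review bot: in the `log` hunk of lib/rack/common_logger.rb, `sprintf("\\x%x", c.ord)` produces a variable-width escape with no terminator, so the escaped entry is ambiguous whenever the next character is a hex digit: a newline followed by `1` is written as `\xa1`, which a consumer will read as one escaped byte 0xa1. Use a fixed width, e.g. `sprintf("\\x%02x", c.ord)`, and note that `c.ord` on a UTF-8 string is a code point rather than a byte, so anything above 0xff needs a wider form (such as `\u{%x}`) for the output to be decodable. Separately, `msg[-1] = "\n"` silently depends on FORMAT ending in exactly one placeholder character; dropping the trailing space from FORMAT and appending with `msg << "\n"` after the `gsub!` removes that invariant.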
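Review bot: the new assertions in test/spec_common_logger.rb exercise only LF in REMOTE_USER and QUERY_STRING, while the advisory is about CRLF; add a `"foo\r\nbar"` case (expecting `foo\\xd\\xabar`) and a case where the character after the newline is a hex digit, such as `"foo\n1"`, since the expected string `foo\\xabar` shows the escape has no fixed width and that is where a regression would hide. The `must_include` checks also never verify the entry count, which is the property the fix is about; after the two requests, `logdev.string.count("\n").must_equal 2` asserts directly that each request produced one line.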
References
- github.com/advisories/GHSA-7g2v-jj9q-g3rg (GitHub advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-25184 (NVD)
- github.com/rack/rack/commit/074ae244430cda05c27ca91cda699709cfb3ad8e (fix commit)
- github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg (upstream advisory)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-25184.yml (ruby-advisory-db)
- lists.debian.org/debian-lts-announce/2025/03/msg00016.html (Debian LTS announcement)