VYPR
Moderate severity · NVD Advisory · Published Mar 4, 2025 · Updated Nov 3, 2025

Escape Sequence Injection vulnerability in Rack leads to Possible Log Injection

CVE-2025-27111

Description

Rack is a modular Ruby web server interface. The Rack::Sendfile middleware logs unsanitised header values from the X-Sendfile-Type header. An attacker can exploit this by injecting escape sequences (such as newline characters) into the header, resulting in log injection. This vulnerability is fixed in 2.2.12, 3.0.13, and 3.1.11.
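The mechanism described above, as an added example that is not Rack's own code: a constructed X-Sendfile-Type value containing a newline is written to a log once raw and once with control characters escaped first. The log message text, the use of the standard Logger, and the sanitiser are assumptions for illustration, not the exact change shipped in the patched Rack releases.

```ruby
require 'logger'
require 'stringio'

# Constructed attacker-controlled header value: the newline ends the genuine
# log entry and the remainder forges a second, plausible-looking entry.
FORGED_HEADER = "X-Accel-Redirect\nW, [2025-03-04] WARN -- : admin login succeeded"

# Write one log message through Logger and return what reached the log.
def write_log_line(message)
  out = StringIO.new
  Logger.new(out).warn(message)
  out.string
end

# Vulnerable pattern: the raw header value is interpolated into the message,
# so any newline or terminal escape sequence it carries lands in the log as-is.
def log_unsafe(header_value)
  write_log_line("Unknown x-sendfile variation: #{header_value}")
end

# Assumed mitigation: replace every C0 control character (NUL..US) and DEL with a
# visible \xNN escape so the value can neither break the line nor restyle it.
def sanitize_for_log(value)
  value.gsub(/[\x00-\x1f\x7f]/) { |c| format('\\x%02X', c.ord) }
end

# Hardened pattern: sanitise before interpolating.
def log_safe(header_value)
  write_log_line("Unknown x-sendfile variation: #{sanitize_for_log(header_value)}")
end

if __FILE__ == $PROGRAM_NAME
  puts "--- unsafe ---", log_unsafe(FORGED_HEADER)
  puts "--- safe ---", log_safe(FORGED_HEADER)
end
```

The unsafe call yields two log lines, the second one entirely attacker-authored; the safe call yields a single line in which the injected newline is visible as `\x0A`.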


Affected packages

Versions sourced from the GitHub Security Advisory.

Package   Ecosystem   Affected versions    Patched version
rack      RubyGems    < 2.2.12             2.2.12
rack      RubyGems    >= 3.0, < 3.0.13     3.0.13
rack      RubyGems    >= 3.1, < 3.1.11     3.1.11
