Medium severity4.2OSV Advisory· Published May 8, 2025· Updated Apr 15, 2026
CVE-2025-46336
CVE-2025-46336
Description
Rack::Session is a session management implementation for Rack. In versions starting from 2.0.0 to before 2.1.1, when using the Rack::Session::Pool middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the attacker can trigger a long running request (within that same session) adjacent to the user logging out, in order to retain illicit access even after a user has attempted to logout. This issue has been patched in version 2.1.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
rack-sessionRubyGems | >= 2.0.0, < 2.1.1 | 2.1.1 |
Affected products
39- Range: v2.0.0, v2.1.0
- osv-coords38 versionspkg:apk/chainguard/logstash-8pkg:apk/chainguard/logstash-8-bitnami-compatpkg:apk/chainguard/logstash-8-compatpkg:apk/chainguard/logstash-8-env2yamlpkg:apk/chainguard/logstash-8-iamguarded-compatpkg:apk/chainguard/logstash-8-with-output-opensearchpkg:apk/chainguard/ruby3.2-rails-7.1pkg:apk/chainguard/ruby3.2-rails-7.1-compatpkg:apk/chainguard/ruby3.2-rails-7.2pkg:apk/chainguard/ruby3.2-rails-7.2-compatpkg:apk/chainguard/ruby3.2-rails-8.0pkg:apk/chainguard/ruby3.2-rails-8.0-compatpkg:apk/chainguard/ruby3.3-rails-7.1pkg:apk/chainguard/ruby3.3-rails-7.1-compatpkg:apk/chainguard/ruby3.3-rails-7.2pkg:apk/chainguard/ruby3.3-rails-7.2-compatpkg:apk/chainguard/ruby3.3-rails-8.0pkg:apk/chainguard/ruby3.3-rails-8.0-compatpkg:apk/chainguard/ruby3.4-rails-7.1pkg:apk/chainguard/ruby3.4-rails-7.1-compatpkg:apk/chainguard/ruby3.4-rails-7.2pkg:apk/chainguard/ruby3.4-rails-7.2-compatpkg:apk/chainguard/ruby3.4-rails-8.0pkg:apk/chainguard/ruby3.4-rails-8.0-compatpkg:apk/wolfi/logstash-8pkg:apk/wolfi/logstash-8-bitnami-compatpkg:apk/wolfi/logstash-8-compatpkg:apk/wolfi/logstash-8-env2yamlpkg:apk/wolfi/logstash-8-iamguarded-compatpkg:apk/wolfi/logstash-8-with-output-opensearchpkg:apk/wolfi/ruby3.2-rails-8.0pkg:apk/wolfi/ruby3.2-rails-8.0-compatpkg:apk/wolfi/ruby3.3-rails-8.0pkg:apk/wolfi/ruby3.3-rails-8.0-compatpkg:apk/wolfi/ruby3.4-rails-8.0pkg:apk/wolfi/ruby3.4-rails-8.0-compatpkg:gem/rack-sessionpkg:rpm/opensuse/rubygem-rack-session&distro=openSUSE%20Tumbleweed
< 8.18.1-r1+ 37 more
- (no CPE)range: < 8.18.1-r1
- (no CPE)range: < 8.18.1-r1
- (no CPE)range: < 8.18.1-r1
- (no CPE)range: < 8.18.1-r1
- (no CPE)range: < 8.18.1-r1
- (no CPE)range: < 8.18.1-r1
- (no CPE)range: < 7.1.5.1-r7
- (no CPE)range: < 7.1.5.1-r7
- (no CPE)range: < 7.2.2.1-r7
- (no CPE)range: < 7.2.2.1-r7
- (no CPE)range: < 8.0.2-r4
- (no CPE)range: < 8.0.2-r4
- (no CPE)range: < 7.1.5.1-r7
- (no CPE)range: < 7.1.5.1-r7
- (no CPE)range: < 7.2.2.1-r7
- (no CPE)range: < 7.2.2.1-r7
- (no CPE)range: < 8.0.2-r4
- (no CPE)range: < 8.0.2-r4
- (no CPE)range: < 7.1.5.1-r7
- (no CPE)range: < 7.1.5.1-r7
- (no CPE)range: < 7.2.2.1-r7
- (no CPE)range: < 7.2.2.1-r7
- (no CPE)range: < 8.0.2-r4
- (no CPE)range: < 8.0.2-r4
- (no CPE)range: < 8.18.1-r1
- (no CPE)range: < 8.18.1-r1
- (no CPE)range: < 8.18.1-r1
- (no CPE)range: < 8.18.1-r1
- (no CPE)range: < 8.18.1-r1
- (no CPE)range: < 8.18.1-r1
- (no CPE)range: < 8.0.2-r4
- (no CPE)range: < 8.0.2-r4
- (no CPE)range: < 8.0.2-r4
- (no CPE)range: < 8.0.2-r4
- (no CPE)range: < 8.0.2-r4
- (no CPE)range: < 8.0.2-r4
- (no CPE)range: >= 2.0.0, < 2.1.1
- (no CPE)range: < 2.1.1-1.1
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-9j94-67jr-4cqjghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2025-46336ghsaADVISORY
- github.com/rack/rack-session/commit/c28c4a8c1861d814e09f2ae48264ac4c40be2d3bnvdWEB
- github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqjnvdWEB
- github.com/rack/rack/security/advisories/GHSA-vpfw-47h7-xj4gnvdWEB
- github.com/rubysec/ruby-advisory-db/blob/master/gems/rack-session/CVE-2025-46336.ymlghsaWEB
News mentions
0No linked articles in our index yet.