CVE-2025-46336
Description
Rack::Session is a session management implementation for Rack. Versions from 2.0.0 up to, but not including, 2.1.1 are affected when the Rack::Session::Pool middleware is in use. If an attacker has already obtained a user's session cookie (itself a serious compromise), they can keep that session alive across the user's logout: a long-running request made with the same session cookie, still in flight when the user logs out, writes its copy of the session data back into the pool after logout has deleted it, so the old cookie keeps resolving to a live session and the attacker retains access the user believes has been revoked. This issue has been patched in version 2.1.1.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| rack-session (RubyGems) | >= 2.0.0, < 2.1.1 | 2.1.1 |
Patches
296663ece1596c28c4a8c1861: Don't allow session to be recreated accidentally.
3 files changed · +59 −1
lib/rack/session/pool.rb+7 −1 modified@@ -53,6 +53,7 @@ def find_session(req, sid) def write_session(req, session_id, new_session, options) @mutex.synchronize do + return false unless get_session_with_fallback(session_id) @pool.store session_id.private_id, new_session session_id end @@ -62,7 +63,12 @@ def delete_session(req, session_id, options) @mutex.synchronize do @pool.delete(session_id.public_id) @pool.delete(session_id.private_id) - generate_sid(use_mutex: false) unless options[:drop] + + unless options[:drop] + sid = generate_sid(use_mutex: false) + @pool.store(sid.private_id, {}) + sid + end end end
releases.md+4 −0 modified@@ -1,5 +1,9 @@ # Releases +## Unreleased + + - Prevent `Rack::Session::Pool` from recreating deleted sessions [CVE-2025-46336](https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj). + ## v2.1.0 - Improved compatibility with Ruby 3.3+ and Rack 3+.
test/spec_session_pool.rb+48 −0 modified@@ -288,4 +288,52 @@ res = Rack::MockRequest.new(app).get("/") res["Set-Cookie"].must_be_nil end + + user_id_session = Rack::Lint.new(lambda do |env| + session = env["rack.session"] + + case env["PATH_INFO"] + when "/login" + session[:user_id] = 1 + when "/logout" + if session[:user_id].nil? + raise "User not logged in" + end + + session.delete(:user_id) + session.options[:renew] = true + when "/slow" + Fiber.yield + end + + Rack::Response.new(session.inspect).to_a + end) + + it "doesn't allow session id to be reused" do + app = Rack::Session::Pool.new(user_id_session) + + login_response = Rack::MockRequest.new(app).get("/login") + login_cookie = login_response["Set-Cookie"] + + slow_request = Fiber.new do + Rack::MockRequest.new(app).get("/slow", "HTTP_COOKIE" => login_cookie) + end + slow_request.resume + + # Check that the session is valid: + response = Rack::MockRequest.new(app).get("/", "HTTP_COOKIE" => login_cookie) + response.body.must_equal({"user_id" => 1}.to_s) + + logout_response = Rack::MockRequest.new(app).get("/logout", "HTTP_COOKIE" => login_cookie) + logout_cookie = logout_response["Set-Cookie"] + + # Check that the session id is different after logout: + login_cookie[session_match].wont_equal logout_cookie[session_match] + + slow_response = slow_request.resume + + # Check that the cookie can't be reused: + response = Rack::MockRequest.new(app).get("/", "HTTP_COOKIE" => login_cookie) + response.body.must_equal "{}" + end end
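Review bot: in the write_session hunk of lib/rack/session/pool.rb, `return false unless get_session_with_fallback(session_id)` silently discards the data of any request whose session was deleted while it was in flight, and the only signal is the false return; the method contract should say so in a comment here (and the releases.md entry should mention that write_session can now refuse a write), because whether that false is surfaced as a warning or swallowed is decided by the caller, outside this diff. The lookup also runs with @mutex already held by the surrounding synchronize, which is only safe as long as get_session_with_fallback does not take the lock itself; a one-line comment recording that assumption would help the next reader.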
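Review bot: in the delete_session hunk, `@pool.store(sid.private_id, {})` is load-bearing and not obviously so: without it the renewed id would fail the new existence check in write_session on the very next commit, so a legitimate post-logout request could never persist its session. Tie the two hunks together with a comment such as `# Reserve the new id so write_session accepts it` so that nobody "simplifies" the store away later. Note too that the empty entry now exists even if the client never sends the new cookie back, so pool growth depends on logouts as well as on first visits; if that matters for long-running processes it belongs in the changelog.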
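Review bot: in the releases.md hunk the entry sits under `## Unreleased`, while the advisory and the affected-package table on this page both give 2.1.1 as the patched version; rename the heading to `## v2.1.1` in the release commit so the changelog and the advisory agree on which version carries the fix.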
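Review bot: in the test/spec_session_pool.rb hunk, "doesn't allow session id to be reused" proves the attacker path (the pre-logout cookie reads back `{}`) but not the legitimate one: add a request with `logout_cookie` that writes something (another `/login` hit would do) and then assert a read with the same cookie sees it, which is exactly what the `@pool.store(sid.private_id, {})` line in delete_session exists to guarantee and would otherwise be untested. `session_match` is used but not defined in this hunk, so it must come from earlier in the spec; and the `Fiber.yield` inside `/slow` deterministically models the race, which is good, but a comment stating that `slow_request.resume` is deliberately called after logout would make the intent of the ordering clear.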
Vulnerability mechanics
Rack::Session::Pool keeps sessions in an in-memory hash keyed by the session id's private id. Before 2.1.1, write_session stored whatever data a request had loaded back under its session id unconditionally, and delete_session (run on logout with renew or drop) removed the old entry and, unless :drop was set, returned a freshly generated id without storing anything under it. A request that loaded the session before logout and committed after it therefore re-inserted the old session data under the old id, so the cookie presented before logout (by the user or by an attacker holding it) kept resolving to a live session. The fix closes both halves of the race: write_session now returns false instead of storing anything unless the session id still exists in the pool, and delete_session stores an empty session under the renewed id so that the legitimate post-logout request can still be committed under the new id.
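The race above, replayed against a small in-memory store, as an added example for this page; ToyPool and simulate are written here and are not rack-session's code, and the store deliberately copies session data on load and on store to model the way Rack hands each request its own session hash. The guard_writes flag switches between the pre-2.1.1 behaviour and the two changes from the fix, and the slow request is driven by a Fiber so the interleaving is deterministic.

```ruby
require 'securerandom'

# Small stand-in for a Rack::Session::Pool-style store (constructed for this
# page, not rack-session's code). guard_writes: false reproduces the
# pre-2.1.1 behaviour; true applies the two changes from the 2.1.1 fix.
class ToyPool
  def initialize(guard_writes:)
    @pool = {}               # session id => session data
    @mutex = Mutex.new
    @guard_writes = guard_writes
  end

  # Fresh random id that is not already in the pool.
  def generate_sid
    loop do
      sid = SecureRandom.hex(16)
      return sid unless @pool.key?(sid)
    end
  end

  # Load a session by id; unknown or nil ids get a new, empty session.
  # The caller receives a copy, as a Rack request does.
  def find_session(sid)
    @mutex.synchronize do
      session = sid && @pool[sid]
      unless session
        sid, session = generate_sid, {}
        @pool[sid] = session
      end
      [sid, session.dup]
    end
  end

  # Commit data under sid. The fixed version refuses to write to an id that
  # no longer exists (e.g. because logout deleted it) and returns false.
  def write_session(sid, data)
    @mutex.synchronize do
      return false if @guard_writes && !@pool.key?(sid)
      @pool[sid] = data.dup
      sid
    end
  end

  # Logout with renew: drop the old id and hand back a fresh one. The fixed
  # version reserves the new id so write_session will accept it.
  def delete_session(sid)
    @mutex.synchronize do
      @pool.delete(sid)
      new_sid = generate_sid
      @pool[new_sid] = {} if @guard_writes
      new_sid
    end
  end

  def live?(sid)
    @mutex.synchronize { @pool.key?(sid) }
  end
end

# Login, start a slow request with the same cookie, log out (renewing the
# id), let the slow request commit, then replay the pre-logout cookie.
def simulate(pool)
  sid, session = pool.find_session(nil)
  session[:user_id] = 1
  pool.write_session(sid, session)
  stolen_cookie = sid

  # The slow request loads the session, then yields before committing.
  slow = Fiber.new do
    s, data = pool.find_session(stolen_cookie)
    Fiber.yield
    data[:slow_done] = true
    pool.write_session(s, data)
  end
  slow.resume

  # Logout with renew, as the test's /logout handler does.
  _, data = pool.find_session(stolen_cookie)
  data.delete(:user_id)
  new_cookie = pool.delete_session(stolen_cookie)
  pool.write_session(new_cookie, data)

  # The slow request finally commits its stale view of the session.
  stale_write = slow.resume

  # Attacker replays the pre-logout cookie.
  replay_sid, replay = pool.find_session(stolen_cookie)
  {
    stale_write_accepted: stale_write ? true : false,
    old_cookie_restored: replay_sid == stolen_cookie,
    replayed_user_id: replay[:user_id],
    new_cookie_live: pool.live?(new_cookie)
  }
end

if __FILE__ == $0
  p vulnerable: simulate(ToyPool.new(guard_writes: false))
  p fixed: simulate(ToyPool.new(guard_writes: true))
end
```

With guard_writes: false the stale commit is accepted, the replayed cookie resolves to the old id and still carries user_id 1; with guard_writes: true the stale commit returns false, the replay gets a fresh empty session, and the renewed id created at logout is still live, which is the property the reserved empty entry in delete_session exists to provide.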
References
- github.com/advisories/GHSA-9j94-67jr-4cqj (GHSA; advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-46336 (NVD; advisory)
- github.com/rack/rack-session/commit/c28c4a8c1861d814e09f2ae48264ac4c40be2d3b (fix commit)
- github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj (project advisory)
- github.com/rack/rack/security/advisories/GHSA-vpfw-47h7-xj4g (related rack advisory)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/rack-session/CVE-2025-46336.yml (ruby-advisory-db entry)