Rack, the modular Ruby web server interface that Rails, Sinatra and other Ruby frameworks build on, has a log injection vulnerability (CVE-2025-25184) in versions prior to 2.2.11, 3.0.12, and 3.1.10. Rack::CommonLogger writes the authenticated username into its access log without escaping it, so an attacker who can get newline characters into that username can inject content into the log. This can lead to log tampering, log format breakage, or injection of fraudulent entries, compromising the integrity of the log files. Patches for this vulnerability have been released in versions 2.2.11, 3.0.12, and 3.1.10 of the framework.

Background

Rack is a widely used, low-level Ruby library that provides a minimal interface between web servers and Ruby web applications. Rack::CommonLogger, one of its bundled middlewares, writes an Apache-style access log line for each request. It includes the value of env['REMOTE_USER'] in that line without escaping it, so an attacker who can register or present a username containing newline characters can break the log entry across several lines and append entries of their own choosing, tampering with the log or injecting misleading records.

Exploit Details

When a client authenticates through Rack::Auth::Basic and the credentials are accepted, the username is stored in env['REMOTE_USER'], which Rack::CommonLogger later writes into the access log. The problem arises when the application allows usernames containing CRLF characters and whitespace (for example, at account creation), or when it logs every login attempt regardless of outcome. In either case the logger writes the username verbatim, CRLF sequences included, so the attacker decides where the log entry ends and what the following lines say.

A crafted username for the attack might look like this:

victim_username\r\n[Attacker] Logged in successfully\r\n[Attacker] Performed malicious actions

When Rack::CommonLogger writes this value, the two injected lines are recorded as separate entries and appear to be part of the legitimate user's activity, which can mask what the attacker actually did or plant misleading data for anyone, or any tool, that reads the log.
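The following is an added example, not code from Rack or from the advisory: a pure-Ruby stand-in for the line Rack::CommonLogger writes, with the Common Log Format assumed to be `remote_addr - remote_user [time] "method path proto" status length duration`. It shows the crafted username splitting one request into three log lines, an escaping variant that keeps the request on one line, and a shape check that flags the lines such an injection leaves behind. SAMPLE_ENV, the timestamp and the sample log are constructed data.

```ruby
# Added example (not Rack's own code). The CLF layout below is an assumption
# modelled on what Rack::CommonLogger writes; SAMPLE_ENV and sample_log are
# constructed data, not captured from a real server.

CLF_FORMAT = %{%s - %s [%s] "%s %s%s %s" %d %s %0.4f\n}

# Pre-fix behaviour: REMOTE_USER and the request path are interpolated verbatim.
def vulnerable_log_line(env, status, length, duration)
  query = env["QUERY_STRING"].to_s
  format(CLF_FORMAT,
         env["REMOTE_ADDR"] || "-",
         env["REMOTE_USER"] || "-",
         env["LOG_TIME"],
         env["REQUEST_METHOD"],
         env["PATH_INFO"],
         query.empty? ? "" : "?#{query}",
         env["SERVER_PROTOCOL"],
         status, length, duration)
end

# Hardened variant: CR and LF in attacker-influenced fields are rewritten as the
# visible escapes \r and \n before interpolation, so one request is always one line.
def sanitize_log_field(value)
  value.to_s.gsub(/[\r\n]/) { |c| c == "\r" ? "\\r" : "\\n" }
end

def hardened_log_line(env, status, length, duration)
  safe = env.merge(
    "REMOTE_USER"  => sanitize_log_field(env["REMOTE_USER"] || "-"),
    "PATH_INFO"    => sanitize_log_field(env["PATH_INFO"]),
    "QUERY_STRING" => sanitize_log_field(env["QUERY_STRING"])
  )
  vulnerable_log_line(safe, status, length, duration)
end

# The crafted username quoted in the advisory text.
CRAFTED_USER = "victim_username\r\n[Attacker] Logged in successfully\r\n[Attacker] Performed malicious actions"

# Constructed request environment.
SAMPLE_ENV = {
  "REMOTE_ADDR"     => "203.0.113.5",
  "REMOTE_USER"     => CRAFTED_USER,
  "LOG_TIME"        => "12/Feb/2025:17:15:24 +0000",
  "REQUEST_METHOD"  => "GET",
  "PATH_INFO"       => "/account",
  "QUERY_STRING"    => "",
  "SERVER_PROTOCOL" => "HTTP/1.1"
}

# How many physical lines one logged request occupies.
def log_entry_lines(entry)
  entry.split(/\r?\n/)
end

# Constructed log: two ordinary entries for "alice" followed by the poisoned one.
def sample_log
  alice = SAMPLE_ENV.merge("REMOTE_USER" => "alice")
  vulnerable_log_line(alice, 200, "512", 0.0123) +
    vulnerable_log_line(alice.merge("PATH_INFO" => "/logout"), 302, "-", 0.0020) +
    vulnerable_log_line(SAMPLE_ENV, 200, "512", 0.0123)
end

# Shape of a well-formed entry as written by CLF_FORMAT. Lines that fail it are
# either injected text or the tail of a split entry; both point at a poisoned field.
CLF_LINE = /\A\S+ - .+? \[[^\]]+\] "[A-Z]+ \S+ HTTP\/\d\.\d" \d{3} \S+ \d+\.\d{4}\z/

def malformed_entries(log_text)
  log_text.split(/\r?\n/).reject { |line| line.match?(CLF_LINE) }
end

if __FILE__ == $PROGRAM_NAME
  puts "--- unescaped entry (#{log_entry_lines(vulnerable_log_line(SAMPLE_ENV, 200, "512", 0.0123)).size} lines)"
  print vulnerable_log_line(SAMPLE_ENV, 200, "512", 0.0123)
  puts "--- escaped entry"
  print hardened_log_line(SAMPLE_ENV, 200, "512", 0.0123)
  puts "--- lines in the sample log that do not have the CLF shape"
  puts malformed_entries(sample_log)
end
```

The shape check is a heuristic for triage, not proof of integrity: it only catches injected lines that fail to imitate the log format, and an attacker who knows the format can craft lines that pass it. The escaping side is what removes the problem, which is why the fix belongs in the logger rather than in the consumer of the log.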

Original references

- GitHub Commit (2.2.x)
- GitHub Commit (3.0.x)
- GitHub Commit (3.1.x)

Mitigation

Developers using Rack should update to versions 2.2.11, 3.0.12, or 3.1.10, which contain the fix for this vulnerability. Independently of the upgrade, applications should reject usernames containing newline characters and whitespace both at account creation and at login, and should apply strict validation or escaping to any user-controlled value that ends up in a log line, since the same injection technique works against any logger that writes untrusted fields verbatim.
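The block below is an added example, not code from Rack: a Rack-style middleware that parses the Basic Authorization header the way the text describes Rack::Auth::Basic doing it (base64, then everything before the first colon is the username), and rejects usernames carrying CR, LF or any other control character before the request reaches the authenticator, so env['REMOTE_USER'] can never hold such a value. The ECHO_APP stand-in and the requests run through it are constructed; nothing here depends on the rack gem.

```ruby
# Added example (not Rack's own code). BasicCredentials.username is assumed to
# mirror Rack::Auth::Basic's parsing; ECHO_APP and the requests are constructed.

module BasicCredentials
  # Username from a "Basic <base64>" header, or nil when the header is absent
  # or uses another scheme.
  def self.username(header)
    return nil unless header
    scheme, encoded = header.split(" ", 2)
    return nil unless scheme && encoded && scheme.casecmp?("basic")
    encoded.unpack1("m").split(":", 2).first
  end
end

# Middleware: sits in front of the authenticator and refuses any username that
# contains a control character (CR, LF, TAB, NUL, DEL, ...).
class RejectControlCharsInUsername
  CONTROL_CHARS = /[\x00-\x1f\x7f]/

  def initialize(app)
    @app = app
  end

  def call(env)
    username = BasicCredentials.username(env["HTTP_AUTHORIZATION"])
    if username && username.match?(CONTROL_CHARS)
      return [400, { "content-type" => "text/plain" }, ["invalid username\n"]]
    end
    @app.call(env)
  end
end

# Constructed stand-in for authenticator plus application: it accepts any
# credentials, stores the username in REMOTE_USER and echoes it. In a real stack
# this is the point from which the value flows on to Rack::CommonLogger.
ECHO_APP = lambda do |env|
  env["REMOTE_USER"] = BasicCredentials.username(env["HTTP_AUTHORIZATION"])
  [200, { "content-type" => "text/plain" }, ["hello #{env['REMOTE_USER']}\n"]]
end

STACK = RejectControlCharsInUsername.new(ECHO_APP)

def basic_header(user, password)
  "Basic " + ["#{user}:#{password}"].pack("m0")
end

# Runs one constructed request through the stack and returns
# [status, value of REMOTE_USER as seen by the application].
def request_as(user, password)
  env = {
    "REQUEST_METHOD"     => "GET",
    "PATH_INFO"          => "/account",
    "HTTP_AUTHORIZATION" => basic_header(user, password)
  }
  status, _headers, _body = STACK.call(env)
  [status, env["REMOTE_USER"]]
end

if __FILE__ == $PROGRAM_NAME
  p request_as("alice", "s3cret")
  p request_as("victim_username\r\n[Attacker] Logged in successfully", "x")
end
```

Rejecting control characters is the minimum; the advisory also mentions whitespace, and an allow-list (for example, letters, digits, dot, underscore and hyphen) is the safer shape for a username policy. This check complements the Rack upgrade rather than replacing it, because the logger, not the application, is where the escaping has to happen for every field.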

Conclusion

CVE-2025-25184 is a log injection vulnerability in Ruby web applications running on unpatched versions of Rack. By crafting a username containing newline characters, an attacker can tamper with log files and inject fraudulent entries, breaking the log format and obscuring real user activity. Users are urged to update to the patched versions of the framework to close the issue.

Timeline

Published on: 02/12/2025 17:15:24 UTC
Last modified on: 02/14/2025 20:15:34 UTC