CVE-2025-32441

Name: CVE-2025-32441
Description: Rack is a modular Ruby web server interface. Prior to version 2.2.14, ...
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-4357-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package     Release               Version             Status
ruby-rack (PTS)    bullseye              2.1.4-3+deb11u2     vulnerable
                   bullseye (security)   2.1.4-3+deb11u5     fixed
                   bookworm              2.2.20-0+deb12u1    fixed
                   bookworm (security)   2.2.22-0+deb12u1    fixed
                   trixie                3.1.18-1~deb13u1    fixed
                   trixie (security)     3.1.20-0+deb13u1    fixed
                   forky, sid            3.2.6-2             fixed

The information below is based on the following data on fixed versions.

Package     Type     Release      Fixed Version      Urgency   Origin       Debian Bugs
ruby-rack   source   bullseye     2.1.4-3+deb11u4              DLA-4357-1
ruby-rack   source   bookworm     2.2.20-0+deb12u1
ruby-rack   source   (unstable)   3.0.8-2

Notes

https://github.com/rack/rack/security/advisories/GHSA-vpfw-47h7-xj4g
Fixed by: https://github.com/rack/rack/commit/c48e52f7c57e99e1e1bf54c8760d4f082cd1c89d (2.2.14)
The related code was moved to rack-session in 3.0.0.beta1, so 3.0.8-2 is marked as the first
version in unstable addressing the issue. The ruby-rack-session issue has its own CVE (CVE-2025-46336).
