CVE-2025-46336

Name	CVE-2025-46336
Description	Rack::Session is a session management implementation for Rack. In versions starting from 2.0.0 to before 2.1.1, when using the Rack::Session::Pool middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the attacker can trigger a long running request (within that same session) adjacent to the user logging out, in order to retain illicit access even after a user has attempted to logout. This issue has been patched in version 2.1.1.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs	1104928

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
ruby-rack-session (PTS)	sid, trixie	2.1.0-1	vulnerable

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Urgency	Origin	Debian Bugs
ruby-rack-session	source	(unstable)	(unfixed)			1104928

Notes

https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj
Fixed by: https://github.com/rack/rack-session/commit/c58ad7952cc7d0649f0ea9c78d55049739c49e5a (v2.1.1)