CVE-2025-46336

NameCVE-2025-46336
DescriptionRack::Session is a session management implementation for Rack. In versions starting from 2.0.0 to before 2.1.1, when using the Rack::Session::Pool middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the attacker can trigger a long running request (within that same session) adjacent to the user logging out, in order to retain illicit access even after a user has attempted to logout. This issue has been patched in version 2.1.1.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1104928

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
ruby-rack-session (PTS)sid, trixie2.1.0-1vulnerable

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
ruby-rack-sessionsource(unstable)(unfixed)1104928

Notes

https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj
Fixed by: https://github.com/rack/rack-session/commit/c58ad7952cc7d0649f0ea9c78d55049739c49e5a (v2.1.1)

Search for package or bug name: Reporting problems