CVE-2025-27111
Published: 04 March 2025
Description
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Security Summary
CVE-2025-27111 is a log injection vulnerability in the Rack::Sendfile middleware of Rack, a modular Ruby web server interface. The middleware writes the value of the X-Sendfile-Type request header to the server log without sanitizing it, so an attacker can inject escape sequences and control characters such as newlines into the log. This affects Rack versions prior to the fixed releases 2.2.12, 3.0.13, and 3.1.11, and is classified under CWE-93 and CWE-117.
The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), making it remotely exploitable over the network with low attack complexity, no privileges, and no user interaction required. Unauthenticated attackers who can send HTTP requests to an affected Rack-based web server can include crafted payloads in the X-Sendfile-Type header, achieving log injection that compromises log integrity.
Advisories recommend upgrading to Rack 2.2.12, 3.0.13, or 3.1.11, which address the issue through commit-level fixes sanitizing the header value, as documented in GitHub commits 803aa221e8302719715e224f4476e438f2531a53, aeac570bb8080ca7b53b7f2e2f67498be7ebd30b, and b13bc6bfc7506aca3478dc5ac1c2ec6fc53f82a3, along with the Rack security advisory GHSA-8cgq-6mh2-7j6v. Debian LTS distributions have also announced mitigations in their March 2025 update.
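The following Ruby snippet is an added illustration of the defect class described above, not Rack's own code or its fix: it contrasts a log line built from an unsanitized header value with one that neutralises control characters first, and includes a small check a defender can apply to a written line. The helper names, the sanitization approach, and the sample request environment are assumptions made for this example.

```ruby
# Added example for CVE-2025-27111's defect class (untrusted header text
# written to a log). Not Rack's own code; helper names are assumptions.

# Vulnerable pattern: the header value is interpolated into the log line
# unchanged. A value containing "\n" makes one request emit several lines,
# the later ones looking like independent log entries.
def unsafe_log_line(sendfile_type)
  "Unknown x-sendfile variation: #{sendfile_type}"
end

# Hardened pattern: render every control character (0x00-0x1F, 0x7F) as a
# visible \xNN escape so the value can never break the one-line-per-event
# invariant that log parsers and analysts rely on.
def sanitize_for_log(value)
  value.to_s.gsub(/[\x00-\x1f\x7f]/) { |c| format('\\x%02X', c.ord) }
end

def safe_log_line(sendfile_type)
  "Unknown x-sendfile variation: #{sanitize_for_log(sendfile_type)}"
end

# Defender-side integrity check: a single log write that yields more than
# one physical line is evidence of an injection attempt.
def injected?(log_line)
  log_line.lines.size > 1
end

# Constructed sample environment in the shape Rack hands to middleware
# (HTTP_ prefix, upper-case, dashes to underscores); not a real capture.
SAMPLE_ENV = {
  'HTTP_X_SENDFILE_TYPE' =>
    "bogus\n127.0.0.1 - - [04/Mar/2025] \"GET /admin HTTP/1.1\" 200"
}.freeze

if __FILE__ == $PROGRAM_NAME
  header = SAMPLE_ENV['HTTP_X_SENDFILE_TYPE']
  puts unsafe_log_line(header) # two lines; the second mimics an access-log entry
  puts safe_log_line(header)   # one line; the newline appears as \x0A
end
```

Escaping rather than stripping keeps the evidence of the attempt in the log, which is usually what an incident responder wants; the `injected?` check is the kind of rule a log pipeline can apply per event to flag writes that span multiple lines.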
Details
CWE(s): CWE-93, CWE-117
Affected Products: Rack versions prior to 2.2.12, 3.0.13, and 3.1.11
MITRE ATT&CK Enterprise Techniques: Stored Data Manipulation
Why these techniques?
The log injection vulnerability directly enables insertion of arbitrary data (for example, newlines) into stored server logs, which maps to Stored Data Manipulation: the attacker alters data at rest to compromise the integrity of the log.