Fluid Attacks Database

Description

Rack::Session is a session management implementation for Rack. In versions starting from 2.0.0 to before 2.1.1, when using the Rack::Session::Pool middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the attacker can trigger a long running request (within that same session) adjacent to the user logging out, in order to retain illicit access even after a user has attempted to logout. This issue has been patched in version 2.1.1.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
rubygems	rack-session	>=2.0.0 <2.1.1	2.1.1
debian 14	ruby-rack-session	>=0 <2.1.1-0.1	2.1.1-0.1
debian 13	ruby-rack-session	>=0 <2.1.1-0.1	2.1.1-0.1
rpm rhel9	pcs	-	-
rpm rhel7	pcs	-	-
rpm rhel8	pcs	-	-

Aliases

1. CVE-2025-463362. NVD-2025-463363. OSV-2025-463364. OSV-DEBIAN-2025-463365. GHSA-9j94-67jr-4cqj6. GHSA-vpfw-47h7-xj4g7. GCVE-2025-463368. SECURITY-TRACKER-CVE-2025-46336

References

1. https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj2. https://github.com/rack/rack/security/advisories/GHSA-vpfw-47h7-xj4g3. https://github.com/rack/rack-session/commit/c28c4a8c1861d814e09f2ae48264ac4c40be2d3b4. https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack-session/CVE-2025-46336.yml

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.