USN-7366-1: Rack vulnerabilities
First published: Mon Mar 24 2025(Updated: )
Nhật Thái Đỗ discovered that Rack incorrectly handled certain usernames. A remote attacker could possibly use this issue to perform CRLF injection. (CVE-2025-25184) Phạm Quang Minh discovered that Rack incorrectly handled certain headers. A remote attacker could possibly use this issue to perform log injection. (CVE-2025-27111) Phạm Quang Minh discovered that Rack did not properly handle relative file paths. A remote attacker could potentially exploit this to include local files that should have been inaccessible. (CVE-2025-27610)
| Affected Software | Affected Version | How to fix |
|---|---|---|
| All of | ||
| ubuntu/ruby-rack | <2.2.7-1.1ubuntu0.1 | 2.2.7-1.1ubuntu0.1 |
| Ubuntu | =24.10 | |
| All of | ||
| ubuntu/ruby-rack | <2.2.7-1ubuntu0.2 | 2.2.7-1ubuntu0.2 |
| Ubuntu | =24.04 | |
| All of | ||
| ubuntu/ruby-rack | <2.1.4-5ubuntu1.1+esm1 | 2.1.4-5ubuntu1.1+esm1 |
| Ubuntu | =22.04 | |
| All of | ||
| ubuntu/ruby-rack | <2.0.7-2ubuntu0.1+esm6 | 2.0.7-2ubuntu0.1+esm6 |
| Ubuntu | =20.04 | |
| All of | ||
| ubuntu/ruby-rack | <1.6.4-4ubuntu0.2+esm7 | 1.6.4-4ubuntu0.2+esm7 |
| Ubuntu | =18.04 | |
| All of | ||
| ubuntu/ruby-rack | <1.6.4-3ubuntu0.2+esm7 | 1.6.4-3ubuntu0.2+esm7 |
| Ubuntu | =16.04 | |
| All of | ||
| ubuntu/ruby-rack | <1.5.2-3+deb8u3ubuntu1~esm9 | 1.5.2-3+deb8u3ubuntu1~esm9 |
| Ubuntu | =14.04 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://ubuntu.com/security/CVE-2025-27610
- https://ubuntu.com/security/CVE-2025-27111
- https://ubuntu.com/security/CVE-2025-25184
- https://launchpad.net/ubuntu/+source/ruby-rack/2.2.7-1.1ubuntu0.1
- https://launchpad.net/ubuntu/+source/ruby-rack/2.2.7-1ubuntu0.2
- https://ubuntu.com/security/notices/USN-7366-1 (Advisory)
Child vulnerabilities
(Contains the following vulnerabilities)
Frequently Asked Questions
What is the severity of USN-7366-1?
The severity of USN-7366-1 is considered important due to the potential for CRLF injection by remote attackers.
How do I fix USN-7366-1?
To fix USN-7366-1, update the ruby-rack package to the versions specified in the advisory for your Ubuntu release.
What versions of ruby-rack are vulnerable according to USN-7366-1?
The vulnerable versions of ruby-rack include 2.2.7-1.1ubuntu0.1, 2.2.7-1ubuntu0.2, 2.1.4-5ubuntu1.1+esm1, 2.0.7-2ubuntu0.1+esm6, and earlier versions.
What impact does USN-7366-1 have on my system?
USN-7366-1 can potentially allow remote attackers to inject malicious payloads into the system through improperly handled usernames and headers.
Who discovered the vulnerability reported in USN-7366-1?
The vulnerability in USN-7366-1 was discovered by Nhật Thái Đỗ and Phạm Quang Minh.
- agent/weakness
- agent/last-modified-date
- agent/references
- agent/title
- agent/source
- agent/softwarecombine
- agent/type
- agent/description
- agent/first-publish-date
- agent/tags
- collector/usn
- source/Ubuntu
- agent/software-canonical-lookup
- agent/event
- package-manager/ubuntu
- vendor/ubuntu
- canonical/ubuntu
- version/ubuntu/24.10
- version/ubuntu/24.04
- version/ubuntu/22.04
- version/ubuntu/20.04
- version/ubuntu/18.04
- version/ubuntu/16.04
- version/ubuntu/14.04