- Description
- Rack is a modular Ruby web server interface. The Rack::Sendfile middleware logs unsanitised header values from the X-Sendfile-Type header. An attacker can exploit this by injecting escape sequences (such as newline characters) into the header, resulting in log injection. This vulnerability is fixed in 2.2.12, 3.0.13, and 3.1.11.
- Source
- security-advisories@github.com
- NVD status
- Received
CVSS 4.0
- Type
- Secondary
- Base score
- 6.9
- Impact score
- -
- Exploitability score
- -
- Vector string
- CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
- Severity
- MEDIUM
- security-advisories@github.com
- CWE-93
- Hype score
- Not currently trending
Opswat, Security analysis of Rack Ruby Framework -- CVE-2025-25184, CVE-2025-27111, and CVE-2025-27610 -- https://t.co/Kfk6bRPZWf
@AndreGironda
28 Apr 2025
259 Impressions
2 Retweets
6 Likes
0 Bookmarks
0 Replies
0 Quotes
Threat Alert: Rack Ruby vulnerability could reveal secrets to attackers (CVE-2025-27610) CVE-2025-27610 CVE-2025-25184 CVE-2025-27111 Severity: ⚠️ Critical Maturity: 💢 Emerging Learn more: https://t.co/fSaNyewKqd #CyberSecurity #ThreatIntel #InfoSec (1/3)
@fletch_ai
27 Apr 2025
63 Impressions
0 Retweets
0 Likes
0 Bookmarks
1 Reply
0 Quotes
🔴 Three new security flaws (CVE-2025-27610, CVE-2025-27111, CVE-2025-25184) in the Rack Ruby web server interface which, if successfully exploited, could give unauthorized access to files, inject malware and alter logs under certain conditions. 🧉 http
@MarquisioX
26 Apr 2025
27 Impressions
0 Retweets
1 Like
0 Bookmarks
0 Replies
0 Quotes
CVE-2025-27111 Log Injection Vulnerability in Rack Middleware via X-Sendfile-Type Header https://t.co/uQUEVw1uSz
@VulmonFeeds
4 Mar 2025
15 Impressions
0 Retweets
0 Likes
0 Bookmarks
0 Replies
0 Quotes