2365151 – (CVE-2025-46336) CVE-2025-46336 rack: Rack::Session Session Persistence Vulnerability

Bug 2365151 (CVE-2025-46336) - CVE-2025-46336 rack: Rack::Session Session Persistence Vulnerability

Summary: CVE-2025-46336 rack: Rack::Session Session Persistence Vulnerability

Keywords:
Status:	NEW
Alias:	CVE-2025-46336
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security DevOps Team
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:	2365204 2365205 2365207 2365208 2365209
Blocks:
TreeView+	depends on / blocked

Reported:	2025-05-08 20:01 UTC by OSIDB Bzimport
Modified:	2025-05-09 14:34 UTC (History)
CC List:	21 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description OSIDB Bzimport 2025-05-08 20:01:14 UTC

Rack::Session is a session management implementation for Rack. In versions starting from 2.0.0 to before 2.1.1, when using the Rack::Session::Pool middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the attacker can trigger a long running request (within that same session) adjacent to the user logging out, in order to retain illicit access even after a user has attempted to logout. This issue has been patched in version 2.1.1.

Note You need to log in before you can comment on or make changes to this bug.

akostadi
amasferr
anthomas
cbartlet
dmayorov
ehelms
ggainey
jcantril
jlledo
juwatts
mhulan
mkudlej
mmakovy
nmoumoul
osousa
pcreech
periklis
rchan
rojacob
smallamp
tjochec