Bug 2365151 (CVE-2025-46336) - CVE-2025-46336 rack: Rack::Session Session Persistence Vulnerability
Summary: CVE-2025-46336 rack: Rack::Session Session Persistence Vulnerability
Keywords:
Status: NEW
Alias: CVE-2025-46336
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Product Security DevOps Team
QA Contact:
URL:
Whiteboard:
Depends On: 2365204 2365205 2365207 2365208 2365209
Blocks:
TreeView+ depends on / blocked
 
Reported: 2025-05-08 20:01 UTC by OSIDB Bzimport
Modified: 2025-08-01 08:28 UTC (History)
21 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Bugzilla 2365151 0 medium NEW CVE-2025-46336 rack: Rack::Session Session Persistence Vulnerability 2025-08-01 08:28:46 UTC

Internal Links: 2364965 2365151

Description OSIDB Bzimport 2025-05-08 20:01:14 UTC 
Rack::Session is a session management implementation for Rack. In versions starting from 2.0.0 to before 2.1.1, when using the Rack::Session::Pool middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the attacker can trigger a long running request (within that same session) adjacent to the user logging out, in order to retain illicit access even after a user has attempted to logout. This issue has been patched in version 2.1.1.
Comment 3 Vít Ondruch 2025-07-10 14:00:01 UTC 
This is a bit confusing. This would be valid against rubygem-rack-session if we had it in Fedora and the versions referenced in the original description are related to rack-session, not rack. Needed to say, rubygem-rack-session is coming to Fedora, see bug 2344660
Comment 4 Vít Ondruch 2025-07-10 14:07:18 UTC 
For the rubygem-rack, there is the same issue tracked as CVE-2025-32441 bug 2364965
Note You need to log in before you can comment on or make changes to this bug.