Possible log Injection in `Rack::Sendfile`

Moderate
ioquatix published GHSA-8cgq-6mh2-7j6v Mar 4, 2025

Package

bundler rack (RubyGems)

Affected versions

< 2.2.12
>= 3.0, < 3.0.13
>= 3.1, < 3.1.11

Patched versions

2.2.12
3.0.13
3.1.11

Description

Summary

Rack::Sendfile can be exploited by crafting input that includes newline characters to manipulate log entries.

Details

The Rack::Sendfile middleware logs the unsanitized value of the X-Sendfile-Type request header. An attacker can exploit this by injecting control characters (such as newline characters) into the header, resulting in log injection.
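The following Ruby snippet is an added example and is not Rack's own code: a minimal middleware-style logger that records an unrecognized X-Sendfile-Type value, shown first in the naive form that reproduces the problem described above (the raw header value is interpolated into the log message) and then in a hardened form that neutralizes CR, LF and other control characters before the value reaches the log. The logger setup, the header value and the helper names are constructed for illustration.

```ruby
# Added example, not Rack's own code: log injection through a header value,
# and the neutralization step that prevents it.
require 'logger'
require 'stringio'

# Readable escapes for the most common line-control characters; anything else
# in the C0 range (and DEL) is rendered as \xNN.
LOG_ESCAPES = { "\n" => '\n', "\r" => '\r', "\t" => '\t' }.freeze

# Neutralize a value before it is written to a log: after this, the value can
# never terminate the current record or start a forged one (CWE-117 fix).
def neutralize_for_log(value)
  value.to_s.gsub(/[\x00-\x1f\x7f]/) do |c|
    LOG_ESCAPES.fetch(c) { format('\x%02X', c.ord) }
  end
end

# Build a Logger writing to the given IO with a one-line-per-record format,
# so the effect of a newline inside a message is directly visible.
def build_logger(io)
  logger = Logger.new(io)
  logger.formatter = proc { |severity, _time, _prog, msg| "#{severity}: #{msg}\n" }
  logger
end

# Naive behaviour (the flaw): the raw header value goes straight into the log.
def log_unknown_variation_naive(logger, header_value)
  logger.warn("Unknown x-sendfile variation: '#{header_value}'.")
end

# Hardened behaviour: the header value is neutralized first.
def log_unknown_variation_safe(logger, header_value)
  logger.warn("Unknown x-sendfile variation: '#{neutralize_for_log(header_value)}'.")
end

# Run one header value through the chosen logging function and return the
# resulting log records (one element per physical line in the log).
def log_records_for(header_value, safe:)
  io = StringIO.new
  logger = build_logger(io)
  if safe
    log_unknown_variation_safe(logger, header_value)
  else
    log_unknown_variation_naive(logger, header_value)
  end
  io.string.lines.map(&:chomp)
end

# Constructed header value: an unknown variation followed by a newline and text
# shaped like a second log record. The naive logger writes two records; the
# hardened logger writes one, with the newline visible as "\n".
CRAFTED_HEADER = "bogus\nINFO: some unrelated event".freeze

if $PROGRAM_NAME == __FILE__
  puts 'naive logging:'
  log_records_for(CRAFTED_HEADER, safe: false).each { |line| puts "  #{line}" }
  puts 'hardened logging:'
  log_records_for(CRAFTED_HEADER, safe: true).each { |line| puts "  #{line}" }
end
```

The hardened path is the general defence for this weakness class: any request-controlled value that is interpolated into a log message should pass through a neutralization step like `neutralize_for_log` (or a structured logger that escapes fields itself), regardless of which middleware does the logging. For Rack itself, the mitigation remains the one stated below: upgrade to a patched version or drop Rack::Sendfile.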

Impact

This vulnerability can distort log files, obscure attack traces, and complicate security auditing.

Mitigation

  • Update to the latest version of Rack, or
  • Remove usage of Rack::Sendfile.

Severity

Moderate

CVE ID

CVE-2025-27111

Weaknesses

Improper Neutralization of CRLF Sequences ('CRLF Injection')

The product uses CRLF (carriage return line feed) sequences as a special element, e.g. to separate lines or records, but it does not neutralize or incorrectly neutralizes CRLF sequences from inputs.

Improper Output Neutralization for Logs

The product does not neutralize or incorrectly neutralizes output that is written to logs.

Credits