VDB
CVE-2025-46336
CVE-2025-46336
PUBLISHED
CVSS 4.199999809265137 MEDIUM
Rack::Session is a session management implementation for Rack. In versions starting from 2.0.0 to before 2.1.1, when using the Rack::Session::Pool middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the attacker can trigger a long running request (within that same session) adjacent to the user logging out, in order to retain illicit access even after a user has attempted to logout. This issue has been patched in version 2.1.1.
EPSS 0.12% · 29.8th percentile
Risk Scores
CVSS 3.1
4.199999809265137
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
EPSS Score
0.12%
29.8th percentile
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| rack | rack-session | >= 2.0.0, < 2.1.1 |
| RubyGems | rack-session | 2.0.0 |
Exploit Intelligence
- CIRCL seen: CVE-2025-46336 (circl-sighting)
- CIRCL seen: CVE-2025-46336 (circl-sighting)
- CIRCL seen: CVE-2025-46336 (circl-sighting)
- CIRCL seen: CVE-2025-46336 (circl-sighting)
- CIRCL seen: CVE-2025-46336 (circl-sighting)
- CIRCL seen: CVE-2025-46336 (circl-sighting)
- CIRCL seen: CVE-2025-46336 (circl-sighting)
- CIRCL seen: CVE-2025-46336 (circl-sighting)
- CIRCL seen: CVE-2025-46336 (circl-sighting)
- CIRCL seen: CVE-2025-46336 (circl-sighting)
…and 15 more exploits
Timeline
- May 8, 2025 CVE Published
- May 8, 2025 PoC Published
- May 8, 2025 PoC Published
- May 9, 2025 CVE Updated
- May 9, 2025 EPSS Score
- May 9, 2025 PoC Published
- May 9, 2025 PoC Published
- May 9, 2025 PoC Published
- May 9, 2025 PoC Published
- May 9, 2025 PoC Published
- May 9, 2025 PoC Published
- May 9, 2025 PoC Published
References
- https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj url
- https://github.com/rack/rack/security/advisories/GHSA-vpfw-47h7-xj4g url
- https://github.com/rack/rack-session/commit/c28c4a8c1861d814e09f2ae48264ac4c40be2d3b url
- https://nvd.nist.gov/vuln/detail/CVE-2025-46336 advisory
- https://github.com/rack/rack-session package
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack-session/CVE-2025-46336.yml url