CVE-2025-27111 - Log Injection Vulnerability in Ruby Rack Sendfile Middleware Explained
On February 27, 2025, CVE-2025-27111 was published affecting the popular Ruby library Rack, specifically its Rack::Sendfile middleware. This security vulnerability allows attackers to inject malicious escape sequences (like newline characters) into web server logs by manipulating HTTP header values. In this post, we'll break down what happened, how it works, and show an example exploit. We’ll also show you how to stay safe. Let's get started!
What Is Rack and Sendfile Middleware?
Rack is a foundational Ruby gem that acts as an interface between web servers and Ruby web apps—used by Ruby on Rails, Sinatra, and many others.
The Rack::Sendfile middleware's job is to detect when a server should use optimized file sending, signalled via special HTTP response headers like X-Sendfile-Type. To give developers insight into what’s happening, it logs the type from this header.
What’s the Vulnerability?
In affected Rack versions, when the X-Sendfile-Type header is included in a client's request, Rack::Sendfile would log the raw value of this header—without sanitizing it.
Attackers could supply a specially crafted header value containing newline characters or terminal escape sequences. When Rack logs this unsanitized value, it can corrupt log files, fake log entries, or hide attacker actions—this is known as a log injection vulnerability (CWE-117).
Technical Example (Exploit)
Here's a simplified walk-through of the exploit against a Ruby web application that uses Rack.
Suppose an attacker sends this HTTP request to your app:
GET /some-file HTTP/1.1
Host: victim.com
X-Sendfile-Type: X-Accel-Redirect
X-Sendfile-Type: evil_type
evil_header: bad
But with a twist: they craft the X-Sendfile-Type header like so (using URL encoding for unsafe bytes, %0A being a newline):
X-Sendfile-Type: legitimate_type%0AInjected-Header: injected-value
The relevant Rack code, simplified for clarity:
# Vulnerable logging in Rack::Sendfile (prior to 2.2.12/3.0.13/3.1.11)
# sendfile_type_header_value is taken straight from the client's request header
logger.info "Sendfile type: #{sendfile_type_header_value}"
Since sendfile_type_header_value comes directly from the client, any injected \n or \r is inserted into the logs.
Sample log output:
INFO -- : Sendfile type: legitimate_type
Injected-Header: injected-value
Now, the logs *appear* as if there was a header called Injected-Header: injected-value—confusing operators and log analysis tools. This could hide traces of attacks or even trick log monitoring tools.
Why Is This Bad?
- Hiding Attacker Actions: Attackers can hide malicious requests by pushing them off the page or blending them in with legitimate entries.
- Fake Admin Actions: Attackers can insert fake log entries to frame system administrators or cover their tracks.
How Is It Fixed?
The Rack team patched this in versions 2.2.12, 3.0.13, and 3.1.11. The fix was to sanitize header values before logging, stripping escape sequences and newlines.
Here's the kind of fix added:
# Fix: Remove newlines and unsafe characters before logging
clean_value = sendfile_type_header_value.gsub(/[\r\n]/, '')
logger.info "Sendfile type: #{clean_value}"
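To make the exploit section and the fix above concrete, here is an added, self-contained Ruby example (not Rack's own code) that logs a constructed header value containing a CR/LF sequence first with the vulnerable pattern and then with a hardened one. It escapes every control character rather than deleting it, so the attempt stays visible to operators, and includes a small check a log consumer can use to see how many physical records each variant produced. The constant, function and helper names are assumptions for this example.

```ruby
require 'logger'
require 'stringio'

# Constructed sample: a client-controlled X-Sendfile-Type value that smuggles
# a CR/LF plus text shaped like a second log record.
INJECTED_HEADER = "legitimate_type\r\nINFO -- : Injected-Header: injected-value"

# Vulnerable pattern (mirrors the pre-fix behaviour): the raw header value is
# interpolated into the log line, so embedded CR/LF starts a new record.
def log_unsanitized(value)
  buf = StringIO.new
  Logger.new(buf).info("Sendfile type: #{value}")
  buf.string
end

# Hardened pattern: rewrite every ASCII control character (0x00-0x1F, 0x7F)
# as a visible \xNN escape. Unlike a plain gsub-to-empty, this keeps evidence
# of the injection attempt in the log while guaranteeing a single record.
def sanitize_for_log(value)
  value.gsub(/[\x00-\x1f\x7f]/) { |c| format('\\x%02X', c.ord) }
end

def log_sanitized(value)
  buf = StringIO.new
  Logger.new(buf).info("Sendfile type: #{sanitize_for_log(value)}")
  buf.string
end

# Detection helper: flag header values that carry control characters, which
# legitimate X-Sendfile-Type values never contain.
def suspicious_header?(value)
  value.match?(/[\x00-\x1f\x7f]/)
end

# What a log consumer sees: number of physical lines written for one call.
def record_count(log_text)
  log_text.lines.count
end

if __FILE__ == $PROGRAM_NAME
  puts "unsanitized records: #{record_count(log_unsanitized(INJECTED_HEADER))}"
  puts "sanitized records:   #{record_count(log_sanitized(INJECTED_HEADER))}"
  puts "suspicious?          #{suspicious_header?(INJECTED_HEADER)}"
end
```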
Are You Affected?
- If your application uses the Rack::Sendfile middleware (directly or via Rails/Sinatra) and logs user-supplied header values, you are likely vulnerable.
References
- CVE-2025-27111 on NVD
- Rack Security Advisory & Patch
- Official Release Notes
- CWE-117: Improper Output Neutralization for Logs
Summary
CVE-2025-27111 is a log injection flaw in the Rack::Sendfile middleware that lets attackers poison logs via malicious header values. If you use Rack in your Ruby project, update immediately to a fixed version—and always sanitize logs! This is a simple but often-forgotten security rule.
Timeline
Published on: 03/04/2025 16:15:40 UTC