5.7

CVSS Score

4.0

Basic Information

CVE ID

CVE-2025-25184

GHSA ID

GHSA-7g2v-jj9q-g3rg

EPSS Score

0.51364%

CWE

CWE-93

Published

2/12/2025

Updated

2/18/2025

KEV Status

Technology

Ruby

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-25184

CVE-2025-25184: Possible Log Injection in Rack::CommonLogger

Summary

Rack::CommonLogger can be exploited by crafting input that includes newline characters to manipulate log entries. The supplied proof-of-concept demonstrates injecting malicious content into logs.

Details

When a user provides the authorization credentials via Rack::Auth::Basic, if success, the username will be put in env['REMOTE_USER'] and later be used by Rack::CommonLogger for logging purposes.

The issue occurs when a server intentionally or unintentionally allows a user creation with the username contain CRLF and white space characters, or the server just want to log every login attempts. If an attacker enters a username with CRLF character, the logger will log the malicious username with CRLF characters into the logfile.

Impact

Attackers can break log formats or insert fraudulent entries, potentially obscuring real activity or injecting malicious data into log files.

Mitigation

Update to the latest version of Rack.

(GitHub Advisory)

5.7

CVSS Score

4.0

Basic Information

CVE ID

CVE-2025-25184

GHSA ID

GHSA-7g2v-jj9q-g3rg

EPSS Score

0.51364%

CWE

CWE-93

Published

2/12/2025

Updated

2/18/2025

KEV Status

Technology

Ruby

Technical Details

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
rack	rubygems	< 2.2.11	2.2.11
rack	rubygems	>= 3.0, < 3.0.12	3.0.12
rack	rubygems	>= 3.1, < 3.1.10	3.1.10

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from Rack::CommonLogger's logging logic handling user-supplied usernames. The commit diff shows: 1) The FORMAT string's trailing newline was removed, 2) The regex in msg.gsub! was changed from excluding newlines (/[^[:print:]\n]/) to escaping all non-printables, and 3) A forced newline was appended after sanitization. This indicates the pre-patch log method failed to escape CRLF characters in user-controlled fields like REMOTE_USER, allowing log format manipulation. The test additions explicitly verify newline escaping in usernames, confirming this was the attack vector.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

## Summ*ry `R**k::*ommonLo***r` **n ** *xploit** *y *r**tin* input t**t in*lu**s n*wlin* ***r**t*rs to m*nipul*t* lo* *ntri*s. T** suppli** proo*-o*-*on**pt **monstr*t*s inj**tin* m*li*ious *ont*nt into lo*s. ## **t*ils W**n * us*r provi**s t** *u

Reasoning

T** vuln*r**ility st*ms *rom `R**k::*ommonLo***r`'s lo**in* lo*i* **n*lin* us*r-suppli** us*rn*m*s. T** *ommit *i** s*ows: *) T** *ORM*T strin*'s tr*ilin* n*wlin* w*s r*mov**, *) T** r***x in `ms*.*su*!` w*s ***n*** *rom *x*lu*in* n*wlin*s (`/[^[:pri

5.7

Basic Information

Concerned about an active attack path?

CVE-2025-25184: Possible Log Injection in Rack::CommonLogger

Summary

Details

Impact

Mitigation

5.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI