4 matches found
Rack session gets restored after deletion
Summary When using the Rack::Session::Pool middleware, simultaneous rack requests can restore a deleted rack session, which allows the unauthenticated user to occupy that session. Details Rack session middleware prepares the session at the beginning of request, then saves is back to the store wit...
GHSA-VPFW-47H7-XJ4G Rack session gets restored after deletion
Summary When using the Rack::Session::Pool middleware, simultaneous rack requests can restore a deleted rack session, which allows the unauthenticated user to occupy that session. Details Rack session middleware prepares the session at the beginning of request, then saves is back to the store wit...
CVE-2025-32441
Rack is a modular Ruby web server interface. Prior to version 2.2.14, when using the Rack::Session::Pool middleware, simultaneous rack requests can restore a deleted rack session, which allows the unauthenticated user to occupy that session. Rack session middleware prepares the session at the...
CVE-2025-32441
CVE-2025-32441 affects the Rack Ruby web server interface. Before 2.2.14, when using the Rack::Session::Pool middleware, concurrent requests can cause a deleted session to be restored, enabling an unauthenticated user to reuse that session. The exploitation scenario requires an attacker to obtain...