PT-2025-20314 · Rack+5
Stengineering0 · Published 2025-05-07 · Updated 2025-11-02 · CVE-2025-32441
CVSS v3.1: 4.2 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Rack versions prior to 2.2.14
Description: The issue affects Rack, a modular Ruby web server interface, when the Rack::Session::Pool middleware is in use. Concurrent Rack requests can restore a session that has already been deleted, allowing an unauthenticated user to occupy that session. The cause is a race condition between concurrent Rack requests. An attacker can exploit this by triggering a long-running request within the same session at the moment the user logs out, retaining illicit access even after the user has attempted to log out.
Recommendations: For versions prior to 2.2.14, ensure the application invalidates sessions atomically by marking them as logged out (for example with a logged-out flag) instead of deleting them, and check this flag on every request to prevent reuse. Alternatively, implement a custom session store that records when each session was invalidated and refuses to accept session data if the session was invalidated after the request began. Update to version 2.2.14, which contains a patch for the issue.
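The following is an added example illustrating both recommendations above; it is not Rack's own code and does not use the rack gem. It models the write-back behaviour of Rack::Session::Pool (each request works on a copy of the session hash and commits it at the end of the request) in a small in-memory store, and places beside it a hardened store that marks sessions as logged out, checks the flag on every load, and refuses a write-back from any request that began before the invalidation. All class and method names (PoolStore, InvalidatingStore, begin_request, session_restored_by_race?) are constructed for this illustration, and the race is replayed step by step in one thread so the outcome is deterministic.

```ruby
require 'monitor'
require 'securerandom'

# Constructed in-memory store modelled on Rack::Session::Pool's copy-and-write-back
# behaviour (assumption for this example; not Rack's code).
class PoolStore
  def initialize
    @pool = {}
    @lock = Monitor.new
    @clock = 0   # logical clock that orders "request began" against "logout"
  end

  def create(data)
    sid = SecureRandom.hex(16)
    @lock.synchronize { @pool[sid] = data.dup }
    sid
  end

  # Called when a request starts; the returned tick is handed to commit later.
  def begin_request
    @lock.synchronize { @clock += 1 }
  end

  # Per-request copy of the session, or nil if the session does not exist.
  def load(sid)
    @lock.synchronize { @pool[sid] && @pool[sid].dup }
  end

  # Vulnerable pattern: the request's copy is written back unconditionally,
  # so a copy taken before logout silently recreates the deleted session.
  def commit(sid, data, _request_started_at)
    @lock.synchronize { @pool[sid] = data }
    true
  end

  # Logout by deleting the entry outright (the pattern the advisory warns about).
  def logout(sid)
    @lock.synchronize do
      @clock += 1
      @pool.delete(sid)
    end
  end
end

# Hardened store implementing the recommendations: mark instead of delete,
# check the flag on every load, and reject stale write-backs.
class InvalidatingStore < PoolStore
  def initialize
    super
    @invalidated_at = {}
  end

  def load(sid)
    @lock.synchronize do
      data = @pool[sid]
      return nil if data.nil? || data['logged_out']
      data.dup
    end
  end

  def commit(sid, data, request_started_at)
    @lock.synchronize do
      since = @invalidated_at[sid]
      # Invalidated after this request began: its copy of the session is stale.
      return false if since && since > request_started_at
      return false if @pool[sid] && @pool[sid]['logged_out']
      @pool[sid] = data
      true
    end
  end

  def logout(sid)
    @lock.synchronize do
      @clock += 1
      @invalidated_at[sid] = @clock
      @pool[sid] = { 'logged_out' => true }   # mark, do not delete
    end
  end
end

# The interleaving from the advisory: a long-running request reads the session,
# the user logs out while it is in flight, and the request writes its copy back.
# Returns true if the session is still usable afterwards (it was restored).
def session_restored_by_race?(store)
  sid = store.create('user_id' => 42)          # constructed sample session
  started = store.begin_request
  copy = store.load(sid)        # long-running request takes its copy
  store.logout(sid)             # concurrent logout by the user
  copy['last_seen'] = 'late'    # request keeps working on the stale copy
  store.commit(sid, copy, started)
  !store.load(sid).nil?         # would a later request with this sid be accepted?
end

if __FILE__ == $PROGRAM_NAME
  puts "Pool-style store restored session: #{session_restored_by_race?(PoolStore.new)}"
  puts "Invalidating store restored session: #{session_restored_by_race?(InvalidatingStore.new)}"
end
```

Run with `ruby session_race.rb`: the pool-style store reports that the session was restored, the invalidating store reports that it was not. The logical clock stands in for the invalidation timestamp the advisory describes; in a real store a monotonic clock serves the same purpose, and the comparison must be made under the same lock that protects the session data so that marking and checking cannot interleave.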

Exploit

Fix

DoS

Insufficient Session Expiration

Race Condition

Time Of Check To Time Of Use

Weakness Enumeration

Related Identifiers

BDU:2025-07359
CVE-2025-32441
DLA-4357-1
GHSA-VPFW-47H7-XJ4G
OPENSUSE-SU-2025_01586-1
SUSE-SU-2025:01586-1
SUSE-SU-2025:01586-2
SUSE-SU-2025:02329-1
SUSE-SU-2025:02330-1
SUSE-SU-2025:02429-1
SUSE-SU-2025:02564-1
SUSE-SU-2025_01586-1
SUSE-SU-2025_01586-2
SUSE-SU-2025_02329-1
SUSE-SU-2025_02330-1
SUSE-SU-2025_02429-1
SUSE-SU-2025_02564-1
USN-7507-1

Affected Products

Debian
Linuxmint
Rack
Red Os
Suse
Ubuntu