PT-2025-20398 · Unknown · Rack::Session

Stengineering0 · Published 2025-05-08 · Updated 2026-03-13 · CVE-2025-46336

CVSS v3.1: 4.2 (Medium)
Vector: AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions: Rack::Session versions 2.0.0 through 2.1.0
Description: The issue concerns the Rack::Session::Pool middleware, where concurrent requests can restore a session that has already been deleted, allowing an unauthenticated user to occupy that session. If an attacker can acquire a session cookie and trigger a long-running request that overlaps with the user's logout, the attacker may retain illicit access even after the user has attempted to log out.
Recommendations
  • Update to version 2.1.1 or later.
  • Ensure your application invalidates sessions atomically by marking them as logged out (for example with a logged-out flag) instead of deleting them, and check this flag on every request to prevent reuse.
  • Implement a custom session store that tracks session invalidation timestamps and refuses to accept session data if the session was invalidated after the request began.
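The second and third recommendations combined, as an added example that is not Rack::Session's own code: a minimal in-memory store whose logout path flags the session instead of deleting it, and whose write-back path refuses data from a request that started before the logout. Method names are hypothetical, and a logical tick counter stands in for the invalidation timestamps so the behaviour is deterministic.

```ruby
require 'monitor'
require 'securerandom'

# Added example, not Rack::Session's own code: an in-memory session store
# that closes the race above. Logout records an invalidation mark instead of
# deleting the entry, and a request that read the session before logout is
# refused when it writes the session back. A logical tick counter stands in
# for wall-clock timestamps so the behaviour is deterministic.
class InvalidatingSessionStore
  include MonitorMixin

  def initialize
    super()
    @sessions = {}     # sid => session data
    @invalidated = {}  # sid => tick at which the session was logged out
    @tick = 0
  end

  # Start a request; returns [sid, data, tick_at_start]. An invalidated id is
  # never reused: the caller gets a fresh id with empty data instead.
  def begin_request(sid)
    synchronize do
      @tick += 1
      return [SecureRandom.hex(16), {}, @tick] if @invalidated.key?(sid)
      [sid, (@sessions[sid] || {}).dup, @tick]
    end
  end

  # Logout: flag the session as logged out rather than deleting it, so a
  # concurrent request cannot silently recreate it.
  def invalidate(sid)
    synchronize do
      @tick += 1
      @sessions.delete(sid)
      @invalidated[sid] = @tick
    end
  end

  # End of request: refuse to persist data for a session invalidated at or
  # after the tick this request began; otherwise store it.
  def commit(sid, data, started_at)
    synchronize do
      inv = @invalidated[sid]
      return false if inv && inv >= started_at
      @sessions[sid] = data
      true
    end
  end
end
```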

Weakness Enumeration

Insufficient Session Expiration
Time Of Check To Time Of Use
Race Condition

Related Identifiers

BDU:2025-07427
CVE-2025-46336
GHSA-9J94-67JR-4CQJ
GHSA-VPFW-47H7-XJ4G
OPENSUSE-SU-2025:15623-1
OPENSUSE-SU-2026:10359-1

Affected Products

Rack::Session
Red Os