Cyber Posture

CVE-2025-27111

High

Published: 04 March 2025

Modified: 03 November 2025
KEV Added: none (not listed in CISA KEV)
Patch: available
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N)
EPSS Score: 0.0067 (71.4th percentile)
Risk Priority: 15 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-27111 is a high-severity CRLF Injection (CWE-93) vulnerability in Rack (vendor: Rack). Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Stored Data Manipulation (T1565.001). The CVE ranks in the top 28.6% of CVEs by exploit likelihood (EPSS), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Stored Data Manipulation (T1565.001). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5) [AI-generated]

- Prevent (SI-2 Flaw Remediation): timely flaw remediation through patching Rack to versions 2.2.12, 3.0.13, or 3.1.11 directly eliminates the unsanitized logging of X-Sendfile-Type headers.
- Prevent (SI-10 Information Input Validation): validating and sanitizing HTTP header inputs like X-Sendfile-Type prevents injection of escape sequences into server logs.
- Prevent: protecting audit information from unauthorized modification mitigates the integrity compromise from injected log entries.

MITRE ATT&CK Enterprise Techniques [AI-generated]

T1565.001 Stored Data Manipulation (Impact)
Adversaries may insert, delete, or manipulate data at rest in order to influence external outcomes or hide activity, thus threatening the integrity of the data.
Why these techniques?

The log injection vulnerability directly enables insertion of arbitrary data (e.g., newlines) into stored server logs, facilitating Stored Data Manipulation to compromise log integrity.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Rack is a modular Ruby web server interface. The Rack::Sendfile middleware logs unsanitised header values from the X-Sendfile-Type header. An attacker can exploit this by injecting escape sequences (such as newline characters) into the header, resulting in log injection. This vulnerability is fixed in 2.2.12, 3.0.13, and 3.1.11.

Deeper analysis [AI-generated]

CVE-2025-27111 is a log injection vulnerability in the Rack::Sendfile middleware of Rack, a modular Ruby web server interface. The middleware logs unsanitized values from the X-Sendfile-Type header, enabling attackers to inject escape sequences such as newline characters into server logs. This affects Rack versions prior to the fixed releases of 2.2.12, 3.0.13, and 3.1.11, and is associated with CWE-93 and CWE-117.

The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N), making it remotely exploitable over the network with low attack complexity, no privileges, and no user interaction required. Unauthenticated attackers who can send HTTP requests to an affected Rack-based web server can include crafted payloads in the X-Sendfile-Type header, achieving log injection that compromises log integrity.
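The defect described above is a header value interpolated verbatim into a log line, so one request can produce extra, attacker-chosen log entries. The following is an added example (not Rack's code or its fix) that puts a vulnerable logging pattern beside a hardened one and shows how to verify the difference; the log message wording, the `sanitize_for_log` and `header_suspicious?` helpers, and the sample header value are all constructed for illustration.

```ruby
require 'logger'
require 'stringio'

# Replace each control character (CR, LF, ESC, NUL, ...) with a visible \xNN
# escape so a logged header value can never start a new log line.
def sanitize_for_log(value)
  value.to_s.gsub(/[\x00-\x1f\x7f]/) { |c| format('\\x%02x', c.ord) }
end

# Request-time detection signal: true when a header value carries characters
# that do not belong in a single-line log entry.
def header_suspicious?(value)
  value.to_s.match?(/[\x00-\x1f\x7f]/)
end

# Vulnerable pattern: the raw header value is interpolated into the message.
def log_variation_unsafe(logger, variation)
  logger.warn "Unknown x-sendfile variation: '#{variation}'."
end

# Hardened pattern: the value is escaped before it reaches the logger.
def log_variation_safe(logger, variation)
  logger.warn "Unknown x-sendfile variation: '#{sanitize_for_log(variation)}'."
end

# Capture what one logging call writes and return the resulting log lines.
def logged_lines(method_name, variation)
  io = StringIO.new
  logger = Logger.new(io)
  logger.formatter = proc { |sev, _time, _prog, msg| "#{sev}: #{msg}\n" }
  send(method_name, logger, variation)
  io.string.lines
end

# Constructed sample value (not from the advisory): a header value carrying
# an embedded newline, the condition the CVE text describes.
CRAFTED_VALUE = "nosendfile\nWARN: forged entry".freeze

if $PROGRAM_NAME == __FILE__
  puts logged_lines(:log_variation_unsafe, CRAFTED_VALUE).size # => 2
  puts logged_lines(:log_variation_safe, CRAFTED_VALUE).size   # => 1
  puts header_suspicious?(CRAFTED_VALUE)                       # => true
end
```

The same `header_suspicious?` check can run in a Rack middleware ahead of any logging to flag requests whose headers contain control characters.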

Advisories recommend upgrading to Rack 2.2.12, 3.0.13, or 3.1.11, which address the issue through commit-level fixes sanitizing the header value, as documented in GitHub commits 803aa221e8302719715e224f4476e438f2531a53, aeac570bb8080ca7b53b7f2e2f67498be7ebd30b, and b13bc6bfc7506aca3478dc5ac1c2ec6fc53f82a3, along with the Rack security advisory GHSA-8cgq-6mh2-7j6v. Debian LTS distributions have also announced mitigations in their March 2025 update.

Details

CWE(s): CWE-93, CWE-117

Affected Products

rack (vendor: rack): ≤ 2.2.12 · 3.0.0 – 3.0.13 · 3.1.0 – 3.1.11

CVEs Like This One

- CVE-2026-34830 (same product: Rack Rack)
- CVE-2026-34230 (same product: Rack Rack)
- CVE-2026-34785 (same product: Rack Rack)
- CVE-2026-34829 (same product: Rack Rack)
- CVE-2026-22860 (same product: Rack Rack)
- CVE-2025-27610 (same product: Rack Rack)
- CVE-2026-34826 (same product: Rack Rack)
- CVE-2026-34827 (same product: Rack Rack)
- CVE-2026-39324 (same vendor: Rack)
- CVE-2026-22777 (shared CWE-93)
