
Fedora 41: Critical Log Injection and DoS Risks in rubygem-rack 2.2.21

Fedora, November 13, 2025
Update to rubygem-rack 2.2.21 addresses critical security issues including Log Injections and DoS.
Update to Rack 2.2.21

Summary

Rack provides a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between (the so-called middleware) into a single method call.

Update Information:

Update to Rack 2.2.21

Change Log

* Tue Nov 4 2025 Vít Ondruch - 1:2.2.21-1
- Update to Rack 2.2.21
- CVE-2025-25184: Possible Log Injection in Rack::CommonLogger. Resolves: rhbz#2345712
- CVE-2025-27111: Escape Sequence Injection vulnerability in Rack lead to Possible Log Injection. Resolves: rhbz#2349978
- CVE-2025-27610: Local File Inclusion in Rack::Static. Resolves: rhbz#2351278
- CVE-2025-46727: Unbounded-Parameter DoS in Rack::QueryParser. Resolves: rhbz#2364999
- CVE-2025-32441: Rack Session Reuse Vulnerability. Resolves: rhbz#2365052
- CVE-2025-59830: Rack QueryParser has an unsafe default allowing params_limit bypass via semicolon-separated parameters. Resolves: rhbz#2402987
- CVE-2025-61919: Unbounded read in `Rack::Request` form parsing can lead to memory exhaustion. Resolves: rhbz#2403524
- CVE-2025-61780: Improper handling of headers in `Rack::Sendfile` may allow proxy bypass. Resolves: rhbz#2403529


Update Instructions

This update can be installed with the "dnf" update program. Use su -c 'dnf upgrade --advisory FEDORA-2025-a35addbf9b' at the command line. For more information, refer to the dnf documentation available at http://dnf.readthedocs.io/en/latest/command_ref.html#upgrade-command-label
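Hosts that vendor their own Rack through Bundler are not fixed by the package update alone, so it helps to know which lockfiles still pin an affected release. The Ruby script below is an added example, not part of this advisory or of the Rack project; it takes 2.2.21 as the fixed version named above, assumes the 2.2 series is the scope of this advisory, and runs against a constructed Gemfile.lock sample.

```ruby
# Added example: scan a Bundler Gemfile.lock for the rack gem and flag any
# 2.2.x release older than the fixed version named in this advisory.
require "rubygems"

FIXED_RACK = Gem::Version.new("2.2.21")        # fixed version from the advisory
COVERED    = Gem::Requirement.new("~> 2.2.0")  # series this advisory covers (assumption)

# Constructed sample lockfile, in the layout Bundler writes.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (2.2.20)
      rack-test (2.1.0)
        rack (>= 1.3)
      rake (13.2.1)

  PLATFORMS
    ruby

  DEPENDENCIES
    rack
    rack-test
LOCK

# Return { name => Gem::Version } for every resolved spec. Only lines indented
# by exactly four spaces are pinned versions; deeper lines are dependency
# constraints such as "rack (>= 1.3)" and must not be read as a version.
def resolved_specs(lock_text)
  lock_text.each_line.filter_map do |line|
    m = /\A {4}([A-Za-z0-9_.-]+) \(([^)]+)\)\s*\z/.match(line)
    [m[1], Gem::Version.new(m[2])] if m
  end.to_h
end

# Classify the lockfile's rack pin relative to this advisory:
#   :missing    rack is not resolved in the lockfile
#   :vulnerable a 2.2.x release older than 2.2.21
#   :fixed      2.2.21 or later within the 2.2 series
#   :other      a series this advisory does not cover; consult its own advisory
def rack_status(lock_text)
  version = resolved_specs(lock_text)["rack"]
  return :missing unless version
  return :other unless COVERED.satisfied_by?(version)
  version < FIXED_RACK ? :vulnerable : :fixed
end

puts "rack status for sample lockfile: #{rack_status(SAMPLE_LOCK)}"
```

Point it at real lockfiles with `rack_status(File.read("Gemfile.lock"))`; anything reported as :vulnerable needs a `bundle update rack` in addition to the dnf update.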

Severity: important

Name: rubygem-rack
Product: Fedora 41
Version: 2.2.21
Release: 1.fc41
Summary: A modular Ruby webserver interface
