CVE-2025-27111
📋 TL;DR
CVE-2025-27111 is a log injection vulnerability in Rack's Sendfile middleware that allows attackers to inject escape sequences (like newlines) via the X-Sendfile-Type header. This can corrupt log files, potentially enabling log forging or log evasion attacks. All Ruby applications using vulnerable Rack versions with Sendfile middleware enabled are affected.
💻 Affected Systems
- Rack (Ruby web server interface)
📦 What is this software?
Rack by Rack
⚠️ Risk & Real-World Impact
Worst Case
Attackers could inject malicious content into log files, enabling log forging to hide other attacks, log evasion to bypass security monitoring, or potentially execute arbitrary code if logs are processed by vulnerable parsers.
Likely Case
Log file corruption and potential log evasion attacks that could help attackers hide other malicious activities from security monitoring systems.
If Mitigated
Minimal impact if proper log sanitization and monitoring are in place, though log integrity may still be compromised.
🎯 Exploit Status
Exploitation requires sending HTTP requests with malicious X-Sendfile-Type headers. No authentication required if the application accepts external requests.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Rack 2.2.12, 3.0.13, or 3.1.11
Vendor Advisory: https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v
Restart Required: Yes
Instructions:
1. Update the Gemfile to require rack >= 2.2.12 (Rack 2.x), >= 3.0.13 (Rack 3.0.x), or >= 3.1.11 (Rack 3.1.x).
2. Run 'bundle update rack'.
3. Restart the application server.
4. Verify the update with 'bundle show rack'.
🔧 Temporary Workarounds
Disable Rack::Sendfile middleware
Remove or disable the Sendfile middleware if it is not required.
# In config/environments/production.rb or similar
config.middleware.delete Rack::Sendfile
Input validation filter
Add middleware that sanitizes the X-Sendfile-Type header before it reaches Rack::Sendfile.
# Custom middleware inserted ahead of Rack::Sendfile
class SanitizeSendfileHeader
  def initialize(app)
    @app = app
  end

  def call(env)
    # Rack exposes the request header as env['HTTP_X_SENDFILE_TYPE'];
    # strip CR/LF so an attacker cannot start a new line in the log entry
    if env['HTTP_X_SENDFILE_TYPE']
      env['HTTP_X_SENDFILE_TYPE'] = env['HTTP_X_SENDFILE_TYPE'].gsub(/[\r\n]/, '')
    end
    @app.call(env)
  end
end

# Then in config (e.g. config/application.rb or an environment file):
config.middleware.insert_before Rack::Sendfile, SanitizeSendfileHeader
🧯 If You Can't Patch
- Implement WAF rules to block requests containing newline characters in X-Sendfile-Type header
- Monitor and alert on log anomalies or unexpected log file modifications
🔍 How to Verify
Check if Vulnerable:
Check Rack version with 'bundle show rack' or 'gem list rack'. If version is below 2.2.12 (for Rack 2.x), 3.0.13 (for Rack 3.0.x), or 3.1.11 (for Rack 3.1.x), the system is vulnerable.
Check Version:
bundle show rack || gem list rack | grep rack
Verify Fix Applied:
After updating, verify with 'bundle show rack' that version is 2.2.12+, 3.0.13+, or 3.1.11+. Test by sending requests with newlines in X-Sendfile-Type header and checking logs for injection.
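The version comparison above has three separate thresholds, one per release series, which is easy to get wrong by hand. The following Ruby script is an added example (not from the advisory or the Rack project) that takes the path printed by 'bundle show rack', extracts the version, and reports whether it is below the fix for its series; it uses Gem::Version from Ruby's standard library. The sample path and the helper names are assumptions made for this example.

```ruby
require 'rubygems' # Gem::Version ships with Ruby

# Lowest fixed release in each affected series, taken from the advisory above.
FIXED_VERSIONS = {
  '2'   => Gem::Version.new('2.2.12'),
  '3.0' => Gem::Version.new('3.0.13'),
  '3.1' => Gem::Version.new('3.1.11')
}.freeze

# Extract the version from a `bundle show rack` style path such as
# /usr/local/bundle/gems/rack-3.1.10 (constructed example path).
# Returns nil when no rack-<version> segment is present.
def version_from_bundle_show(output)
  output.to_s[/rack-(\d+(?:\.\d+)+)/, 1]
end

# true  => version is below the fix for its series (vulnerable per the advisory)
# false => version is at or above the fix
# nil   => series not covered by the advisory text (e.g. 1.x or 3.2+)
def rack_vulnerable?(version_string)
  version = Gem::Version.new(version_string)
  major, minor = version.segments
  # The advisory treats all of 2.x as one series; 3.x is split by minor version.
  series = major == 2 ? '2' : "#{major}.#{minor}"
  fixed = FIXED_VERSIONS[series]
  return nil if fixed.nil?
  version < fixed
end

if __FILE__ == $PROGRAM_NAME
  # Pass the output of `bundle show rack` as the first argument; a constructed
  # path is used when none is given.
  path = ARGV.first || '/usr/local/bundle/gems/rack-3.1.10'
  version = version_from_bundle_show(path)
  case rack_vulnerable?(version)
  when true  then puts "rack #{version}: VULNERABLE (below fix for its series)"
  when false then puts "rack #{version}: fixed"
  else            puts "rack #{version.inspect}: series not covered by this advisory"
  end
end
```

Usage: ruby check_rack.rb "$(bundle show rack)". A nil result means the series is outside what the advisory lists, so consult the vendor advisory rather than assuming it is safe.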
📡 Detection & Monitoring
Log Indicators:
- Unexpected newlines or escape sequences in log entries
- Log entries that appear to span multiple lines incorrectly
- Malformed log file structure
Network Indicators:
- HTTP requests containing X-Sendfile-Type header with newline characters (\r, \n)
- Unusual patterns in X-Sendfile-Type header values
SIEM Query:
http.headers:X-Sendfile-Type AND (http.headers:X-Sendfile-Type:"*\n*" OR http.headers:X-Sendfile-Type:"*\r*")
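The log indicators listed above can be checked mechanically. The Ruby script below is an added example (not from the advisory or the Rack project) that scans access-log lines for two of them: control characters embedded in an entry, and lines that break the expected one-request-per-line format, which is what an injected newline produces. The log format (Rack::CommonLogger-like) and the sample lines are constructed assumptions; the same control-character test is exposed for a raw header value, which is the condition the WAF rule above blocks.

```ruby
# Expected shape of one access-log entry (assumed CommonLogger-like format).
LOG_LINE = /\A\S+ - \S+ \[[^\]]+\] "[A-Z]+ \S+ HTTP\/\d\.\d" \d{3} \S+ \S+\z/

# Control characters (CR, LF, ESC, ...) that a raw header value can carry into a log.
CONTROL_CHARS = /[\x00-\x1f\x7f]/

# Returns [[line_number, reason], ...] for every suspicious line in the log text.
def find_log_anomalies(log_text)
  anomalies = []
  log_text.split("\n").each_with_index do |line, idx|
    n = idx + 1
    next if line.strip.empty?
    if line.match?(CONTROL_CHARS)
      anomalies << [n, 'control characters embedded in entry']
    elsif !line.match?(LOG_LINE)
      anomalies << [n, 'does not match access-log format (possible injected continuation)']
    end
  end
  anomalies
end

# Request-time check on the header value as Rack stores it in
# env['HTTP_X_SENDFILE_TYPE']: true when it carries CR/LF or any other control character.
def header_value_suspicious?(value)
  !value.nil? && value.match?(CONTROL_CHARS)
end

# Constructed sample log: two ordinary entries, one attacker-chosen line that an
# injected newline pushed onto its own row, one entry with a bare carriage return
# left inside it, and one more ordinary entry.
SAMPLE_LOG = [
  '10.0.0.5 - - [01/Mar/2025:10:00:00 +0000] "GET /files/report.pdf HTTP/1.1" 200 512 0.0042',
  '10.0.0.9 - - [01/Mar/2025:10:00:01 +0000] "GET /files/report.pdf HTTP/1.1" 200 512 0.0051',
  '--- maintenance window started, alerts suppressed ---',
  "10.0.0.7 - - [01/Mar/2025:10:00:02 +0000] \"GET /files/report.pdf HTTP/1.1\" 200 512 0.0031\r",
  '10.0.0.5 - - [01/Mar/2025:10:00:03 +0000] "GET /healthz HTTP/1.1" 200 2 0.0003'
].join("\n")

if __FILE__ == $PROGRAM_NAME
  find_log_anomalies(SAMPLE_LOG).each { |n, why| puts "line #{n}: #{why}" }
end
```

The format check only catches injected text that does not look like a real entry; a forged line that reproduces the log format exactly passes it, which is the log-forging risk described above. Treat the format and control-character checks as triage signals and correlate flagged lines with the request-side indicator (X-Sendfile-Type values containing \r or \n) rather than relying on the log alone.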
🔗 References
- https://github.com/rack/rack/commit/803aa221e8302719715e224f4476e438f2531a53
- https://github.com/rack/rack/commit/aeac570bb8080ca7b53b7f2e2f67498be7ebd30b
- https://github.com/rack/rack/commit/b13bc6bfc7506aca3478dc5ac1c2ec6fc53f82a3
- https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v
- https://lists.debian.org/debian-lts-announce/2025/03/msg00016.html