CVE-2025-27111

Publication date 4 March 2025

Last updated 25 March 2025


Ubuntu priority

Rack is a modular Ruby web server interface. The Rack::Sendfile middleware logs unsanitised header values from the X-Sendfile-Type header. An attacker can exploit this by injecting escape sequences (such as newline characters) into the header, resulting in log injection. This vulnerability is fixed in 2.2.12, 3.0.13, and 3.1.11.

Status

Package Ubuntu Release Status
ruby-rack 25.04 plucky
Vulnerable
24.10 oracular
Fixed 2.2.7-1.1ubuntu0.1
24.04 LTS noble
Fixed 2.2.7-1ubuntu0.2
22.04 LTS jammy
Fixed 2.1.4-5ubuntu1.1+esm1
20.04 LTS focal
Fixed 2.0.7-2ubuntu0.1+esm6
18.04 LTS bionic
Fixed 1.6.4-4ubuntu0.2+esm7
16.04 LTS xenial
Fixed 1.6.4-3ubuntu0.2+esm7
14.04 LTS trusty
Fixed 1.5.2-3+deb8u3ubuntu1~esm9

Get expanded security coverage with Ubuntu Pro

Reduce your average CVE exposure time from 98 days to 1 day with expanded CVE patching, ten-years security maintenance and optional support for the full stack of open-source applications. Free for personal use.

Get Ubuntu Pro