
CVE-2025-25184: Rack Log Injection Vulnerability

CVE-2025-25184 is a log injection vulnerability in Rack for Ruby that allows attackers to manipulate log entries using crafted usernames with newline characters. This article covers technical details, affected versions, and fixes.

Updated: January 22, 2026

CVE-2025-25184 Overview

CVE-2025-25184 is a log injection vulnerability affecting Rack, the modular Ruby web server interface that most Ruby web frameworks are built on. The flaw is in Rack::CommonLogger: a username containing carriage-return/line-feed (CRLF) characters is written into the access log unchanged, so an attacker who controls a username can manipulate log entries.

When authentication is performed by Rack::Auth::Basic, a successful login stores the username in env['REMOTE_USER'], and Rack::CommonLogger later copies that value into the access-log line. Rack::Auth::Basic sets env['REMOTE_USER'] only after the credentials are accepted, so through this path the attacker needs an account whose username contains CRLF or whitespace characters, which is possible wherever the application allows such usernames at sign-up. Applications that additionally log every login attempt themselves, including failed ones, expose the same injection without a valid account. In either case a specially crafted username lets the attacker inject content into the log file.

Impact

Attackers can break the log format, insert fabricated entries, hide real activity among them, and feed false data to the SIEM and forensic tooling that consumes the logs. Control of a log line does not by itself grant code execution or data access; the damage is to the integrity of the evidence defenders rely on.

Affected Products

  • Rack versions prior to 2.2.11
  • Rack versions 3.0.x prior to 3.0.12
  • Rack versions 3.1.x prior to 3.1.10

Discovery Timeline

  • 2025-02-12 - CVE-2025-25184 published to NVD
  • 2025-11-03 - Last updated in NVD database

Technical Details for CVE-2025-25184

Vulnerability Analysis

This vulnerability is classified as CWE-93 (Improper Neutralization of CRLF Sequences, commonly called CRLF Injection). It is not HTTP response splitting (CWE-113): the CRLF lands in a log file, not in a response header. The root cause is that Rack::CommonLogger interpolates env['REMOTE_USER'] into the access-log line without neutralizing control characters.

The attack is network-accessible and requires low privileges (CVSS PR:L): the attacker must be able to authenticate, or at least submit authentication attempts, to the target application. No user interaction is required, so the technique lends itself to automated attacks.

The impact is to integrity: attackers can corrupt log data, hide evidence of malicious activity, or plant false evidence. Confidentiality and availability are not directly affected (the CVSS vector scores VC:N/VI:H/VA:N), but manipulated logs undermine security monitoring, incident response, and forensic investigation.

Root Cause

The vulnerability occurs because Rack::CommonLogger does not sanitize or validate the username stored in env['REMOTE_USER'] before interpolating it into the log line. A username containing CRLF characters (\r\n) is therefore written to the log byte for byte, and every line-oriented consumer of that log (tail, grep, a SIEM forwarder) treats the text after the line feed as a new record.

This allows attackers to:

  • Terminate the current log line prematurely
  • Insert entirely new, fabricated log entries
  • Break log parsing tools and SIEM integrations
  • Obfuscate malicious activity within log files

Attack Vector

The attack requires network access and the ability to present credentials to the target application. An attacker registers or uses a username containing a CRLF sequence, such as attacker\r\n127.0.0.1 - admin [timestamp] "GET /admin HTTP/1.1" 200, so that the text after the line break is recorded as a separate entry.

When that username is accepted by Rack::Auth::Basic and then logged by Rack::CommonLogger, the CRLF ends the genuine entry early and everything after it begins a new, attacker-controlled line. The remainder of the genuine entry (timestamp, request line, status, duration) is still appended after the injected text, so a clumsy payload leaves a visible tail; a payload that stops just before the fields the real entry will supply, for example attacker\r\n127.0.0.1 - admin, yields a fake entry that parses as a perfectly normal request by "admin". Either way the technique can manufacture apparent administrative activity and bury the attacker's own requests.

Detection Methods for CVE-2025-25184

Indicators of Compromise

  • Log entries containing unexpected line breaks or formatting anomalies
  • Usernames in authentication logs containing control characters or unusual whitespace patterns
  • Log file corruption or parsing errors in SIEM tools processing application logs
  • Discrepancies between application authentication logs and access control logs

Detection Strategies

  • Implement log integrity monitoring to detect unexpected formatting changes or injected entries
  • Configure SIEM rules to alert on usernames containing CRLF sequences, null bytes, or other control characters
  • Monitor for authentication attempts using usernames with unusual character patterns or excessive length
  • Forward logs to an append-only collector and parse them strictly there; file integrity monitoring on the log file itself does not catch this class of injection, because the application writes the injected line through its normal, legitimate log path
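The detection logic above, run over sample log lines, as an added example written for this page (not SentinelOne or Rack code). The strict-parse regex, the finding categories and the four log lines are constructed for the demo. It shows the point that matters in practice: an injected entry that has been crafted to parse cleanly cannot be told apart on its own, so the detector pairs each well-formed line with the truncated entry that precedes it, and separately flags user fields carrying raw or escaped control characters.

```ruby
# Strict parse of one entry in the line shape Rack::CommonLogger emits
# (remote addr, user, time, request line, status, length, duration).
# The \A and \z anchors matter: a truncated or run-together line must fail.
CLF_LINE = /\A(?<addr>\S+) - (?<user>\S+) \[(?<time>[^\]]+)\] "(?<req>[^"]*)" (?<status>\d{3}) (?<len>\S+) (?<dur>\d+\.\d+)\z/

# Constructed sample: a normal entry; a genuine entry cut short by a CRLF in
# the username, whose tail now reads as a clean entry for "admin"; a user
# field carrying a raw NUL; and an entry written by a sanitizing logger,
# where the CRLF survives only in escaped form.
SAMPLE_LOG = <<~LOG
  203.0.113.7 - alice [01/Jan/2026:00:00:00 +0000] "GET /profile HTTP/1.1" 200 512 0.0031
  203.0.113.7 - attacker
  127.0.0.1 - admin [01/Jan/2026:00:00:01 +0000] "GET /profile HTTP/1.1" 200 512 0.0029
  203.0.113.7 - carol\x00root [01/Jan/2026:00:00:02 +0000] "GET /profile HTTP/1.1" 200 512 0.0030
  203.0.113.7 - dave\\x0D\\x0Ainjected [01/Jan/2026:00:00:03 +0000] "GET /profile HTTP/1.1" 200 512 0.0030
LOG

# Returns [[line_no, kind, detail], ...] for everything worth a ticket.
def analyze_log(text)
  findings = []
  after_truncated = false
  text.each_line(chomp: true).with_index(1) do |line, no|
    m = CLF_LINE.match(line)
    unless m
      findings << [no, :malformed_entry, line]
      after_truncated = true # whatever comes next inherits the suspicion
      next
    end
    # A well-formed line directly after a truncated one is exactly what a
    # successful injection looks like; it cannot be trusted on its own merits.
    findings << [no, :follows_truncated_entry, "#{m[:user]} #{m[:req]}"] if after_truncated
    after_truncated = false
    user = m[:user]
    if user.match?(/[[:cntrl:]]/)
      findings << [no, :control_char_in_user, user.inspect]
    elsif user.match?(/\\x[0-9A-Fa-f]{2}|\\u[0-9A-Fa-f]{4}/)
      findings << [no, :escaped_control_in_user, user] # blocked attempt, still an alert
    end
  end
  findings
end

if __FILE__ == $PROGRAM_NAME
  analyze_log(SAMPLE_LOG).each { |no, kind, detail| puts "line #{no}: #{kind} -> #{detail}" }
end
```

A SIEM rule built the same way needs both halves: the malformed-line alert is the only direct evidence of the injection, and the "follows truncated entry" tag is what stops an analyst from reading the fabricated admin request as genuine.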

Monitoring Recommendations

  • Enable verbose logging for authentication events and cross-reference with network access logs
  • Implement real-time log analysis to detect formatting anomalies as they occur
  • Establish baseline patterns for normal log entries and alert on deviations
  • Review user account creation processes to identify accounts with suspicious username characters

How to Mitigate CVE-2025-25184

Immediate Actions Required

  • Upgrade Rack to a patched release for the line you run (2.2.11, 3.0.12, or 3.1.10)
  • Audit existing user accounts for usernames containing CRLF or other control characters
  • Implement input validation at user creation to reject usernames with control characters
  • Review existing log files for signs of exploitation or log injection attacks

Patch Information

The Rack development team has released security patches in versions 2.2.11, 3.0.12, and 3.1.10. The fix sanitizes the username before it is formatted into the log line. The patch commit and the GitHub Security Advisory are linked under Vendor Resources below; Debian users should also refer to the Debian LTS Announcement for distribution-specific guidance.

Workarounds

  • Implement input validation at the application level to reject or sanitize usernames containing CRLF, null bytes, and other control characters before authentication processing
  • Configure web application firewalls to block authentication requests containing control characters in credential fields
  • Deploy a custom middleware that sanitizes env['REMOTE_USER'] by escaping or stripping control characters, placed so that it runs after Rack::Auth::Basic has set the value and before Rack::CommonLogger formats the line; because CommonLogger writes its entry after the downstream call returns, a middleware nested inside CommonLogger and outside Auth::Basic that rewrites the value on the return path does this
  • Consider using structured logging formats (JSON) that properly escape special characters
```bash
# Gemfile: pin the patched release on the line you already run. A bare
# '>= 2.2.11' would also permit an upgrade to Rack 3.x, which is a separate migration.
gem 'rack', '~> 2.2', '>= 2.2.11'   # Rack 2.2.x users
# OR
gem 'rack', '~> 3.0.0', '>= 3.0.12' # Rack 3.0.x users
# OR
gem 'rack', '~> 3.1', '>= 3.1.10'   # Rack 3.1.x users

# Then update rack alone, leaving shared dependencies untouched
bundle update rack --conservative

# Confirm the version that was resolved into Gemfile.lock
bundle show rack
```
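To show the root cause described under Technical Details and the middleware workaround side by side, here is an added example written for this page (not Rack's own code). It contains a stand-in logger that formats entries the way the affected Rack::CommonLogger did, a stand-in for Rack::Auth::Basic that stores the username in env['REMOTE_USER'] on success, a sanitizing middleware, and an allow-list check for the sign-up path. The class names, the fixed timestamp, the credentials and the crafted username are constructed for the demo; nothing requires the rack gem, since the Rack interface is only call(env) returning [status, headers, body].

```ruby
require 'stringio'

# Line shape modeled on Rack::CommonLogger's Common Log Format output
# (a local reproduction for this demo, not Rack's own constant).
LOG_FORMAT = %{%s - %s [%s] "%s %s %s" %d %s %0.4f\n}

# Vulnerable behaviour: env['REMOTE_USER'] is interpolated verbatim.
class DemoCommonLogger
  def initialize(app, io)
    @app = app
    @io = io
  end

  def call(env)
    t0 = Process.clock_gettime(Process::CLOCK_MONOTONIC)
    status, headers, body = @app.call(env)
    @io << format(LOG_FORMAT,
                  env['REMOTE_ADDR'] || '-',
                  env['REMOTE_USER'] || '-',    # attacker-influenced, not neutralized
                  '01/Jan/2026:00:00:00 +0000', # fixed so the demo is deterministic
                  env['REQUEST_METHOD'], env['PATH_INFO'], env['SERVER_PROTOCOL'],
                  status, headers['content-length'] || '-',
                  Process.clock_gettime(Process::CLOCK_MONOTONIC) - t0)
    [status, headers, body]
  end
end

# Stand-in for Rack::Auth::Basic: on success it stores the username in
# env['REMOTE_USER'], the very value the logger prints later.
class DemoBasicAuth
  def initialize(app, &authenticator)
    @app = app
    @authenticator = authenticator
  end

  def call(env)
    header = env['HTTP_AUTHORIZATION'].to_s
    if header.start_with?('Basic ')
      user, pass = header[6..].unpack1('m0').split(':', 2)
      if @authenticator.call(user, pass)
        env['REMOTE_USER'] = user
        return @app.call(env)
      end
    end
    [401, { 'www-authenticate' => 'Basic realm="demo"' }, ['Unauthorized']]
  end
end

# Workaround middleware. Nest it inside the logger and outside the auth
# middleware: the logger formats its line only after the downstream call
# returns, so rewriting env['REMOTE_USER'] on the way back catches the value
# Auth::Basic set. Every byte of a non-printable or whitespace character is
# escaped rather than dropped, so the original bytes stay visible to an analyst.
class SanitizeRemoteUser
  def initialize(app)
    @app = app
  end

  def call(env)
    response = @app.call(env)
    if (user = env['REMOTE_USER'])
      env['REMOTE_USER'] = user.gsub(/[^[:graph:]]/) do |c|
        c.bytes.map { |b| format('\\x%02X', b) }.join
      end
    end
    response
  end
end

# Allow-list check for the sign-up path (the first workaround listed above).
def valid_username?(name)
  name.match?(/\A[A-Za-z0-9._-]{1,64}\z/)
end

# Sends one GET through logger -> [sanitizer] -> auth -> app; returns the log text.
def run_stack(username:, sanitize:)
  out   = StringIO.new
  app   = ->(_env) { [200, { 'content-length' => '2' }, ['ok']] }
  auth  = DemoBasicAuth.new(app) { |_user, _pass| true } # constructed: every login succeeds
  stack = DemoCommonLogger.new(sanitize ? SanitizeRemoteUser.new(auth) : auth, out)
  env = {
    'REMOTE_ADDR' => '203.0.113.7', 'REQUEST_METHOD' => 'GET', 'PATH_INFO' => '/profile',
    'SERVER_PROTOCOL' => 'HTTP/1.1',
    'HTTP_AUTHORIZATION' => 'Basic ' + ["#{username}:hunter2"].pack('m0')
  }
  stack.call(env)
  out.string
end

# Crafted so that the tail of the genuine entry completes the fake "admin" line.
CRAFTED_USER = "attacker\r\n127.0.0.1 - admin"

if __FILE__ == $PROGRAM_NAME
  puts run_stack(username: CRAFTED_USER, sanitize: false) # two lines, second is the fake
  puts run_stack(username: CRAFTED_USER, sanitize: true)  # one line, CRLF escaped
end
```

Without the sanitizer the crafted username produces two lines, and the second one is a complete, well-formed entry attributing a request to "admin". With SanitizeRemoteUser in the stack the same request yields one line in which the CRLF and the embedded spaces appear as \x0D\x0A and \x20, so the attempt is both neutralized and visible. The allow-list check is the cheaper control where you own the sign-up path; the middleware is the one you can add without touching application code.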

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Other
  • Vendor/Tech: Rack
  • Severity: MEDIUM
  • CVSS Score: 5.7
  • EPSS Probability: 1.03%
  • Known Exploited: No
  • CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

Impact Assessment

  • Confidentiality: None
  • Integrity: High
  • Availability: None

CWE References

  • CWE-93

Technical References

  • Debian LTS Announcement

Vendor Resources

  • GitHub Commit Update
  • GitHub Security Advisory

Related CVEs

  • CVE-2026-32762: Rack Header Parsing Vulnerability
  • CVE-2026-26962: Rack Header Injection Vulnerability
  • CVE-2026-26961: Rack Multipart Smuggling Vulnerability
  • CVE-2025-27111: Rack Log Injection Vulnerability
©2026 SentinelOne, All Rights Reserved.
