CVE-2025-46336 (rack-session): Rack session gets restored after deletion
a year ago
- #rack
- #session
- #security
- Rack::Session::Pool middleware vulnerability allows session restoration after deletion.
- Unauthenticated users can keep occupying a session if a long-running request that loaded it is still in flight when the user logs out: the session data is written back when that request completes, undoing the deletion.
- Affects versions < 2.0.0; patched in >= 2.1.1.
- Mitigation includes updating rack-session, invalidating sessions atomically, or implementing a custom session store.
- Related to a similar issue in Rack < 3 (GHSA-vpfw-47h7-xj4g).
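The write-back race summarised in the bullets above, as an added example that is not part of the advisory or of rack-session's own code: a toy in-memory pool store reproduces the sequence (slow request loads the session, logout deletes it, slow request finishes and writes it back), and a hardened variant refuses to write back a session id that no longer exists. The class and method names (`ToyPool`, `HardenedPool`, `race`) are assumptions for this illustration, and the "refuse if the id is gone" check is one possible atomic-invalidation design, not necessarily the exact fix shipped in 2.1.1.

```ruby
require 'securerandom'

# Minimal stand-in for an in-memory session pool (constructed for this example;
# not rack-session's implementation). Sessions are keyed by id.
class ToyPool
  def initialize
    @pool = {}
    @mutex = Mutex.new
  end

  # Load the session for sid, or create a fresh one when sid is nil/unknown.
  # Returns [sid, session_copy]; the copy is what a request works on in memory.
  def find_session(sid)
    @mutex.synchronize do
      if sid && @pool.key?(sid)
        [sid, @pool[sid].dup]
      else
        sid = SecureRandom.hex(16)
        @pool[sid] = {}
        [sid, {}]
      end
    end
  end

  # Logout path: drop the server-side session.
  def delete_session(sid)
    @mutex.synchronize { @pool.delete(sid) }
  end

  # Vulnerable write-back: unconditionally stores whatever the request held,
  # even if the session was deleted while the request was running.
  def write_session(sid, session)
    @mutex.synchronize { @pool[sid] = session }
    sid
  end

  def exists?(sid)
    @mutex.synchronize { @pool.key?(sid) }
  end
end

# Hardened variant (assumed design): deletion and write-back are decided under
# the same lock, and a session that was deleted mid-request is not resurrected.
class HardenedPool < ToyPool
  def write_session(sid, session)
    @mutex.synchronize do
      return nil unless @pool.key?(sid) # deleted concurrently: refuse write-back
      @pool[sid] = session
    end
    sid
  end
end

# Deterministic replay of the race (no threads needed to show the ordering):
#   1. user logs in, 2. a slow request loads the session, 3. user logs out,
#   4. the slow request completes and writes its in-memory copy back.
# Returns true when the deleted session is back in the store.
def race(pool)
  sid, _ = pool.find_session(nil)
  pool.write_session(sid, { 'user_id' => 42 }) # login stores identity
  _, slow_copy = pool.find_session(sid)         # slow request loads session
  pool.delete_session(sid)                      # logout in another request
  pool.write_session(sid, slow_copy)            # slow request finishes
  pool.exists?(sid)
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable pool resurrects session: #{race(ToyPool.new)}"
  puts "hardened pool resurrects session:   #{race(HardenedPool.new)}"
end
```

The vulnerable store reports `true` (the logged-out session is live again), the hardened one `false`. The same check belongs in any custom session store mentioned in the mitigation bullet: whatever backend is used, the "does this id still exist" test and the write must happen atomically, otherwise a delete that lands between them is lost.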