
Cloud Vulnerability DB
An open project to list all known cloud vulnerabilities and Cloud Service Provider security issues
Rack, a modular Ruby web server interface, contains a vulnerability in versions prior to 2.2.14 affecting the Rack::Session::Pool middleware. The vulnerability allows simultaneous Rack requests to restore a deleted Rack session, enabling an unauthenticated user to occupy that session. The issue was discovered and disclosed on May 7, 2025, and affects the session management functionality of the Rack framework (GitHub Advisory).
The vulnerability stems from a race condition in the Rack session middleware's handling of session data. The middleware prepares the session at the beginning of a request and saves it back to the store with possible changes applied by the host rack application. This implementation makes sessions susceptible to race conditions during concurrent rack requests. The vulnerability has been assigned a CVSS v3.1 score of 4.2 (Medium) with the vector string CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N, indicating network accessibility with high attack complexity and low privileges required (GitHub Advisory).
If an attacker can acquire a session cookie, they can potentially restore a deleted session by triggering a long-running request adjacent to a user's logout action. This allows the attacker to maintain illicit access to the session even after the legitimate user has attempted to log out, compromising session security and potentially leading to unauthorized access (GitHub Advisory).
The primary mitigation is to update to Rack version 2.2.14 or later. Alternative workarounds include: 1) implementing atomic session invalidation by marking sessions as logged out using a logged_out flag instead of deleting them, and checking this flag on every request, or 2) creating a custom session store that tracks session invalidation timestamps and refuses to accept session data if the session was invalidated after the request began (GitHub Advisory).
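The following is an added example, not code from the advisory or from the Rack project, illustrating the second workaround. It models two in-memory session stores in plain Ruby: a naive pool that writes a session back unconditionally, and a hardened store that records when each session id was invalidated and refuses a write-back from any request that began at or before that instant. The class and method names (`NaivePoolStore`, `InvalidationAwareStore`, `find_session`, `write_session`, `delete_session`) are hypothetical, and timestamps are passed in explicitly so the race from the advisory can be replayed deterministically in a single thread rather than relying on real concurrency.

```ruby
require 'monitor'

# Constructed example: a minimal in-memory session store with the same
# read-at-start / write-at-end shape the advisory describes. It is not
# Rack's own Rack::Session::Pool; names are hypothetical.
class NaivePoolStore
  include MonitorMixin

  def initialize
    super()
    @sessions = {}
  end

  def find_session(sid)
    synchronize { @sessions[sid] }
  end

  def delete_session(sid, now: Time.now)
    synchronize { @sessions.delete(sid) }
  end

  # Writes unconditionally: a request that began before the logout still
  # writes its stale copy of the session back after the delete, which is
  # exactly how a deleted session gets resurrected.
  def write_session(sid, data, request_started_at:, now: Time.now)
    synchronize { @sessions[sid] = data }
    true
  end
end

# Hardened store: remembers when each session id was invalidated and refuses
# any write-back from a request that started at or before that instant.
class InvalidationAwareStore < NaivePoolStore
  def initialize
    super
    @invalidated_at = {}
  end

  def delete_session(sid, now: Time.now)
    synchronize do
      @invalidated_at[sid] = now
      super(sid, now: now)
    end
  end

  def write_session(sid, data, request_started_at:, now: Time.now)
    synchronize do
      killed_at = @invalidated_at[sid]
      # Session was invalidated after this request began: drop the stale data.
      return false if killed_at && killed_at >= request_started_at

      super(sid, data, request_started_at: request_started_at, now: now)
    end
  end
end

# Replays the timeline from the advisory against a store (constructed data):
#   t=0  user logs in; session written
#   t=10 a long-running request for that session begins and reads it
#   t=11 the user logs out; the session is deleted
#   t=12 the long-running request finishes and writes its copy back
# Returns [write_accepted, session_after_race].
def simulate_race(store)
  sid = 'sess-example'          # constructed session id
  data = { 'user_id' => 42 }    # constructed session payload
  store.write_session(sid, data, request_started_at: Time.at(0), now: Time.at(0))

  request_started_at = Time.at(10)
  stale_copy = store.find_session(sid).dup   # what the slow request holds
  store.delete_session(sid, now: Time.at(11))
  accepted = store.write_session(sid, stale_copy,
                                 request_started_at: request_started_at,
                                 now: Time.at(12))
  [accepted, store.find_session(sid)]
end

if __FILE__ == $PROGRAM_NAME
  p simulate_race(NaivePoolStore.new)         # session resurrected after logout
  p simulate_race(InvalidationAwareStore.new) # logout sticks
end
```

The check uses `>=` so that an invalidation landing at the same instant the request started is also refused. In a real store the timestamps should come from a monotonic clock captured at the start of each request and at logout, and the invalidation marker should outlive the session record long enough to cover the longest request the application allows.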
Source: This report was generated using AI