
Cloud Vulnerability DB
A community-led vulnerabilities database
Rack::Session (the rack-session gem, shipped separately from rack since Rack 3) provides session management for Rack applications. Versions 2.0.0 up to but not including 2.1.1 contain a vulnerability in the Rack::Session::Pool middleware, disclosed on May 8, 2025: a race condition between concurrent Rack requests can restore a session that has already been deleted (GitHub Advisory, NVD).
The root cause is the way the session middleware handles the session lifecycle. The middleware loads the session from the store when a request starts and writes it back, with whatever changes the host Rack application made, when the request ends. A request that is still running when another request deletes the same session (for example, a logout) writes its stale copy back on completion and recreates the deleted session. The issue carries a CVSS v3.1 base score of 4.2 (Moderate) with vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N; the high attack complexity reflects the need to win a timing window. It is classified under CWE-362 (race condition from improperly synchronized use of a shared resource), CWE-367 (time-of-check to time-of-use race) and CWE-613 (Insufficient Session Expiration) (GitHub Advisory, Wiz).
An attacker who already holds a victim's session cookie and can trigger a long-running request with it just as the victim logs out may have that request write the old session data back after the logout deleted it. The session is restored and the attacker keeps access that the victim believes was revoked. The flaw does not yield a cookie by itself; what it defeats is logout as a way of recovering from a cookie that has already been stolen (Wiz).
The issue is fixed in rack-session 2.1.1, and upgrading is the recommended fix; check the version of the rack-session gem in your lock file (for example with `bundle info rack-session`), not the version of rack itself. If upgrading is not immediately possible, the advisory lists two workarounds: 1) invalidate sessions atomically by setting a logged_out flag instead of deleting the session, and check that flag on every request so a restored session cannot be reused (the flag must be kept where a stale write-back cannot overwrite it, otherwise it is subject to the same race); 2) use a custom session store that records when each session was invalidated and refuses to write back session data from a request that began before the invalidation (GitHub Advisory).
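The following is an added, self-contained Ruby simulation of the race described above and of the second workaround (an invalidation timestamp in the store). It is not rack-session's own code and does not load the rack gem: the `VulnerablePool`, `HardenedPool`, `SimulatedRequest` and `Clock` names are hypothetical stand-ins that keep only the load-at-start / save-at-end shape of the Pool middleware, and the session ID and user data are constructed for the example.

```ruby
# Added example: simulation of the Rack::Session::Pool write-back race and of
# the "refuse stale write-backs" mitigation. Not rack-session's code; every
# class below is a hypothetical stand-in for the real middleware and store.

# Monotonic tick counter standing in for a wall clock, so the interleaving
# below is deterministic (a real store would use Process.clock_gettime).
module Clock
  @tick = 0
  def self.now
    @tick += 1
  end
end

# In-memory store with the vulnerable semantics: the last write wins, even
# when the session was deleted after that writer loaded its copy.
class VulnerablePool
  def initialize
    @sessions = {}
  end

  def find_session(sid)
    data = @sessions[sid]
    data && data.dup
  end

  def write_session(sid, data, _request_started_at)
    @sessions[sid] = data.dup # unconditional write-back restores a deleted session
    true
  end

  def delete_session(sid)
    @sessions.delete(sid)
  end

  def exist?(sid)
    @sessions.key?(sid)
  end
end

# Hardened store (advisory workaround 2): remember when each session was
# invalidated and drop any write-back from a request that started before that.
class HardenedPool < VulnerablePool
  def initialize
    super
    @invalidated_at = {}
  end

  def write_session(sid, data, request_started_at)
    deleted_at = @invalidated_at[sid]
    return false if deleted_at && deleted_at >= request_started_at # stale writer
    super
  end

  def delete_session(sid)
    @invalidated_at[sid] = Clock.now
    super
  end
end

# What the middleware does around one request: load the session when the
# request starts, let the app mutate it, save it back when the request ends.
class SimulatedRequest
  attr_reader :session, :started_at

  def initialize(store, sid)
    @store = store
    @sid = sid
    @started_at = Clock.now
    @session = store.find_session(sid) || {}
  end

  def finish
    @store.write_session(@sid, @session, @started_at)
  end
end

# The interleaving from the advisory: a long-running request holding a copy of
# the session straddles the victim's logout. Returns true if the session exists
# afterwards (restored after deletion), false if the logout held.
def session_restored_after_logout?(store)
  sid = "constructed-session-id"                              # constructed sample ID
  store.write_session(sid, { "user_id" => 42 }, Clock.now)    # victim is logged in

  long_request = SimulatedRequest.new(store, sid)             # attacker's slow request loads a copy
  long_request.session["touched"] = true                      # app mutates it, as apps do

  store.delete_session(sid)                                   # victim logs out: session deleted

  long_request.finish                                         # slow request ends: write-back
  store.exist?(sid)
end

if __FILE__ == $PROGRAM_NAME
  puts "vulnerable pool: restored=#{session_restored_after_logout?(VulnerablePool.new)}"
  puts "hardened pool:   restored=#{session_restored_after_logout?(HardenedPool.new)}"
end
```

With the vulnerable store the deleted session reappears after the slow request's write-back; with the hardened store the write-back is rejected because the request started before the recorded invalidation. A production store would need the same check to be atomic with respect to the write (for example under the store's mutex or in a Redis transaction), since the check-then-write in the simulation is itself a time-of-check to time-of-use window if two threads interleave inside it.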
Source: This report was generated using AI