Package | ruby-rack |
---|---|
Version | 1.6.4-4+deb9u7 (stretch), 2.0.6-3+deb10u5 (buster) |
Related CVEs | CVE-2025-25184 CVE-2025-27111 CVE-2025-27610 |

Multiple vulnerabilities have been fixed in ruby-rack, an interface for developing web applications in Ruby.

- CVE-2025-25184: Log Injection in Rack::CommonLogger
- CVE-2025-27111: Log Injection in Rack::Sendfile
- CVE-2025-27610: Local file inclusion in Rack::Static

For Debian 10 buster, these problems have been fixed in version 2.0.6-3+deb10u5.
For Debian 9 stretch, these problems have been fixed in version 1.6.4-4+deb9u7.
We recommend that you upgrade your ruby-rack packages.
Further information about Extended LTS security advisories can be found in the dedicated section of our website.