How the CVE Works
Rack’s `Session::Pool` middleware keeps session data in an in-process hash: each request loads its session when it starts and writes the (possibly modified) data back when it finishes. Load and write-back are not atomic with respect to other requests on the same session, so concurrent requests can interleave. If a user logs out, the logout request deletes the session, but a slower request that loaded the same session before the deletion still holds a copy, and when it finishes it writes that copy back, recreating the session that was just deleted. An attacker who holds the session cookie can keep such a request in flight so that the victim's logout has no lasting effect and the attacker keeps access. The root cause is non-atomic session handling in Rack::Session::Pool, a time-of-check/time-of-use (TOCTOU) flaw.
DailyCVE Form
Platform: Rack
Version: <2.2.8, 3.x
Vulnerability: Race condition in session invalidation (deleted session restored by an in-flight request)
Severity: Medium
Date: 2024-03-15
What Undercode Say:
Exploitation:
1. Session Acquisition: The attacker first obtains the victim's session cookie (e.g., via XSS). The race does not hand the attacker a session by itself; it lets a stolen one survive the victim's logout.
2. Trigger Long Request: With the stolen cookie, send a request that is still being processed when the victim logs out (rack.session is Rack's default cookie name):
   curl -b "rack.session=STOLEN_SESSION_ID" http://victim.com/slow_endpoint
3. Race Logout: The victim logs out while the attacker's request is pending. Logout deletes the session from the pool, then the pending request commits the copy it loaded at its start and restores the session, so the stolen cookie keeps working.
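To make the interleaving concrete, the following is an added example written for this page, not code from Rack or the rack-session gem: a constructed in-memory pool modelled on the load/delete/commit sequence described above (the class and method names are assumptions), with the vulnerable unconditional write-back beside a guarded write that refuses to persist a session which no longer exists. The race is replayed as sequential steps so the outcome is deterministic; in production the same ordering arises from two concurrent requests on a threaded server.

```ruby
require 'securerandom'

# Constructed model of a Rack::Session::Pool-style store (not Rack's code).
# A request loads its session at the start and commits it at the end.
class VulnerablePool
  def initialize
    @pool = {}
    @mutex = Mutex.new
  end

  # Login path: create a fresh session ID with an empty session.
  def generate_sid
    sid = SecureRandom.hex(16)
    @mutex.synchronize { @pool[sid] = {} }
    sid
  end

  # Start of request: return a copy of the session, or nil if unknown.
  def find_session(sid)
    @mutex.synchronize { @pool[sid] && @pool[sid].dup }
  end

  # Logout: delete the session from the pool.
  def delete_session(sid)
    @mutex.synchronize { @pool.delete(sid) }
  end

  # End of request: the vulnerable commit writes back unconditionally, so a
  # session deleted while this request was in flight comes back to life.
  def write_session(sid, data)
    @mutex.synchronize { @pool[sid] = data }
    true
  end
end

# Same store with a guarded commit: data is written only if the session
# still exists, so a deletion wins over any in-flight request's write-back.
class HardenedPool < VulnerablePool
  def write_session(sid, data)
    @mutex.synchronize do
      return false unless @pool.key?(sid)
      @pool[sid] = data
      true
    end
  end
end

# The three exploitation steps, played out in order on the given pool.
# Returns what a later lookup of the victim's session ID sees.
def simulate_logout_race(pool)
  sid = pool.generate_sid
  pool.write_session(sid, { 'user_id' => 42 })   # victim is logged in

  # 1. attacker's slow request, carrying the stolen cookie, loads the session
  attacker_copy = pool.find_session(sid)
  # 2. victim logs out while that request is still pending
  pool.delete_session(sid)
  # 3. attacker's request finishes and commits the copy it loaded
  pool.write_session(sid, attacker_copy)

  pool.find_session(sid)   # nil if the logout held, the old data if resurrected
end

if $PROGRAM_NAME == __FILE__
  puts "vulnerable pool after logout: #{simulate_logout_race(VulnerablePool.new).inspect}"
  puts "hardened pool after logout:   #{simulate_logout_race(HardenedPool.new).inspect}"
end
```

The guard must live inside the same critical section as the write; checking `key?` first and writing afterwards outside the mutex would just move the TOCTOU window rather than close it.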
Protection:
1. Update Rack (on Rack 3 the session middleware lives in the separate rack-session gem, so update that as well):
   gem update rack rack-session
2. Atomic Invalidation:
   Do not rely on a flag kept inside the session itself (e.g. session[:logged_out] = true): the attacker's pending request commits the copy it loaded before logout, so the flag is overwritten together with everything else. Record the logout outside the session data and check that record on every request, rejecting any session whose ID has been invalidated; rotate the session ID at login so an old ID is never valid again.
3. Custom Session Store:
   class SafeSessionStore
     def initialize
       @invalidations = {}   # session_id => Time of logout
       @mutex = Mutex.new
     end

     # Called at logout, before the session is removed from the pool.
     def invalidate(session_id)
       @mutex.synchronize { @invalidations[session_id] = Time.now }
     end

     # Called at the start of every request; a resurrected session is rejected.
     def valid?(session_id)
       @mutex.synchronize { !@invalidations.key?(session_id) }
     end
   end
   Prune entries older than the session lifetime so the invalidation list does not grow without bound.
Detection:
Check the installed Rack version (and rack-session on Rack 3) against the fixed release:
   gem list rack
   bundle list | grep rack
An app is exposed only if it actually uses the pool store (use Rack::Session::Pool in config.ru or the middleware stack); cookie-based session stores keep no server-side pool and are not subject to this race.
References:
- Rack GHSA
- CVE-2024-26141
Analytics: Affects apps that run Rack::Session::Pool under a multi-threaded server (e.g., Puma), whether plain Rack, Rails or Sinatra; Rails' default cookie store and Sinatra's enable :sessions (Rack::Session::Cookie) are not this middleware. Patch prioritization recommended for public-facing apps.
Sources:
Reported By: github.com