CHEF-28294: Fix CVE-2025-61780 - Update rack gem to >= 3.1.18#4129

Merged: jashaik merged 4 commits into main from CHEF-28294 on Dec 9, 2025

Conversation

kalroy (Collaborator) commented Dec 4, 2025

Summary

This PR addresses CVE-2025-61780, a medium severity (CVSS 5.3) information disclosure vulnerability in the rack gem. The fix updates the rack gem version constraint in the oc-id Gemfile from > 3.0 to >= 3.1.18.

Jira Ticket

CHEF-28294 - Fix CVE-2025-61780 in rack gem version 3.1.16

This work was completed with AI assistance following Progress AI policies.

Changes Made

  • Updated src/oc-id/Gemfile line 32: Changed rack gem constraint from '> 3.0' to '>= 3.1.18'
  • Verified existing Gemfile.lock already contains compliant version (rack 3.2.3)

Vulnerability Details

  • CVE: CVE-2025-61780
  • CVSS Score: 5.3 (Medium)
  • Issue: Information disclosure in Rack::Sendfile when running behind a proxy (Nginx)
  • Affected Versions: Prior to 2.2.20, 3.1.18, and 3.2.3
  • Fix Version: >= 3.1.18 (or 3.2.3)

Testing

  • Verified Gemfile constraint update enforces minimum version requirement
  • Confirmed all Gemfile.lock files in the codebase already contain compliant rack versions:
    • oc-id: rack 3.2.3 ✓
    • chef-server-ctl: rack 3.2.3 ✓
    • oc-chef-pedant: rack 3.2.4 ✓
    • omnibus: rack 3.2.3 ✓

Related Issues

Customer: Relativity (Tier 3)

Update rack gem version constraint in oc-id Gemfile from '> 3.0' to '>= 3.1.18'
to address CVE-2025-61780 (CVSS 5.3), an information disclosure vulnerability
in Rack::Sendfile when running behind a proxy like Nginx.

The vulnerability affects rack versions prior to 2.2.20, 3.1.18, and 3.2.3.
Gemfile.lock already contains rack 3.2.3 which is compliant.
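An added example, not code from this PR or the chef-server repository, of the Gemfile.lock check described under Testing: it pulls the resolved rack version out of lock-file text and compares it against the fixed releases listed above (2.2.20, 3.1.18, 3.2.3). The sample lock contents are constructed, and treating any release newer than 3.2.3 as fixed is an assumption.

```ruby
# Added example, not code from the chef-server PR. Checks whether the rack
# version resolved in a Gemfile.lock is at or above a fixed release for
# CVE-2025-61780. Fixed releases are those named in the PR description.
require "rubygems" # Gem::Version gives proper version ordering (3.1.18 > 3.1.2)
FIXED_RACK_VERSIONS = %w[2.2.20 3.1.18 3.2.3].map { |v| Gem::Version.new(v) }.freeze

# Return the resolved rack version from Gemfile.lock text, or nil if absent.
# Only the four-space-indented "rack (X.Y.Z)" line under GEM/specs is the
# resolved version; deeper lines such as "rack (>= 1.3)" are constraints.
def resolved_rack_version(lock_text)
  lock_text.each_line do |line|
    m = line.match(/\A {4}rack \((\d+(?:\.\d+)*)\)\s*\z/)
    return Gem::Version.new(m[1]) if m
  end
  nil
end

# True when the version is at or past the fix for its own major.minor series.
# Series without a listed fix (e.g. 3.0.x) count as vulnerable; anything
# newer than the newest fixed release (e.g. 4.0.0) is assumed fixed.
def rack_fixed?(version)
  series_fix = FIXED_RACK_VERSIONS.find { |f| f.segments[0, 2] == version.segments[0, 2] }
  return version >= series_fix if series_fix
  version > FIXED_RACK_VERSIONS.max
end

# Constructed lock-file excerpts standing in for the repository's real ones.
SAMPLE_LOCKS = {
  "oc-id (constructed)" => <<~LOCK,
    GEM
      specs:
        rack (3.2.3)
        rack-test (2.1.0)
          rack (>= 1.3)
  LOCK
  "stale (constructed)" => <<~LOCK,
    GEM
      specs:
        rack (3.1.16)
  LOCK
}.freeze

# Map each lock file to :fixed, :vulnerable or :missing.
def audit(locks)
  locks.to_h do |name, text|
    v = resolved_rack_version(text)
    [name, v.nil? ? :missing : (rack_fixed?(v) ? :fixed : :vulnerable)]
  end
end
```

Run `audit` over `File.read` of each real Gemfile.lock to reproduce the per-lock-file check listed under Testing.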
@kalroy kalroy requested review from a team as code owners December 4, 2025 15:10
netlify bot commented Dec 4, 2025

👷 Deploy Preview for chef-server processing.

Latest commit: 4308925
Latest deploy log: https://app.netlify.com/projects/chef-server/deploys/6937eaf2406d74000855471c

@kalroy kalroy added the ai-assisted Work completed with AI assistance following Progress AI policies label Dec 4, 2025
- Updated rack from 3.2.3 to 3.2.4
- Regenerated using bundle lock --update=rack with Ruby 3.1.7
jashaik (Contributor) commented Dec 9, 2025

…file.lock files

- Update rack constraint from >= 3.1.18 to >= 3.2.4 in src/oc-id/Gemfile
- Update rack version from 3.2.3 to 3.2.4 in all Gemfile.lock files:
  - src/oc-id/Gemfile.lock (already at 3.2.4, updated constraint in DEPENDENCIES)
  - src/chef-server-ctl/Gemfile.lock
  - omnibus/Gemfile.lock
- Ensures consistent rack version 3.2.4 across all dependencies
- Addresses CVE-2025-61780 security vulnerability

Signed-off-by: Jan Shahid Shaik <jashaik@progress.com>
sonarqubecloud bot commented Dec 9, 2025

@jashaik jashaik merged commit 0083ff3 into main Dec 9, 2025
38 of 39 checks passed
@jashaik jashaik deleted the CHEF-28294 branch December 9, 2025 09:26
sonarqube-for-infrastructure-prod: Quality Gate passed

Issues
0 New issues
0 Fixed issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarQube
