{"id":"CVE-2019-25025","details":"The activerecord-session_store (aka Active Record Session Store) component through 1.1.3 for Ruby on Rails does not use a constant-time approach when delivering information about whether a guessed session ID is valid. Consequently, remote attackers can leverage timing discrepancies to achieve a correct guess in a relatively short amount of time. This is a related issue to CVE-2019-16782.","aliases":["GHSA-cvw2-xj8r-mjf7"],"modified":"2026-04-11T21:02:32.793719Z","published":"2021-03-05T06:15:12.690Z","related":["SUSE-SU-2021:1962-1","SUSE-SU-2021:1963-1","SUSE-SU-2021:2554-1"],"references":[{"type":"FIX","url":"https://github.com/rails/activerecord-session_store/pull/151"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/rails/activerecord-session_store","events":[{"introduced":"0"},{"last_affected":"50e81319339d847a07a67eb32d77dbbbe4636317"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"last_affected":"1.1.3"}],"cpe":"cpe:2.3:a:rubyonrails:active_record_session_store:*:*:*:*:*:ruby_on_rails:*:*","source":"CPE_FIELD"}}],"versions":["v0.0.1","v0.1.0","v0.1.1","v0.1.2","v1.0.0","v1.0.0.pre","v1.1.0","v1.1.1","v1.1.2","v1.1.3"],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2019-25025.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}