
Vulnerability_id VCID-csrd-u9cz-u7ak
Summary
Local File Inclusion in Rack::Static
## Summary

`Rack::Static` can serve files under the specified `root:` even if `urls:` are provided, which may expose other files under the specified `root:` unexpectedly.

## Details

The vulnerability occurs because `Rack::Static` does not properly sanitize user-supplied paths before serving files. Specifically, encoded path traversal sequences are not correctly validated, allowing attackers to access files outside the designated static file directory.

## Impact

By exploiting this vulnerability, an attacker can gain access to all files under the specified `root:` directory, provided they are able to determine the path of the file.

## Mitigation

- Update to the latest version of Rack, or
- Remove usage of `Rack::Static`, or
- Ensure that `root:` points at a directory path which only contains files which should be accessed publicly.

It is likely that a CDN or similar static file server would also mitigate the issue.
Aliases
0
alias CVE-2025-27610
1
alias GHSA-7wqh-767x-r66v
Fixed_packages
0
url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie
purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u2?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3nmb-xetr-6qbg
1
vulnerability VCID-6ydb-e746-vbd8
2
vulnerability VCID-e8ab-9br9-6ybt
3
vulnerability VCID-ewfc-rx8b-jfc4
4
vulnerability VCID-gnc7-wp69-h7ag
5
vulnerability VCID-h8af-h199-qqfz
6
vulnerability VCID-hpw3-uw3x-mqgq
7
vulnerability VCID-p3dy-qbad-q3ab
8
vulnerability VCID-pydr-47y4-y3fu
9
vulnerability VCID-r1hk-cy5k-9kad
10
vulnerability VCID-tc69-2tad-43cv
11
vulnerability VCID-u1u4-7b3v-fue7
12
vulnerability VCID-uh69-24kx-xucy
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u2%3Fdistro=trixie
1
url pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u3?distro=trixie
purl pkg:deb/debian/ruby-rack@2.1.4-3%2Bdeb11u3?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.1.4-3%252Bdeb11u3%3Fdistro=trixie
2
url pkg:deb/debian/ruby-rack@2.2.13-1~deb12u1?distro=trixie
purl pkg:deb/debian/ruby-rack@2.2.13-1~deb12u1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.13-1~deb12u1%3Fdistro=trixie
3
url pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie
purl pkg:deb/debian/ruby-rack@2.2.22-0%2Bdeb12u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3nmb-xetr-6qbg
1
vulnerability VCID-6ydb-e746-vbd8
2
vulnerability VCID-e8ab-9br9-6ybt
3
vulnerability VCID-ewfc-rx8b-jfc4
4
vulnerability VCID-gnc7-wp69-h7ag
5
vulnerability VCID-h8af-h199-qqfz
6
vulnerability VCID-hpw3-uw3x-mqgq
7
vulnerability VCID-p3dy-qbad-q3ab
8
vulnerability VCID-pydr-47y4-y3fu
9
vulnerability VCID-r1hk-cy5k-9kad
10
vulnerability VCID-tc69-2tad-43cv
11
vulnerability VCID-u1u4-7b3v-fue7
12
vulnerability VCID-uh69-24kx-xucy
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@2.2.22-0%252Bdeb12u1%3Fdistro=trixie
4
url pkg:deb/debian/ruby-rack@3.1.12-1?distro=trixie
purl pkg:deb/debian/ruby-rack@3.1.12-1?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.12-1%3Fdistro=trixie
5
url pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie
purl pkg:deb/debian/ruby-rack@3.1.20-0%2Bdeb13u1?distro=trixie
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3nmb-xetr-6qbg
1
vulnerability VCID-6ydb-e746-vbd8
2
vulnerability VCID-e8ab-9br9-6ybt
3
vulnerability VCID-ewfc-rx8b-jfc4
4
vulnerability VCID-gnc7-wp69-h7ag
5
vulnerability VCID-h8af-h199-qqfz
6
vulnerability VCID-hpw3-uw3x-mqgq
7
vulnerability VCID-p3dy-qbad-q3ab
8
vulnerability VCID-pydr-47y4-y3fu
9
vulnerability VCID-r1hk-cy5k-9kad
10
vulnerability VCID-tc69-2tad-43cv
11
vulnerability VCID-u1u4-7b3v-fue7
12
vulnerability VCID-uh69-24kx-xucy
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.1.20-0%252Bdeb13u1%3Fdistro=trixie
6
url pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
purl pkg:deb/debian/ruby-rack@3.2.6-2?distro=trixie
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:deb/debian/ruby-rack@3.2.6-2%3Fdistro=trixie
7
url pkg:gem/rack@2.2.13
purl pkg:gem/rack@2.2.13
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3jru-u17n-tyg1
1
vulnerability VCID-7cef-z5qm-afd8
2
vulnerability VCID-amfu-8d25-juhy
3
vulnerability VCID-bj83-rx84-v3g9
4
vulnerability VCID-dss4-6ptr-83av
5
vulnerability VCID-e11g-k7zm-vkhu
6
vulnerability VCID-k8fr-zuyx-yyhg
7
vulnerability VCID-x373-rhh4-7khm
8
vulnerability VCID-xpa3-1n87-8ucv
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.13
8
url pkg:gem/rack@3.0.14
purl pkg:gem/rack@3.0.14
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3jru-u17n-tyg1
1
vulnerability VCID-7cef-z5qm-afd8
2
vulnerability VCID-bj83-rx84-v3g9
3
vulnerability VCID-dss4-6ptr-83av
4
vulnerability VCID-e11g-k7zm-vkhu
5
vulnerability VCID-k8fr-zuyx-yyhg
6
vulnerability VCID-x373-rhh4-7khm
7
vulnerability VCID-xpa3-1n87-8ucv
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.14
9
url pkg:gem/rack@3.1.12
purl pkg:gem/rack@3.1.12
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3jru-u17n-tyg1
1
vulnerability VCID-7cef-z5qm-afd8
2
vulnerability VCID-bj83-rx84-v3g9
3
vulnerability VCID-dss4-6ptr-83av
4
vulnerability VCID-e11g-k7zm-vkhu
5
vulnerability VCID-k8fr-zuyx-yyhg
6
vulnerability VCID-x373-rhh4-7khm
7
vulnerability VCID-xpa3-1n87-8ucv
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.12
Affected_packages
0
url pkg:gem/rack@2.3
purl pkg:gem/rack@2.3
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3jru-u17n-tyg1
1
vulnerability VCID-3nmb-xetr-6qbg
2
vulnerability VCID-6ydb-e746-vbd8
3
vulnerability VCID-bj83-rx84-v3g9
4
vulnerability VCID-csrd-u9cz-u7ak
5
vulnerability VCID-dss4-6ptr-83av
6
vulnerability VCID-e11g-k7zm-vkhu
7
vulnerability VCID-e8ab-9br9-6ybt
8
vulnerability VCID-ewfc-rx8b-jfc4
9
vulnerability VCID-h8af-h199-qqfz
10
vulnerability VCID-k8fr-zuyx-yyhg
11
vulnerability VCID-p1cf-naeh-bbgx
12
vulnerability VCID-p3dy-qbad-q3ab
13
vulnerability VCID-r1hk-cy5k-9kad
14
vulnerability VCID-tc69-2tad-43cv
15
vulnerability VCID-uh69-24kx-xucy
16
vulnerability VCID-vk15-7qdb-xkh9
17
vulnerability VCID-x373-rhh4-7khm
18
vulnerability VCID-xpa3-1n87-8ucv
19
vulnerability VCID-y6nj-8y3j-hbfw
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.3
1
url pkg:gem/rack@3.0
purl pkg:gem/rack@3.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3jru-u17n-tyg1
1
vulnerability VCID-csrd-u9cz-u7ak
2
vulnerability VCID-e11g-k7zm-vkhu
3
vulnerability VCID-p1cf-naeh-bbgx
4
vulnerability VCID-vk15-7qdb-xkh9
5
vulnerability VCID-y6nj-8y3j-hbfw
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0
2
url pkg:gem/rack@3.1
purl pkg:gem/rack@3.1
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-csrd-u9cz-u7ak
1
vulnerability VCID-dss4-6ptr-83av
2
vulnerability VCID-k8fr-zuyx-yyhg
3
vulnerability VCID-p1cf-naeh-bbgx
4
vulnerability VCID-vk15-7qdb-xkh9
5
vulnerability VCID-xpa3-1n87-8ucv
6
vulnerability VCID-y6nj-8y3j-hbfw
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1
3
url pkg:rpm/redhat/rubygem-rack@2.2.13-1?arch=el8sat
purl pkg:rpm/redhat/rubygem-rack@2.2.13-1?arch=el8sat
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-csrd-u9cz-u7ak
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/rubygem-rack@2.2.13-1%3Farch=el8sat
4
url pkg:rpm/redhat/rubygem-rack@2.2.13-1?arch=el9sat
purl pkg:rpm/redhat/rubygem-rack@2.2.13-1?arch=el9sat
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-csrd-u9cz-u7ak
resource_url http://public2.vulnerablecode.io/packages/pkg:rpm/redhat/rubygem-rack@2.2.13-1%3Farch=el9sat
References
0
reference_url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27610.json
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2025-27610.json
1
reference_url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
url https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml
2
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack
3
reference_url https://github.com/rack/rack/commit/50caab74fa01ee8f5dbdee7bb2782126d20c6583
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/commit/50caab74fa01ee8f5dbdee7bb2782126d20c6583
4
reference_url https://github.com/rack/rack/security/advisories/GHSA-7wqh-767x-r66v
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3
scoring_elements
1
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
2
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rack/rack/security/advisories/GHSA-7wqh-767x-r66v
5
reference_url https://lists.debian.org/debian-lts-announce/2025/03/msg00016.html
reference_id
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://lists.debian.org/debian-lts-announce/2025/03/msg00016.html
6
reference_url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100444
reference_id 1100444
reference_type
scores
url https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1100444
7
reference_url https://bugzilla.redhat.com/show_bug.cgi?id=2351231
reference_id 2351231
reference_type
scores
url https://bugzilla.redhat.com/show_bug.cgi?id=2351231
8
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-27610
reference_id CVE-2025-27610
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://nvd.nist.gov/vuln/detail/CVE-2025-27610
9
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-27610.yml
reference_id CVE-2025-27610.YML
reference_type
scores
0
value 7.5
scoring_system cvssv3.1
scoring_elements CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
1
value HIGH
scoring_system generic_textual
scoring_elements
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-27610.yml
10
reference_url https://github.com/advisories/GHSA-7wqh-767x-r66v
reference_id GHSA-7wqh-767x-r66v
reference_type
scores
url https://github.com/advisories/GHSA-7wqh-767x-r66v
11
reference_url https://access.redhat.com/errata/RHSA-2025:3448
reference_id RHSA-2025:3448
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:3448
12
reference_url https://access.redhat.com/errata/RHSA-2025:3490
reference_id RHSA-2025:3490
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:3490
13
reference_url https://access.redhat.com/errata/RHSA-2025:3491
reference_id RHSA-2025:3491
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:3491
14
reference_url https://access.redhat.com/errata/RHSA-2025:3492
reference_id RHSA-2025:3492
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:3492
15
reference_url https://access.redhat.com/errata/RHSA-2025:3906
reference_id RHSA-2025:3906
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:3906
16
reference_url https://access.redhat.com/errata/RHSA-2025:4576
reference_id RHSA-2025:4576
reference_type
scores
url https://access.redhat.com/errata/RHSA-2025:4576
Weaknesses
0
cwe_id 23
name Relative Path Traversal
description The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as .. that can resolve to a location that is outside of that directory.
1
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
2
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
Exploits
Severity_range_score 7.0 - 8.9
Exploitability 0.5
Weighted_severity 8.0
Risk_score 4.0
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-csrd-u9cz-u7ak