VulnerableCode Package Details - pkg:gem/rack@2.2.20

Search for packages

Vulnerability	Summary	Fixed by
VCID-9rpp-9xss-duf6 Aliases: CVE-2026-22860 GHSA-mxw3-3hh2-x2mh	Rack has a Directory Traversal via Rack:Directory ## Summary `Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. ## Details In `directory.rb`, `File.expand_path(File.join(root, path_info)).start_with?(root)` does not enforce a path boundary. If the server root is `/var/www/root`, a path like `/var/www/root_backup` passes the check because it shares the same prefix, so `Rack::Directory` will list that directory also. ## Impact Information disclosure via directory listing outside the configured root when `Rack::Directory` is exposed to untrusted clients and a directory shares the root prefix (e.g., `public2`, `www_backup`). ## Mitigation * Update to a patched version of Rack that correctly checks the root prefix. * Don't name directories with the same prefix as one which is exposed via `Rack::Directory`.	2.2.22 Affected by 0 other vulnerabilities. 3.1.20 Affected by 0 other vulnerabilities. 3.2.5 Affected by 0 other vulnerabilities.
VCID-skxv-7he3-xqgc Aliases: CVE-2026-25500 GHSA-whrj-4476-wvmp	Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href ## Summary `Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename begins with the `javascript:` scheme (e.g. `javascript:alert(1)`), the generated index includes an anchor whose `href` attribute is exactly `javascript:alert(1)`. Clicking this entry executes arbitrary JavaScript in the context of the hosting application. This results in a client-side XSS condition in directory listings generated by `Rack::Directory`. ## Details `Rack::Directory` renders directory entries using an HTML row template similar to: ```html <a href='%s'>%s</a> ``` The `%s` placeholder is populated directly with the file’s basename. If the basename begins with `javascript:`, the resulting HTML contains an executable JavaScript URL: ```html <a href='javascript:alert(1)'>javascript:alert(1)</a> ``` Because the value is inserted directly into the `href` attribute without scheme validation or normalization, browsers interpret it as a JavaScript URI. When a user clicks the link, the JavaScript executes in the origin of the Rack application. ## Impact If `Rack::Directory` is used to expose filesystem contents over HTTP, an attacker who can create or upload files within that directory may introduce a malicious filename beginning with `javascript:`. When a user visits the directory listing and clicks the entry, arbitrary JavaScript executes in the application's origin. Exploitation requires user interaction (clicking the malicious entry). ## Mitigation * Update to a patched version of Rack in which `Rack::Directory` prefixes generated anchors with a relative path indicator (e.g. `./filename`). * Avoid exposing user-controlled directories via `Rack::Directory`. * Apply a strict Content Security Policy (CSP) to reduce impact of potential client-side execution issues. * Where feasible, restrict or sanitize uploaded filenames to disallow dangerous URI scheme prefixes. HackerOne profile: https://hackerone.com/thesmartshadow GitHub account owner: Ali Firas (@thesmartshadow)	2.2.22 Affected by 0 other vulnerabilities. 3.1.20 Affected by 0 other vulnerabilities. 3.2.5 Affected by 0 other vulnerabilities.

Vulnerability

Summary

Fixed by

VCID-9rpp-9xss-duf6
Aliases:
CVE-2026-22860
GHSA-mxw3-3hh2-x2mh

Rack has a Directory Traversal via Rack:Directory ## Summary `Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. ## Details In `directory.rb`, `File.expand_path(File.join(root, path_info)).start_with?(root)` does not enforce a path boundary. If the server root is `/var/www/root`, a path like `/var/www/root_backup` passes the check because it shares the same prefix, so `Rack::Directory` will list that directory also. ## Impact Information disclosure via directory listing outside the configured root when `Rack::Directory` is exposed to untrusted clients and a directory shares the root prefix (e.g., `public2`, `www_backup`). ## Mitigation * Update to a patched version of Rack that correctly checks the root prefix. * Don't name directories with the same prefix as one which is exposed via `Rack::Directory`.

2.2.22
Affected by 0 other vulnerabilities.

3.1.20
Affected by 0 other vulnerabilities.

3.2.5
Affected by 0 other vulnerabilities.

VCID-skxv-7he3-xqgc
Aliases:
CVE-2026-25500
GHSA-whrj-4476-wvmp

Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href ## Summary `Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename begins with the `javascript:` scheme (e.g. `javascript:alert(1)`), the generated index includes an anchor whose `href` attribute is exactly `javascript:alert(1)`. Clicking this entry executes arbitrary JavaScript in the context of the hosting application. This results in a client-side XSS condition in directory listings generated by `Rack::Directory`. ## Details `Rack::Directory` renders directory entries using an HTML row template similar to: ```html <a href='%s'>%s</a> ``` The `%s` placeholder is populated directly with the file’s basename. If the basename begins with `javascript:`, the resulting HTML contains an executable JavaScript URL: ```html <a href='javascript:alert(1)'>javascript:alert(1)</a> ``` Because the value is inserted directly into the `href` attribute without scheme validation or normalization, browsers interpret it as a JavaScript URI. When a user clicks the link, the JavaScript executes in the origin of the Rack application. ## Impact If `Rack::Directory` is used to expose filesystem contents over HTTP, an attacker who can create or upload files within that directory may introduce a malicious filename beginning with `javascript:`. When a user visits the directory listing and clicks the entry, arbitrary JavaScript executes in the application's origin. Exploitation requires user interaction (clicking the malicious entry). ## Mitigation * Update to a patched version of Rack in which `Rack::Directory` prefixes generated anchors with a relative path indicator (e.g. `./filename`). * Avoid exposing user-controlled directories via `Rack::Directory`. * Apply a strict Content Security Policy (CSP) to reduce impact of potential client-side execution issues. * Where feasible, restrict or sanitize uploaded filenames to disallow dangerous URI scheme prefixes. HackerOne profile: https://hackerone.com/thesmartshadow GitHub account owner: Ali Firas (@thesmartshadow)

2.2.22
Affected by 0 other vulnerabilities.

3.1.20
Affected by 0 other vulnerabilities.

3.2.5
Affected by 0 other vulnerabilities.

Vulnerability	Summary	Aliases
VCID-d58r-22kr-9bct	Rack has a Possible Information Disclosure Vulnerability A possible information disclosure vulnerability existed in `Rack::Sendfile` when running behind a proxy that supports `x-sendfile` headers (such as Nginx). Specially crafted headers could cause `Rack::Sendfile` to miscommunicate with the proxy and trigger unintended internal requests, potentially bypassing proxy-level access restrictions.	CVE-2025-61780 GHSA-r657-rxjc-j557
VCID-s971-gkdg-jkhc	Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing `Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion.	CVE-2025-61919 GHSA-6xw4-3v39-52mm

Vulnerability

Summary

Aliases

VCID-d58r-22kr-9bct

Rack has a Possible Information Disclosure Vulnerability A possible information disclosure vulnerability existed in `Rack::Sendfile` when running behind a proxy that supports `x-sendfile` headers (such as Nginx). Specially crafted headers could cause `Rack::Sendfile` to miscommunicate with the proxy and trigger unintended internal requests, potentially bypassing proxy-level access restrictions.

CVE-2025-61780
GHSA-r657-rxjc-j557

VCID-s971-gkdg-jkhc

Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing `Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion.

CVE-2025-61919
GHSA-6xw4-3v39-52mm

Date	Actor	Action	Vulnerability	Source	VulnerableCode Version
2026-04-12T01:42:22.777384+00:00	GitLab Importer	Affected by	VCID-9rpp-9xss-duf6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rack/CVE-2026-22860.yml	38.3.0
2026-04-12T01:42:12.968144+00:00	GitLab Importer	Affected by	VCID-skxv-7he3-xqgc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rack/CVE-2026-25500.yml	38.3.0
2026-04-03T01:51:15.546452+00:00	GitLab Importer	Affected by	VCID-9rpp-9xss-duf6	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rack/CVE-2026-22860.yml	38.1.0
2026-04-03T01:51:06.393674+00:00	GitLab Importer	Affected by	VCID-skxv-7he3-xqgc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rack/CVE-2026-25500.yml	38.1.0
2026-04-01T16:06:49.492832+00:00	GHSA Importer	Fixing	VCID-s971-gkdg-jkhc	https://github.com/advisories/GHSA-6xw4-3v39-52mm	38.0.0
2026-04-01T16:06:49.460807+00:00	GHSA Importer	Fixing	VCID-d58r-22kr-9bct	https://github.com/advisories/GHSA-r657-rxjc-j557	38.0.0
2026-04-01T12:54:40.400540+00:00	GithubOSV Importer	Fixing	VCID-s971-gkdg-jkhc	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-6xw4-3v39-52mm/GHSA-6xw4-3v39-52mm.json	38.0.0
2026-04-01T12:54:32.393365+00:00	GithubOSV Importer	Fixing	VCID-d58r-22kr-9bct	https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2025/10/GHSA-r657-rxjc-j557/GHSA-r657-rxjc-j557.json	38.0.0
2026-04-01T12:52:59.310692+00:00	GitLab Importer	Fixing	VCID-d58r-22kr-9bct	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rack/CVE-2025-61780.yml	38.0.0
2026-04-01T12:52:59.177305+00:00	GitLab Importer	Fixing	VCID-s971-gkdg-jkhc	https://gitlab.com/gitlab-org/advisories-community/-/blob/main/gem/rack/CVE-2025-61919.yml	38.0.0