| 0 |
| url |
VCID-35e6-cpn8-w7h1 |
| vulnerability_id |
VCID-35e6-cpn8-w7h1 |
| summary |
Symlink path traversal in Rack::File
Affected versions allow remote attackers to access arbitrary files outside the intended root directory via a crafted PATH_INFO environment variable; this is most likely a remotely exploitable directory traversal, aka "symlink path traversals." |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2013-0262 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.01256 |
| scoring_system |
epss |
| scoring_elements |
0.79409 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.01256 |
| scoring_system |
epss |
| scoring_elements |
0.79377 |
| published_at |
2026-04-13T12:55:00Z |
|
| 2 |
| value |
0.01256 |
| scoring_system |
epss |
| scoring_elements |
0.79359 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.01256 |
| scoring_system |
epss |
| scoring_elements |
0.79345 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.01256 |
| scoring_system |
epss |
| scoring_elements |
0.79329 |
| published_at |
2026-04-01T12:55:00Z |
|
| 5 |
| value |
0.01256 |
| scoring_system |
epss |
| scoring_elements |
0.79335 |
| published_at |
2026-04-02T12:55:00Z |
|
| 6 |
| value |
0.01256 |
| scoring_system |
epss |
| scoring_elements |
0.79388 |
| published_at |
2026-04-12T12:55:00Z |
|
| 7 |
| value |
0.01256 |
| scoring_system |
epss |
| scoring_elements |
0.79403 |
| published_at |
2026-04-11T12:55:00Z |
|
| 8 |
| value |
0.01256 |
| scoring_system |
epss |
| scoring_elements |
0.7938 |
| published_at |
2026-04-09T12:55:00Z |
|
| 9 |
| value |
0.01256 |
| scoring_system |
epss |
| scoring_elements |
0.79371 |
| published_at |
2026-04-08T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2013-0262 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@1.4.5 |
| purl |
pkg:gem/rack@1.4.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3ycr-9smk-uqdc |
|
| 1 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 2 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 3 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 4 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 5 |
| vulnerability |
VCID-8zkw-y3yd-yuft |
|
| 6 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 7 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 8 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 9 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 10 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 11 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 12 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 13 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 14 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 15 |
| vulnerability |
VCID-jxws-ws21-4uaa |
|
| 16 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 17 |
| vulnerability |
VCID-qt1u-2p37-xfet |
|
| 18 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 19 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 20 |
| vulnerability |
VCID-udc4-7jnt-y3fu |
|
| 21 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 22 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 23 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 24 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 25 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
| 26 |
| vulnerability |
VCID-xnz5-gv2x-17bk |
|
| 27 |
| vulnerability |
VCID-yw62-qbkq-9ygq |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@1.4.5 |
|
| 1 |
| url |
pkg:gem/rack@1.5.0.beta.1 |
| purl |
pkg:gem/rack@1.5.0.beta.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-35e6-cpn8-w7h1 |
|
| 1 |
| vulnerability |
VCID-3ycr-9smk-uqdc |
|
| 2 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 3 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 4 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 5 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 6 |
| vulnerability |
VCID-8zkw-y3yd-yuft |
|
| 7 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 8 |
| vulnerability |
VCID-9uh8-upzm-7bgd |
|
| 9 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 10 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 11 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 12 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 13 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 14 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 15 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 16 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 17 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 18 |
| vulnerability |
VCID-qt1u-2p37-xfet |
|
| 19 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 20 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 21 |
| vulnerability |
VCID-udc4-7jnt-y3fu |
|
| 22 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 23 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 24 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 25 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 26 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
| 27 |
| vulnerability |
VCID-xnz5-gv2x-17bk |
|
| 28 |
| vulnerability |
VCID-y12d-fjpf-uubh |
|
| 29 |
| vulnerability |
VCID-yw62-qbkq-9ygq |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@1.5.0.beta.1 |
|
| 2 |
| url |
pkg:gem/rack@1.5.2 |
| purl |
pkg:gem/rack@1.5.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3ycr-9smk-uqdc |
|
| 1 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 2 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 3 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 4 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 5 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 6 |
| vulnerability |
VCID-8zkw-y3yd-yuft |
|
| 7 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 8 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 9 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 10 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 11 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 12 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 13 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 14 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 15 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 16 |
| vulnerability |
VCID-jxws-ws21-4uaa |
|
| 17 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 18 |
| vulnerability |
VCID-qt1u-2p37-xfet |
|
| 19 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 20 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 21 |
| vulnerability |
VCID-udc4-7jnt-y3fu |
|
| 22 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 23 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 24 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 25 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 26 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
| 27 |
| vulnerability |
VCID-xnz5-gv2x-17bk |
|
| 28 |
| vulnerability |
VCID-yw62-qbkq-9ygq |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@1.5.2 |
|
|
| aliases |
CVE-2013-0262, GHSA-85r7-w5mv-c849, OSV-89938
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-35e6-cpn8-w7h1 |
|
| 1 |
| url |
VCID-3ycr-9smk-uqdc |
| vulnerability_id |
VCID-3ycr-9smk-uqdc |
| summary |
Potential Denial of Service Vulnerability
Carefully crafted requests can raise a `SystemStackError`, potentially resulting in a denial of service. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2015-3225 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.10456 |
| scoring_system |
epss |
| scoring_elements |
0.93218 |
| published_at |
2026-04-07T12:55:00Z |
|
| 1 |
| value |
0.10456 |
| scoring_system |
epss |
| scoring_elements |
0.93251 |
| published_at |
2026-04-16T12:55:00Z |
|
| 2 |
| value |
0.10456 |
| scoring_system |
epss |
| scoring_elements |
0.93234 |
| published_at |
2026-04-13T12:55:00Z |
|
| 3 |
| value |
0.10456 |
| scoring_system |
epss |
| scoring_elements |
0.93232 |
| published_at |
2026-04-12T12:55:00Z |
|
| 4 |
| value |
0.10456 |
| scoring_system |
epss |
| scoring_elements |
0.93235 |
| published_at |
2026-04-11T12:55:00Z |
|
| 5 |
| value |
0.10456 |
| scoring_system |
epss |
| scoring_elements |
0.93231 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.10456 |
| scoring_system |
epss |
| scoring_elements |
0.93227 |
| published_at |
2026-04-08T12:55:00Z |
|
| 7 |
| value |
0.10456 |
| scoring_system |
epss |
| scoring_elements |
0.93207 |
| published_at |
2026-04-01T12:55:00Z |
|
| 8 |
| value |
0.10456 |
| scoring_system |
epss |
| scoring_elements |
0.93216 |
| published_at |
2026-04-02T12:55:00Z |
|
| 9 |
| value |
0.10456 |
| scoring_system |
epss |
| scoring_elements |
0.9322 |
| published_at |
2026-04-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2015-3225 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@1.4.6 |
| purl |
pkg:gem/rack@1.4.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 4 |
| vulnerability |
VCID-8zkw-y3yd-yuft |
|
| 5 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 6 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 7 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 8 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 9 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 10 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 11 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 12 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 13 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 14 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 15 |
| vulnerability |
VCID-qt1u-2p37-xfet |
|
| 16 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 17 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 18 |
| vulnerability |
VCID-udc4-7jnt-y3fu |
|
| 19 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 20 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 21 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 22 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 23 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
| 24 |
| vulnerability |
VCID-xnz5-gv2x-17bk |
|
| 25 |
| vulnerability |
VCID-yw62-qbkq-9ygq |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@1.4.6 |
|
| 1 |
| url |
pkg:gem/rack@1.5.0.beta.1 |
| purl |
pkg:gem/rack@1.5.0.beta.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-35e6-cpn8-w7h1 |
|
| 1 |
| vulnerability |
VCID-3ycr-9smk-uqdc |
|
| 2 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 3 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 4 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 5 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 6 |
| vulnerability |
VCID-8zkw-y3yd-yuft |
|
| 7 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 8 |
| vulnerability |
VCID-9uh8-upzm-7bgd |
|
| 9 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 10 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 11 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 12 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 13 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 14 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 15 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 16 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 17 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 18 |
| vulnerability |
VCID-qt1u-2p37-xfet |
|
| 19 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 20 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 21 |
| vulnerability |
VCID-udc4-7jnt-y3fu |
|
| 22 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 23 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 24 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 25 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 26 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
| 27 |
| vulnerability |
VCID-xnz5-gv2x-17bk |
|
| 28 |
| vulnerability |
VCID-y12d-fjpf-uubh |
|
| 29 |
| vulnerability |
VCID-yw62-qbkq-9ygq |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@1.5.0.beta.1 |
|
| 2 |
| url |
pkg:gem/rack@1.5.4 |
| purl |
pkg:gem/rack@1.5.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 2 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 3 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 4 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 5 |
| vulnerability |
VCID-8zkw-y3yd-yuft |
|
| 6 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 7 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 8 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 9 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 10 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 11 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 12 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 13 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 14 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 15 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 16 |
| vulnerability |
VCID-qt1u-2p37-xfet |
|
| 17 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 18 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 19 |
| vulnerability |
VCID-udc4-7jnt-y3fu |
|
| 20 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 21 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 22 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 23 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 24 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
| 25 |
| vulnerability |
VCID-xnz5-gv2x-17bk |
|
| 26 |
| vulnerability |
VCID-yw62-qbkq-9ygq |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@1.5.4 |
|
| 3 |
| url |
pkg:gem/rack@1.6.0.beta |
| purl |
pkg:gem/rack@1.6.0.beta |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3ycr-9smk-uqdc |
|
| 1 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 2 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 3 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 4 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 5 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 6 |
| vulnerability |
VCID-8zkw-y3yd-yuft |
|
| 7 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 8 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 9 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 10 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 11 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 12 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 13 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 14 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 15 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 16 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 17 |
| vulnerability |
VCID-qt1u-2p37-xfet |
|
| 18 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 19 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 20 |
| vulnerability |
VCID-udc4-7jnt-y3fu |
|
| 21 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 22 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 23 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 24 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 25 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
| 26 |
| vulnerability |
VCID-xnz5-gv2x-17bk |
|
| 27 |
| vulnerability |
VCID-yw62-qbkq-9ygq |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@1.6.0.beta |
|
| 4 |
| url |
pkg:gem/rack@1.6.2 |
| purl |
pkg:gem/rack@1.6.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 2 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 3 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 4 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 5 |
| vulnerability |
VCID-8zkw-y3yd-yuft |
|
| 6 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 7 |
| vulnerability |
VCID-9xy8-h3y1-mubv |
|
| 8 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 9 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 10 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 11 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 12 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 13 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 14 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 15 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 16 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 17 |
| vulnerability |
VCID-qt1u-2p37-xfet |
|
| 18 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 19 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 20 |
| vulnerability |
VCID-udc4-7jnt-y3fu |
|
| 21 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 22 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 23 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 24 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 25 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
| 26 |
| vulnerability |
VCID-xnz5-gv2x-17bk |
|
| 27 |
| vulnerability |
VCID-yw62-qbkq-9ygq |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@1.6.2 |
|
|
| aliases |
CVE-2015-3225, GHSA-rgr4-9jh5-j4j6
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-3ycr-9smk-uqdc |
|
| 2 |
| url |
VCID-47ja-djzb-2bbw |
| vulnerability_id |
VCID-47ja-djzb-2bbw |
| summary |
Rack has an Unbounded-Parameter DoS in Rack::QueryParser
## Summary
`Rack::QueryParser` parses query strings and `application/x-www-form-urlencoded` bodies into Ruby data structures without imposing any limit on the number of parameters, allowing attackers to send requests with extremely large numbers of parameters.
## Details
The vulnerability arises because `Rack::QueryParser` iterates over each `&`-separated key-value pair and adds it to a Hash without enforcing an upper bound on the total number of parameters. This allows an attacker to send a single request containing hundreds of thousands (or more) of parameters, which consumes excessive memory and CPU during parsing.
## Impact
An attacker can trigger denial of service by sending specifically crafted HTTP requests, which can cause memory exhaustion or pin CPU resources, stalling or crashing the Rack server. This results in full service disruption until the affected worker is restarted.
## Mitigation
- Update to a version of Rack that limits the number of parameters parsed, or
- Use middleware to enforce a maximum query string size or parameter count, or
- Employ a reverse proxy (such as Nginx) to limit request sizes and reject oversized query strings or bodies.
Limiting request body sizes and query string lengths at the web server or CDN level is an effective mitigation; note that both the query string and `application/x-www-form-urlencoded` bodies reach the same parser, so a limit applied to only one of them leaves the other vector open. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-46727 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00808 |
| scoring_system |
epss |
| scoring_elements |
0.74239 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00808 |
| scoring_system |
epss |
| scoring_elements |
0.74202 |
| published_at |
2026-04-13T12:55:00Z |
|
| 2 |
| value |
0.00808 |
| scoring_system |
epss |
| scoring_elements |
0.74209 |
| published_at |
2026-04-12T12:55:00Z |
|
| 3 |
| value |
0.00808 |
| scoring_system |
epss |
| scoring_elements |
0.74227 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.00808 |
| scoring_system |
epss |
| scoring_elements |
0.74205 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00808 |
| scoring_system |
epss |
| scoring_elements |
0.7419 |
| published_at |
2026-04-08T12:55:00Z |
|
| 6 |
| value |
0.00808 |
| scoring_system |
epss |
| scoring_elements |
0.74157 |
| published_at |
2026-04-07T12:55:00Z |
|
| 7 |
| value |
0.00808 |
| scoring_system |
epss |
| scoring_elements |
0.74185 |
| published_at |
2026-04-04T12:55:00Z |
|
| 8 |
| value |
0.00808 |
| scoring_system |
epss |
| scoring_elements |
0.74158 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-46727 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-46727, GHSA-gjh7-p2fx-99vx
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-47ja-djzb-2bbw |
|
| 3 |
| url |
VCID-7p12-ejdu-uqgy |
| vulnerability_id |
VCID-7p12-ejdu-uqgy |
| summary |
Escape Sequence Injection vulnerability in Rack leads to Possible Log Injection
## Summary
`Rack::Sendfile` can be exploited by crafting input that includes newline characters to manipulate log entries.
## Details
The `Rack::Sendfile` middleware logs unsanitized header values from the `X-Sendfile-Type` header. An attacker can exploit this by injecting escape sequences (such as newline characters) into the header, resulting in log injection.
## Impact
This vulnerability can distort log files, obscure attack traces, and complicate security auditing.
## Mitigation
- Update to a patched Rack release (this entry lists 2.2.12, 3.0.13 and 3.1.11 among the fixed packages), or
- Remove usage of `Rack::Sendfile`. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-27111 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00429 |
| scoring_system |
epss |
| scoring_elements |
0.62431 |
| published_at |
2026-04-02T12:55:00Z |
|
| 1 |
| value |
0.00429 |
| scoring_system |
epss |
| scoring_elements |
0.62429 |
| published_at |
2026-04-07T12:55:00Z |
|
| 2 |
| value |
0.00429 |
| scoring_system |
epss |
| scoring_elements |
0.62462 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00429 |
| scoring_system |
epss |
| scoring_elements |
0.62516 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.00429 |
| scoring_system |
epss |
| scoring_elements |
0.62496 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00429 |
| scoring_system |
epss |
| scoring_elements |
0.6248 |
| published_at |
2026-04-08T12:55:00Z |
|
| 6 |
| value |
0.00575 |
| scoring_system |
epss |
| scoring_elements |
0.68747 |
| published_at |
2026-04-13T12:55:00Z |
|
| 7 |
| value |
0.00604 |
| scoring_system |
epss |
| scoring_elements |
0.6959 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00668 |
| scoring_system |
epss |
| scoring_elements |
0.7132 |
| published_at |
2026-04-16T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-27111 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://github.com/rack/rack |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 1 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/rack/rack |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
| reference_url |
https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 1 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N |
|
| 2 |
| value |
6.9 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
|
| 3 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 4 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2025-03-04T15:44:28Z/ |
|
|
| url |
https://github.com/rack/rack/security/advisories/GHSA-8cgq-6mh2-7j6v |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@2.2.12 |
| purl |
pkg:gem/rack@2.2.12 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 2 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 3 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 4 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 5 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 6 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 7 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 8 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 9 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 10 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 11 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.12 |
|
| 1 |
| url |
pkg:gem/rack@3.0.0.beta1 |
| purl |
pkg:gem/rack@3.0.0.beta1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1j61-5e8x-7fbd |
|
| 1 |
| vulnerability |
VCID-2p73-rc9t-rudb |
|
| 2 |
| vulnerability |
VCID-2qba-a6bp-ryak |
|
| 3 |
| vulnerability |
VCID-5twm-pqc2-xyfn |
|
| 4 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 5 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 6 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 7 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 8 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 9 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 10 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 11 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 12 |
| vulnerability |
VCID-dh75-6jyw-1ke2 |
|
| 13 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 14 |
| vulnerability |
VCID-j34j-bgfd-8fez |
|
| 15 |
| vulnerability |
VCID-jg77-mm5c-gydu |
|
| 16 |
| vulnerability |
VCID-m98a-mcyb-c7fm |
|
| 17 |
| vulnerability |
VCID-metf-cghw-p3b5 |
|
| 18 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 19 |
| vulnerability |
VCID-p3dk-p1gb-kkem |
|
| 20 |
| vulnerability |
VCID-pbu7-4hdm-s3a6 |
|
| 21 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 22 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 23 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 24 |
| vulnerability |
VCID-wvs1-dhwp-ebat |
|
| 25 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.0.beta1 |
|
| 2 |
| url |
pkg:gem/rack@3.0.13 |
| purl |
pkg:gem/rack@3.0.13 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 2 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 3 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 4 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 5 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 6 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 7 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 8 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 9 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.13 |
|
| 3 |
| url |
pkg:gem/rack@3.1.11 |
| purl |
pkg:gem/rack@3.1.11 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 2 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 3 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 4 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 5 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 6 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 7 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 8 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 9 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.11 |
|
|
| aliases |
CVE-2025-27111, GHSA-8cgq-6mh2-7j6v
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7p12-ejdu-uqgy |
|
| 4 |
| url |
VCID-7wvj-9h3p-23am |
| vulnerability_id |
VCID-7wvj-9h3p-23am |
| summary |
ReDoS Vulnerability in Rack::Multipart handle_mime_head
### Summary
There is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This is very similar to the previous security issue CVE-2022-44571.
### Details
Carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpectedly long time, possibly resulting in a denial of service attack vector. This header is typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted.
### Credits
Thanks to [scyoon](https://hackerone.com/scyoon) for reporting this to the Rails security team |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-49007 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00569 |
| scoring_system |
epss |
| scoring_elements |
0.686 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00569 |
| scoring_system |
epss |
| scoring_elements |
0.6851 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00569 |
| scoring_system |
epss |
| scoring_elements |
0.68528 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.00569 |
| scoring_system |
epss |
| scoring_elements |
0.68507 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00569 |
| scoring_system |
epss |
| scoring_elements |
0.68558 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00569 |
| scoring_system |
epss |
| scoring_elements |
0.68576 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00569 |
| scoring_system |
epss |
| scoring_elements |
0.68602 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00569 |
| scoring_system |
epss |
| scoring_elements |
0.6859 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00569 |
| scoring_system |
epss |
| scoring_elements |
0.6856 |
| published_at |
2026-04-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-49007 |
|
| 2 |
|
| 3 |
| reference_url |
https://github.com/rack/rack |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.6 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:U |
|
| 1 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/rack/rack |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-49007, GHSA-47m2-26rw-j2jw
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7wvj-9h3p-23am |
|
| 5 |
| url |
VCID-7zgg-tvu3-r7gt |
| vulnerability_id |
VCID-7zgg-tvu3-r7gt |
| summary |
Rack vulnerable to ReDoS in content type parsing (2nd degree polynomial)
### Summary
```ruby
module Rack
class MediaType
SPLIT_PATTERN = %r{\s*[;,]\s*}
```
The above regexp is subject to ReDoS: 50K blank characters as a prefix to the header will take over 10s to split.
### PoC
A simple HTTP request with lots of blank characters in the content-type header:
```ruby
request["Content-Type"] = (" " * 50_000) + "a,"
```
### Impact
It's a very easy-to-craft ReDoS. As with all ReDoS, the impact is debatable. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-25126 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00371 |
| scoring_system |
epss |
| scoring_elements |
0.58929 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00371 |
| scoring_system |
epss |
| scoring_elements |
0.58895 |
| published_at |
2026-04-13T12:55:00Z |
|
| 2 |
| value |
0.00371 |
| scoring_system |
epss |
| scoring_elements |
0.58915 |
| published_at |
2026-04-12T12:55:00Z |
|
| 3 |
| value |
0.00371 |
| scoring_system |
epss |
| scoring_elements |
0.58932 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.0045 |
| scoring_system |
epss |
| scoring_elements |
0.63673 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.0045 |
| scoring_system |
epss |
| scoring_elements |
0.63621 |
| published_at |
2026-04-07T12:55:00Z |
|
| 6 |
| value |
0.0045 |
| scoring_system |
epss |
| scoring_elements |
0.63689 |
| published_at |
2026-04-09T12:55:00Z |
|
| 7 |
| value |
0.00463 |
| scoring_system |
epss |
| scoring_elements |
0.64281 |
| published_at |
2026-04-04T12:55:00Z |
|
| 8 |
| value |
0.00463 |
| scoring_system |
epss |
| scoring_elements |
0.64253 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-25126 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@2.2.8.1 |
| purl |
pkg:gem/rack@2.2.8.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 4 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 5 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 6 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 7 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 8 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 9 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 10 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 11 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 12 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 13 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.8.1 |
|
| 1 |
| url |
pkg:gem/rack@3.0.9.1 |
| purl |
pkg:gem/rack@3.0.9.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 4 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 5 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 6 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 7 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 8 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 9 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 10 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 11 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.9.1 |
|
|
| aliases |
CVE-2024-25126, GHSA-22f2-v57c-j9cx
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-7zgg-tvu3-r7gt |
|
| 6 |
| url |
VCID-8zkw-y3yd-yuft |
| vulnerability_id |
VCID-8zkw-y3yd-yuft |
| summary |
Directory traversal in Rack::Directory app bundled with Rack
A directory traversal vulnerability exists in rack < 2.2.0 that allows an attacker to perform directory traversal in the Rack::Directory app bundled with Rack, which could result in information disclosure. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-8161 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00907 |
| scoring_system |
epss |
| scoring_elements |
0.75797 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00907 |
| scoring_system |
epss |
| scoring_elements |
0.75759 |
| published_at |
2026-04-13T12:55:00Z |
|
| 2 |
| value |
0.00907 |
| scoring_system |
epss |
| scoring_elements |
0.75765 |
| published_at |
2026-04-12T12:55:00Z |
|
| 3 |
| value |
0.00907 |
| scoring_system |
epss |
| scoring_elements |
0.75784 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.00907 |
| scoring_system |
epss |
| scoring_elements |
0.7576 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00907 |
| scoring_system |
epss |
| scoring_elements |
0.75749 |
| published_at |
2026-04-08T12:55:00Z |
|
| 6 |
| value |
0.00907 |
| scoring_system |
epss |
| scoring_elements |
0.75735 |
| published_at |
2026-04-04T12:55:00Z |
|
| 7 |
| value |
0.00907 |
| scoring_system |
epss |
| scoring_elements |
0.75705 |
| published_at |
2026-04-02T12:55:00Z |
|
| 8 |
| value |
0.00907 |
| scoring_system |
epss |
| scoring_elements |
0.75703 |
| published_at |
2026-04-01T12:55:00Z |
|
| 9 |
| value |
0.00907 |
| scoring_system |
epss |
| scoring_elements |
0.75715 |
| published_at |
2026-04-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-8161 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@2.1.3 |
| purl |
pkg:gem/rack@2.1.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 2 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 3 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 4 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 5 |
| vulnerability |
VCID-8zkw-y3yd-yuft |
|
| 6 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 7 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 8 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 9 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 10 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 11 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 12 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 13 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 14 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 15 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 16 |
| vulnerability |
VCID-qt1u-2p37-xfet |
|
| 17 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 18 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 19 |
| vulnerability |
VCID-udc4-7jnt-y3fu |
|
| 20 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 21 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 22 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 23 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 24 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
| 25 |
| vulnerability |
VCID-xnz5-gv2x-17bk |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.1.3 |
|
| 1 |
| url |
pkg:gem/rack@2.2.0 |
| purl |
pkg:gem/rack@2.2.0 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 2 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 3 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 4 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 5 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 6 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 7 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 8 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 9 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 10 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 11 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 12 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 13 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 14 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 15 |
| vulnerability |
VCID-qt1u-2p37-xfet |
|
| 16 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 17 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 18 |
| vulnerability |
VCID-udc4-7jnt-y3fu |
|
| 19 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 20 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 21 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 22 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 23 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
| 24 |
| vulnerability |
VCID-xnz5-gv2x-17bk |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.0 |
|
|
| aliases |
CVE-2020-8161, GHSA-5f9h-9pjv-v6j7
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-8zkw-y3yd-yuft |
|
| 7 |
| url |
VCID-91xe-ev7t-akb9 |
| vulnerability_id |
VCID-91xe-ev7t-akb9 |
| summary |
Uncontrolled Resource Consumption
lib/rack/multipart.rb in Rack uses an incorrect regular expression, which allows remote attackers to cause a denial of service (infinite loop) via a crafted Content-Disposition header. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2012-6109 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00828 |
| scoring_system |
epss |
| scoring_elements |
0.74497 |
| published_at |
2026-04-13T12:55:00Z |
|
| 1 |
| value |
0.00828 |
| scoring_system |
epss |
| scoring_elements |
0.7445 |
| published_at |
2026-04-01T12:55:00Z |
|
| 2 |
| value |
0.00828 |
| scoring_system |
epss |
| scoring_elements |
0.74535 |
| published_at |
2026-04-16T12:55:00Z |
|
| 3 |
| value |
0.00828 |
| scoring_system |
epss |
| scoring_elements |
0.74454 |
| published_at |
2026-04-02T12:55:00Z |
|
| 4 |
| value |
0.00828 |
| scoring_system |
epss |
| scoring_elements |
0.74506 |
| published_at |
2026-04-12T12:55:00Z |
|
| 5 |
| value |
0.00828 |
| scoring_system |
epss |
| scoring_elements |
0.74524 |
| published_at |
2026-04-11T12:55:00Z |
|
| 6 |
| value |
0.00828 |
| scoring_system |
epss |
| scoring_elements |
0.74503 |
| published_at |
2026-04-09T12:55:00Z |
|
| 7 |
| value |
0.00828 |
| scoring_system |
epss |
| scoring_elements |
0.74487 |
| published_at |
2026-04-08T12:55:00Z |
|
| 8 |
| value |
0.00828 |
| scoring_system |
epss |
| scoring_elements |
0.74455 |
| published_at |
2026-04-07T12:55:00Z |
|
| 9 |
| value |
0.00828 |
| scoring_system |
epss |
| scoring_elements |
0.7448 |
| published_at |
2026-04-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2012-6109 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
|
| 38 |
|
| 39 |
|
| 40 |
|
| 41 |
|
| 42 |
|
| 43 |
|
| 44 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@1.4.2 |
| purl |
pkg:gem/rack@1.4.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-35e6-cpn8-w7h1 |
|
| 1 |
| vulnerability |
VCID-3ycr-9smk-uqdc |
|
| 2 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 3 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 4 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 5 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 6 |
| vulnerability |
VCID-8zkw-y3yd-yuft |
|
| 7 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 8 |
| vulnerability |
VCID-9uh8-upzm-7bgd |
|
| 9 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 10 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 11 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 12 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 13 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 14 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 15 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 16 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 17 |
| vulnerability |
VCID-jxws-ws21-4uaa |
|
| 18 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 19 |
| vulnerability |
VCID-qt1u-2p37-xfet |
|
| 20 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 21 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 22 |
| vulnerability |
VCID-teq8-nqhf-xbbq |
|
| 23 |
| vulnerability |
VCID-udc4-7jnt-y3fu |
|
| 24 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 25 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 26 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 27 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 28 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
| 29 |
| vulnerability |
VCID-xnz5-gv2x-17bk |
|
| 30 |
| vulnerability |
VCID-y12d-fjpf-uubh |
|
| 31 |
| vulnerability |
VCID-yw62-qbkq-9ygq |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@1.4.2 |
|
|
| aliases |
CVE-2012-6109, GHSA-h77x-m5q8-c29h, OSV-89317
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-91xe-ev7t-akb9 |
|
| 8 |
| url |
VCID-9rpp-9xss-duf6 |
| vulnerability_id |
VCID-9rpp-9xss-duf6 |
| summary |
Rack has a Directory Traversal via Rack::Directory
## Summary
`Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root.
## Details
In `directory.rb`, `File.expand_path(File.join(root, path_info)).start_with?(root)` does not enforce a path boundary. If the server root is `/var/www/root`, a path like `/var/www/root_backup` passes the check because it shares the same prefix, so `Rack::Directory` will list that directory also.
## Impact
Information disclosure via directory listing outside the configured root when `Rack::Directory` is exposed to untrusted clients and a directory shares the root prefix (e.g., `public2`, `www_backup`).
## Mitigation
* Update to a patched version of Rack that correctly checks the root prefix.
* Don't name directories with the same prefix as one which is exposed via `Rack::Directory`. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-22860 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.001 |
| scoring_system |
epss |
| scoring_elements |
0.2772 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.001 |
| scoring_system |
epss |
| scoring_elements |
0.27712 |
| published_at |
2026-04-13T12:55:00Z |
|
| 2 |
| value |
0.001 |
| scoring_system |
epss |
| scoring_elements |
0.27769 |
| published_at |
2026-04-12T12:55:00Z |
|
| 3 |
| value |
0.001 |
| scoring_system |
epss |
| scoring_elements |
0.27811 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.001 |
| scoring_system |
epss |
| scoring_elements |
0.27762 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.001 |
| scoring_system |
epss |
| scoring_elements |
0.27695 |
| published_at |
2026-04-07T12:55:00Z |
|
| 6 |
| value |
0.001 |
| scoring_system |
epss |
| scoring_elements |
0.27903 |
| published_at |
2026-04-04T12:55:00Z |
|
| 7 |
| value |
0.001 |
| scoring_system |
epss |
| scoring_elements |
0.27862 |
| published_at |
2026-04-02T12:55:00Z |
|
| 8 |
| value |
0.001 |
| scoring_system |
epss |
| scoring_elements |
0.27805 |
| published_at |
2026-04-09T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-22860 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-22860, GHSA-mxw3-3hh2-x2mh
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9rpp-9xss-duf6 |
|
| 9 |
| url |
VCID-9uh8-upzm-7bgd |
| vulnerability_id |
VCID-9uh8-upzm-7bgd |
| summary |
Uncontrolled Resource Consumption
Unspecified vulnerability in Rack::Auth::AbstractRequest in Rack allows remote attackers to cause a denial of service via unknown vectors related to "symbolized arbitrary strings." |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2013-0184 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00677 |
| scoring_system |
epss |
| scoring_elements |
0.7146 |
| published_at |
2026-04-07T12:55:00Z |
|
| 1 |
| value |
0.00677 |
| scoring_system |
epss |
| scoring_elements |
0.71547 |
| published_at |
2026-04-16T12:55:00Z |
|
| 2 |
| value |
0.00677 |
| scoring_system |
epss |
| scoring_elements |
0.71501 |
| published_at |
2026-04-13T12:55:00Z |
|
| 3 |
| value |
0.00677 |
| scoring_system |
epss |
| scoring_elements |
0.71519 |
| published_at |
2026-04-12T12:55:00Z |
|
| 4 |
| value |
0.00677 |
| scoring_system |
epss |
| scoring_elements |
0.715 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00677 |
| scoring_system |
epss |
| scoring_elements |
0.71535 |
| published_at |
2026-04-11T12:55:00Z |
|
| 6 |
| value |
0.00677 |
| scoring_system |
epss |
| scoring_elements |
0.71463 |
| published_at |
2026-04-01T12:55:00Z |
|
| 7 |
| value |
0.00677 |
| scoring_system |
epss |
| scoring_elements |
0.71512 |
| published_at |
2026-04-09T12:55:00Z |
|
| 8 |
| value |
0.00677 |
| scoring_system |
epss |
| scoring_elements |
0.7147 |
| published_at |
2026-04-02T12:55:00Z |
|
| 9 |
| value |
0.00677 |
| scoring_system |
epss |
| scoring_elements |
0.71487 |
| published_at |
2026-04-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2013-0184 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
|
| 38 |
|
| 39 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@1.4.4 |
| purl |
pkg:gem/rack@1.4.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-35e6-cpn8-w7h1 |
|
| 1 |
| vulnerability |
VCID-3ycr-9smk-uqdc |
|
| 2 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 3 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 4 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 5 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 6 |
| vulnerability |
VCID-8zkw-y3yd-yuft |
|
| 7 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 8 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 9 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 10 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 11 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 12 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 13 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 14 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 15 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 16 |
| vulnerability |
VCID-jxws-ws21-4uaa |
|
| 17 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 18 |
| vulnerability |
VCID-qt1u-2p37-xfet |
|
| 19 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 20 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 21 |
| vulnerability |
VCID-udc4-7jnt-y3fu |
|
| 22 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 23 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 24 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 25 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 26 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
| 27 |
| vulnerability |
VCID-xnz5-gv2x-17bk |
|
| 28 |
| vulnerability |
VCID-y12d-fjpf-uubh |
|
| 29 |
| vulnerability |
VCID-yw62-qbkq-9ygq |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@1.4.4 |
|
| 1 |
| url |
pkg:gem/rack@1.5.0.beta.1 |
| purl |
pkg:gem/rack@1.5.0.beta.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-35e6-cpn8-w7h1 |
|
| 1 |
| vulnerability |
VCID-3ycr-9smk-uqdc |
|
| 2 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 3 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 4 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 5 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 6 |
| vulnerability |
VCID-8zkw-y3yd-yuft |
|
| 7 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 8 |
| vulnerability |
VCID-9uh8-upzm-7bgd |
|
| 9 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 10 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 11 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 12 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 13 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 14 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 15 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 16 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 17 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 18 |
| vulnerability |
VCID-qt1u-2p37-xfet |
|
| 19 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 20 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 21 |
| vulnerability |
VCID-udc4-7jnt-y3fu |
|
| 22 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 23 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 24 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 25 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 26 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
| 27 |
| vulnerability |
VCID-xnz5-gv2x-17bk |
|
| 28 |
| vulnerability |
VCID-y12d-fjpf-uubh |
|
| 29 |
| vulnerability |
VCID-yw62-qbkq-9ygq |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@1.5.0.beta.1 |
|
|
| aliases |
CVE-2013-0184, GHSA-v882-ccj6-jc48, OSV-89327
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-9uh8-upzm-7bgd |
|
| 10 |
| url |
VCID-arac-j5h5-zkcu |
| vulnerability_id |
VCID-arac-j5h5-zkcu |
| summary |
Rack has possible DoS Vulnerability with Range Header
# Possible DoS Vulnerability with Range Header in Rack
There is a possible DoS vulnerability relating to the Range request header in
Rack. This vulnerability has been assigned the CVE identifier CVE-2024-26141.
Versions Affected: >= 1.3.0.
Not affected: < 1.3.0
Fixed Versions: 3.0.9.1, 2.2.8.1
Impact
------
Carefully crafted Range headers can cause a server to respond with an
unexpectedly large response. Responding with such large responses could lead
to a denial of service issue.
Vulnerable applications will use the `Rack::File` middleware or the
`Rack::Utils.byte_ranges` methods (this includes Rails applications).
Releases
--------
The fixed releases are available at the normal locations.
Workarounds
-----------
There are no feasible workarounds for this issue.
Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.
* 3-0-range.patch - Patch for 3.0 series
* 2-2-range.patch - Patch for 2.2 series
Credits
-------
Thank you [ooooooo_q](https://hackerone.com/ooooooo_q) for the report and
patch |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-26141 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00378 |
| scoring_system |
epss |
| scoring_elements |
0.59349 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00378 |
| scoring_system |
epss |
| scoring_elements |
0.59316 |
| published_at |
2026-04-13T12:55:00Z |
|
| 2 |
| value |
0.00378 |
| scoring_system |
epss |
| scoring_elements |
0.59334 |
| published_at |
2026-04-12T12:55:00Z |
|
| 3 |
| value |
0.00378 |
| scoring_system |
epss |
| scoring_elements |
0.5935 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.00399 |
| scoring_system |
epss |
| scoring_elements |
0.60593 |
| published_at |
2026-04-07T12:55:00Z |
|
| 5 |
| value |
0.00399 |
| scoring_system |
epss |
| scoring_elements |
0.60657 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00399 |
| scoring_system |
epss |
| scoring_elements |
0.60642 |
| published_at |
2026-04-08T12:55:00Z |
|
| 7 |
| value |
0.0041 |
| scoring_system |
epss |
| scoring_elements |
0.61296 |
| published_at |
2026-04-02T12:55:00Z |
|
| 8 |
| value |
0.0041 |
| scoring_system |
epss |
| scoring_elements |
0.61325 |
| published_at |
2026-04-04T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-26141 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@2.2.8.1 |
| purl |
pkg:gem/rack@2.2.8.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 4 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 5 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 6 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 7 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 8 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 9 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 10 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 11 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 12 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 13 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.8.1 |
|
| 1 |
| url |
pkg:gem/rack@3.0.9.1 |
| purl |
pkg:gem/rack@3.0.9.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 4 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 5 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 6 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 7 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 8 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 9 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 10 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 11 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.9.1 |
|
|
| aliases |
CVE-2024-26141, GHSA-xj5v-6v4g-jfw6
|
| risk_score |
2.6 |
| exploitability |
0.5 |
| weighted_severity |
5.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-arac-j5h5-zkcu |
|
| 11 |
| url |
VCID-azu5-jcmd-3ufx |
| vulnerability_id |
VCID-azu5-jcmd-3ufx |
| summary |
Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
`Rack::Multipart::Parser` can accumulate unbounded data when a multipart part’s header block never terminates with the required blank line (`CRLFCRLF`). The parser keeps appending incoming bytes to memory without a size cap, allowing a remote attacker to exhaust memory and cause a denial of service (DoS). |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-61772 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00193 |
| scoring_system |
epss |
| scoring_elements |
0.41281 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00193 |
| scoring_system |
epss |
| scoring_elements |
0.41238 |
| published_at |
2026-04-13T12:55:00Z |
|
| 2 |
| value |
0.00193 |
| scoring_system |
epss |
| scoring_elements |
0.41251 |
| published_at |
2026-04-12T12:55:00Z |
|
| 3 |
| value |
0.00193 |
| scoring_system |
epss |
| scoring_elements |
0.41283 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.00193 |
| scoring_system |
epss |
| scoring_elements |
0.41261 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00193 |
| scoring_system |
epss |
| scoring_elements |
0.41203 |
| published_at |
2026-04-07T12:55:00Z |
|
| 6 |
| value |
0.00193 |
| scoring_system |
epss |
| scoring_elements |
0.41278 |
| published_at |
2026-04-04T12:55:00Z |
|
| 7 |
| value |
0.00193 |
| scoring_system |
epss |
| scoring_elements |
0.41249 |
| published_at |
2026-04-02T12:55:00Z |
|
| 8 |
| value |
0.00193 |
| scoring_system |
epss |
| scoring_elements |
0.41253 |
| published_at |
2026-04-08T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-61772 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:gem/rack@3.0.0.beta1 |
| purl |
pkg:gem/rack@3.0.0.beta1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1j61-5e8x-7fbd |
|
| 1 |
| vulnerability |
VCID-2p73-rc9t-rudb |
|
| 2 |
| vulnerability |
VCID-2qba-a6bp-ryak |
|
| 3 |
| vulnerability |
VCID-5twm-pqc2-xyfn |
|
| 4 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 5 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 6 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 7 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 8 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 9 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 10 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 11 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 12 |
| vulnerability |
VCID-dh75-6jyw-1ke2 |
|
| 13 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 14 |
| vulnerability |
VCID-j34j-bgfd-8fez |
|
| 15 |
| vulnerability |
VCID-jg77-mm5c-gydu |
|
| 16 |
| vulnerability |
VCID-m98a-mcyb-c7fm |
|
| 17 |
| vulnerability |
VCID-metf-cghw-p3b5 |
|
| 18 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 19 |
| vulnerability |
VCID-p3dk-p1gb-kkem |
|
| 20 |
| vulnerability |
VCID-pbu7-4hdm-s3a6 |
|
| 21 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 22 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 23 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 24 |
| vulnerability |
VCID-wvs1-dhwp-ebat |
|
| 25 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.0.beta1 |
|
| 2 |
|
| 3 |
|
|
| aliases |
CVE-2025-61772, GHSA-wpv5-97wm-hp9c
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-azu5-jcmd-3ufx |
|
| 12 |
| url |
VCID-c21j-snf1-d3cb |
| vulnerability_id |
VCID-c21j-snf1-d3cb |
| summary |
Duplicate
This advisory duplicates another. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-44572 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00262 |
| scoring_system |
epss |
| scoring_elements |
0.4954 |
| published_at |
2026-04-04T12:55:00Z |
|
| 1 |
| value |
0.00262 |
| scoring_system |
epss |
| scoring_elements |
0.49513 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00275 |
| scoring_system |
epss |
| scoring_elements |
0.50985 |
| published_at |
2026-04-16T12:55:00Z |
|
| 3 |
| value |
0.00275 |
| scoring_system |
epss |
| scoring_elements |
0.50986 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.00275 |
| scoring_system |
epss |
| scoring_elements |
0.50964 |
| published_at |
2026-04-12T12:55:00Z |
|
| 5 |
| value |
0.00275 |
| scoring_system |
epss |
| scoring_elements |
0.50948 |
| published_at |
2026-04-13T12:55:00Z |
|
| 6 |
| value |
0.00298 |
| scoring_system |
epss |
| scoring_elements |
0.53138 |
| published_at |
2026-04-07T12:55:00Z |
|
| 7 |
| value |
0.00298 |
| scoring_system |
epss |
| scoring_elements |
0.53184 |
| published_at |
2026-04-09T12:55:00Z |
|
| 8 |
| value |
0.00298 |
| scoring_system |
epss |
| scoring_elements |
0.53192 |
| published_at |
2026-04-08T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-44572 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@2.0.9.2 |
| purl |
pkg:gem/rack@2.0.9.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 4 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 5 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 6 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 7 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 8 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 9 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 10 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 11 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 12 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 13 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 14 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 15 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 16 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 17 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 18 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 19 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 20 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.0.9.2 |
|
| 1 |
| url |
pkg:gem/rack@2.1.4.2 |
| purl |
pkg:gem/rack@2.1.4.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 4 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 5 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 6 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 7 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 8 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 9 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 10 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 11 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 12 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 13 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 14 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 15 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 16 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 17 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 18 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 19 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 20 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.1.4.2 |
|
| 2 |
| url |
pkg:gem/rack@2.2.5 |
| purl |
pkg:gem/rack@2.2.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 2 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 3 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 4 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 5 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 6 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 7 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 8 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 9 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 10 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 11 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 12 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 13 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 14 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 15 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 16 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 17 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 18 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 19 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 20 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 21 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.5 |
|
| 3 |
| url |
pkg:gem/rack@2.2.6.1 |
| purl |
pkg:gem/rack@2.2.6.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 2 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 3 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 4 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 5 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 6 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 7 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 8 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 9 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 10 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 11 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 12 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 13 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 14 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 15 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 16 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 17 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 18 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 19 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 20 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 21 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.6.1 |
|
| 4 |
| url |
pkg:gem/rack@3.0.4.1 |
| purl |
pkg:gem/rack@3.0.4.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 4 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 5 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 6 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 7 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 8 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 9 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 10 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 11 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 12 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 13 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 14 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 15 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 16 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.4.1 |
|
|
| aliases |
CVE-2022-44572, GHSA-rqv2-275x-2jq5, GMS-2023-66
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-c21j-snf1-d3cb |
|
| 13 |
| url |
VCID-c5sc-7qnn-mkb9 |
| vulnerability_id |
VCID-c5sc-7qnn-mkb9 |
| summary |
Rack: Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)
`Rack::Multipart::Parser` stores non-file form fields (parts without a `filename`) entirely in memory as Ruby `String` objects. A single large text field in a multipart/form-data request (hundreds of megabytes or more) can consume equivalent process memory, potentially leading to out-of-memory (OOM) conditions and denial of service (DoS). |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-61771 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00098 |
| scoring_system |
epss |
| scoring_elements |
0.26999 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00098 |
| scoring_system |
epss |
| scoring_elements |
0.2699 |
| published_at |
2026-04-13T12:55:00Z |
|
| 2 |
| value |
0.00098 |
| scoring_system |
epss |
| scoring_elements |
0.27047 |
| published_at |
2026-04-12T12:55:00Z |
|
| 3 |
| value |
0.00098 |
| scoring_system |
epss |
| scoring_elements |
0.27091 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.00098 |
| scoring_system |
epss |
| scoring_elements |
0.27087 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00098 |
| scoring_system |
epss |
| scoring_elements |
0.27042 |
| published_at |
2026-04-08T12:55:00Z |
|
| 6 |
| value |
0.00098 |
| scoring_system |
epss |
| scoring_elements |
0.26973 |
| published_at |
2026-04-07T12:55:00Z |
|
| 7 |
| value |
0.00098 |
| scoring_system |
epss |
| scoring_elements |
0.27182 |
| published_at |
2026-04-04T12:55:00Z |
|
| 8 |
| value |
0.00098 |
| scoring_system |
epss |
| scoring_elements |
0.27146 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-61771 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:gem/rack@3.0.0.beta1 |
| purl |
pkg:gem/rack@3.0.0.beta1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1j61-5e8x-7fbd |
|
| 1 |
| vulnerability |
VCID-2p73-rc9t-rudb |
|
| 2 |
| vulnerability |
VCID-2qba-a6bp-ryak |
|
| 3 |
| vulnerability |
VCID-5twm-pqc2-xyfn |
|
| 4 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 5 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 6 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 7 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 8 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 9 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 10 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 11 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 12 |
| vulnerability |
VCID-dh75-6jyw-1ke2 |
|
| 13 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 14 |
| vulnerability |
VCID-j34j-bgfd-8fez |
|
| 15 |
| vulnerability |
VCID-jg77-mm5c-gydu |
|
| 16 |
| vulnerability |
VCID-m98a-mcyb-c7fm |
|
| 17 |
| vulnerability |
VCID-metf-cghw-p3b5 |
|
| 18 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 19 |
| vulnerability |
VCID-p3dk-p1gb-kkem |
|
| 20 |
| vulnerability |
VCID-pbu7-4hdm-s3a6 |
|
| 21 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 22 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 23 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 24 |
| vulnerability |
VCID-wvs1-dhwp-ebat |
|
| 25 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.0.beta1 |
|
| 2 |
|
| 3 |
|
|
| aliases |
CVE-2025-61771, GHSA-w9pc-fmgc-vxvw
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-c5sc-7qnn-mkb9 |
|
| 14 |
| url |
VCID-d58r-22kr-9bct |
| vulnerability_id |
VCID-d58r-22kr-9bct |
| summary |
Rack has a Possible Information Disclosure Vulnerability
A possible information disclosure vulnerability existed in `Rack::Sendfile` when running behind a proxy (such as Nginx) that honours `x-sendfile`-style headers. Specially crafted headers could cause `Rack::Sendfile` to miscommunicate with the proxy and trigger unintended internal requests, potentially bypassing proxy-level access restrictions. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-61780 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00035 |
| scoring_system |
epss |
| scoring_elements |
0.10267 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00035 |
| scoring_system |
epss |
| scoring_elements |
0.10396 |
| published_at |
2026-04-13T12:55:00Z |
|
| 2 |
| value |
0.00035 |
| scoring_system |
epss |
| scoring_elements |
0.10418 |
| published_at |
2026-04-12T12:55:00Z |
|
| 3 |
| value |
0.00035 |
| scoring_system |
epss |
| scoring_elements |
0.10462 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.00035 |
| scoring_system |
epss |
| scoring_elements |
0.10434 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00035 |
| scoring_system |
epss |
| scoring_elements |
0.10294 |
| published_at |
2026-04-07T12:55:00Z |
|
| 6 |
| value |
0.00035 |
| scoring_system |
epss |
| scoring_elements |
0.10394 |
| published_at |
2026-04-04T12:55:00Z |
|
| 7 |
| value |
0.00035 |
| scoring_system |
epss |
| scoring_elements |
0.10328 |
| published_at |
2026-04-02T12:55:00Z |
|
| 8 |
| value |
0.00035 |
| scoring_system |
epss |
| scoring_elements |
0.10368 |
| published_at |
2026-04-08T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-61780 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:gem/rack@3.0.0.beta1 |
| purl |
pkg:gem/rack@3.0.0.beta1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1j61-5e8x-7fbd |
|
| 1 |
| vulnerability |
VCID-2p73-rc9t-rudb |
|
| 2 |
| vulnerability |
VCID-2qba-a6bp-ryak |
|
| 3 |
| vulnerability |
VCID-5twm-pqc2-xyfn |
|
| 4 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 5 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 6 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 7 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 8 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 9 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 10 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 11 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 12 |
| vulnerability |
VCID-dh75-6jyw-1ke2 |
|
| 13 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 14 |
| vulnerability |
VCID-j34j-bgfd-8fez |
|
| 15 |
| vulnerability |
VCID-jg77-mm5c-gydu |
|
| 16 |
| vulnerability |
VCID-m98a-mcyb-c7fm |
|
| 17 |
| vulnerability |
VCID-metf-cghw-p3b5 |
|
| 18 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 19 |
| vulnerability |
VCID-p3dk-p1gb-kkem |
|
| 20 |
| vulnerability |
VCID-pbu7-4hdm-s3a6 |
|
| 21 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 22 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 23 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 24 |
| vulnerability |
VCID-wvs1-dhwp-ebat |
|
| 25 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.0.beta1 |
|
| 2 |
|
| 3 |
|
|
| aliases |
CVE-2025-61780, GHSA-r657-rxjc-j557
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-d58r-22kr-9bct |
|
| 15 |
| url |
VCID-fpg2-nhey-rkcc |
| vulnerability_id |
VCID-fpg2-nhey-rkcc |
| summary |
Rack has possible DoS Vulnerability in Multipart MIME parsing
There is a possible DoS vulnerability in the Multipart MIME parsing code in Rack. This vulnerability has been assigned the CVE identifier CVE-2023-27530.
Versions Affected: All. Not affected: None. Fixed Versions: 3.0.4.2, 2.2.6.3, 2.1.4.3, 2.0.9.3
# Impact
The Multipart MIME parsing code in Rack limits the number of file parts, but does not limit the total number of parts that can be uploaded. Carefully crafted requests can abuse this and cause multipart parsing to take longer than expected.
All users running an affected release should either upgrade or use one of the workarounds immediately.
# Workarounds
A proxy can be configured to limit the POST body size, which mitigates this issue by bounding the number of multipart parts a single request can carry. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-27530 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.0209 |
| scoring_system |
epss |
| scoring_elements |
0.8399 |
| published_at |
2026-04-04T12:55:00Z |
|
| 1 |
| value |
0.0209 |
| scoring_system |
epss |
| scoring_elements |
0.83975 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.02133 |
| scoring_system |
epss |
| scoring_elements |
0.84204 |
| published_at |
2026-04-16T12:55:00Z |
|
| 3 |
| value |
0.02133 |
| scoring_system |
epss |
| scoring_elements |
0.84186 |
| published_at |
2026-04-12T12:55:00Z |
|
| 4 |
| value |
0.02133 |
| scoring_system |
epss |
| scoring_elements |
0.84183 |
| published_at |
2026-04-13T12:55:00Z |
|
| 5 |
| value |
0.02133 |
| scoring_system |
epss |
| scoring_elements |
0.84192 |
| published_at |
2026-04-11T12:55:00Z |
|
| 6 |
| value |
0.02311 |
| scoring_system |
epss |
| scoring_elements |
0.84734 |
| published_at |
2026-04-07T12:55:00Z |
|
| 7 |
| value |
0.02311 |
| scoring_system |
epss |
| scoring_elements |
0.84763 |
| published_at |
2026-04-09T12:55:00Z |
|
| 8 |
| value |
0.02311 |
| scoring_system |
epss |
| scoring_elements |
0.84757 |
| published_at |
2026-04-08T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-27530 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@2.0.9.3 |
| purl |
pkg:gem/rack@2.0.9.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 4 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 5 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 6 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 7 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 8 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 9 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 10 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 11 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 12 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 13 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 14 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 15 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 16 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 17 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.0.9.3 |
|
| 1 |
| url |
pkg:gem/rack@2.1.4.3 |
| purl |
pkg:gem/rack@2.1.4.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 4 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 5 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 6 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 7 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 8 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 9 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 10 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 11 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 12 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 13 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 14 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 15 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 16 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 17 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.1.4.3 |
|
| 2 |
| url |
pkg:gem/rack@2.2.6.3 |
| purl |
pkg:gem/rack@2.2.6.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 4 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 5 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 6 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 7 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 8 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 9 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 10 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 11 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 12 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 13 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 14 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 15 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 16 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 17 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.6.3 |
|
| 3 |
| url |
pkg:gem/rack@3.0.4.2 |
| purl |
pkg:gem/rack@3.0.4.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 4 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 5 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 6 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 7 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 8 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 9 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 10 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 11 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 12 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 13 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 14 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 15 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.4.2 |
|
|
| aliases |
CVE-2023-27530, GHSA-3h57-hmj3-gj3p, GMS-2023-663
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-fpg2-nhey-rkcc |
|
| 16 |
| url |
VCID-gdhf-e8q1-kbat |
| vulnerability_id |
VCID-gdhf-e8q1-kbat |
| summary |
Rack has an unsafe default in Rack::QueryParser allows params_limit bypass via semicolon-separated parameters
`Rack::QueryParser` in versions before `2.2.18` enforces its `params_limit` only for parameters separated by `&`, while still splitting on both `&` and `;`. As a result, attackers could use `;` separators to bypass the parameter count limit and submit more parameters than intended. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-59830 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00069 |
| scoring_system |
epss |
| scoring_elements |
0.21196 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00069 |
| scoring_system |
epss |
| scoring_elements |
0.21203 |
| published_at |
2026-04-13T12:55:00Z |
|
| 2 |
| value |
0.00069 |
| scoring_system |
epss |
| scoring_elements |
0.21256 |
| published_at |
2026-04-12T12:55:00Z |
|
| 3 |
| value |
0.00069 |
| scoring_system |
epss |
| scoring_elements |
0.21297 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.00069 |
| scoring_system |
epss |
| scoring_elements |
0.21287 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00069 |
| scoring_system |
epss |
| scoring_elements |
0.21225 |
| published_at |
2026-04-08T12:55:00Z |
|
| 6 |
| value |
0.00069 |
| scoring_system |
epss |
| scoring_elements |
0.21392 |
| published_at |
2026-04-04T12:55:00Z |
|
| 7 |
| value |
0.00069 |
| scoring_system |
epss |
| scoring_elements |
0.21145 |
| published_at |
2026-04-07T12:55:00Z |
|
| 8 |
| value |
0.00069 |
| scoring_system |
epss |
| scoring_elements |
0.21337 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-59830 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:gem/rack@3.0.0.beta1 |
| purl |
pkg:gem/rack@3.0.0.beta1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1j61-5e8x-7fbd |
|
| 1 |
| vulnerability |
VCID-2p73-rc9t-rudb |
|
| 2 |
| vulnerability |
VCID-2qba-a6bp-ryak |
|
| 3 |
| vulnerability |
VCID-5twm-pqc2-xyfn |
|
| 4 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 5 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 6 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 7 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 8 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 9 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 10 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 11 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 12 |
| vulnerability |
VCID-dh75-6jyw-1ke2 |
|
| 13 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 14 |
| vulnerability |
VCID-j34j-bgfd-8fez |
|
| 15 |
| vulnerability |
VCID-jg77-mm5c-gydu |
|
| 16 |
| vulnerability |
VCID-m98a-mcyb-c7fm |
|
| 17 |
| vulnerability |
VCID-metf-cghw-p3b5 |
|
| 18 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 19 |
| vulnerability |
VCID-p3dk-p1gb-kkem |
|
| 20 |
| vulnerability |
VCID-pbu7-4hdm-s3a6 |
|
| 21 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 22 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 23 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 24 |
| vulnerability |
VCID-wvs1-dhwp-ebat |
|
| 25 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.0.beta1 |
|
|
| aliases |
CVE-2025-59830, GHSA-625h-95r8-8xpm
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gdhf-e8q1-kbat |
|
| 17 |
| url |
VCID-gtzk-m9rm-57hw |
| vulnerability_id |
VCID-gtzk-m9rm-57hw |
| summary |
Rack Header Parsing leads to Possible Denial of Service Vulnerability
# Possible Denial of Service Vulnerability in Rack Header Parsing
There is a possible denial of service vulnerability in the header parsing
routines in Rack. This vulnerability has been assigned the CVE identifier
CVE-2024-26146.
Versions Affected: All.
Not affected: None
Fixed Versions: 2.0.9.4, 2.1.4.4, 2.2.8.1, 3.0.9.1
Impact
------
Carefully crafted headers can cause header parsing in Rack to take longer than
expected resulting in a possible denial of service issue. Accept and Forwarded
headers are impacted.
Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2
or newer are unaffected.
Releases
--------
The fixed releases are available at the normal locations.
Workarounds
-----------
There are no feasible workarounds for this issue.
Patches
-------
To aid users who aren't able to upgrade immediately we have provided patches for
each affected release series. They are in git-am format and consist of a
single changeset.
* 2-0-header-redos.patch - Patch for 2.0 series
* 2-1-header-redos.patch - Patch for 2.1 series
* 2-2-header-redos.patch - Patch for 2.2 series
* 3-0-header-redos.patch - Patch for 3.0 series
Credits
-------
Thanks to [svalkanov](https://hackerone.com/svalkanov) for reporting this and
providing patches! |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2024-26146 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00699 |
| scoring_system |
epss |
| scoring_elements |
0.71937 |
| published_at |
2026-04-02T12:55:00Z |
|
| 1 |
| value |
0.00699 |
| scoring_system |
epss |
| scoring_elements |
0.71956 |
| published_at |
2026-04-04T12:55:00Z |
|
| 2 |
| value |
0.00714 |
| scoring_system |
epss |
| scoring_elements |
0.72361 |
| published_at |
2026-04-16T12:55:00Z |
|
| 3 |
| value |
0.00714 |
| scoring_system |
epss |
| scoring_elements |
0.72348 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.00714 |
| scoring_system |
epss |
| scoring_elements |
0.7232 |
| published_at |
2026-04-13T12:55:00Z |
|
| 5 |
| value |
0.00714 |
| scoring_system |
epss |
| scoring_elements |
0.72332 |
| published_at |
2026-04-12T12:55:00Z |
|
| 6 |
| value |
0.00775 |
| scoring_system |
epss |
| scoring_elements |
0.73588 |
| published_at |
2026-04-08T12:55:00Z |
|
| 7 |
| value |
0.00775 |
| scoring_system |
epss |
| scoring_elements |
0.73552 |
| published_at |
2026-04-07T12:55:00Z |
|
| 8 |
| value |
0.00775 |
| scoring_system |
epss |
| scoring_elements |
0.73601 |
| published_at |
2026-04-09T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2024-26146 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@2.0.9.4 |
| purl |
pkg:gem/rack@2.0.9.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 4 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 5 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 6 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 7 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 8 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 9 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 10 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 11 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 12 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 13 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 14 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 15 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.0.9.4 |
|
| 1 |
| url |
pkg:gem/rack@2.1.4.4 |
| purl |
pkg:gem/rack@2.1.4.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 4 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 5 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 6 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 7 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 8 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 9 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 10 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 11 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 12 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 13 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 14 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 15 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.1.4.4 |
|
| 2 |
| url |
pkg:gem/rack@2.2.8.1 |
| purl |
pkg:gem/rack@2.2.8.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 4 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 5 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 6 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 7 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 8 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 9 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 10 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 11 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 12 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 13 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.8.1 |
|
| 3 |
| url |
pkg:gem/rack@3.0.9.1 |
| purl |
pkg:gem/rack@3.0.9.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 4 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 5 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 6 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 7 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 8 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 9 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 10 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 11 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.9.1 |
|
|
| aliases |
CVE-2024-26146, GHSA-54rr-7fvw-6x8f
|
| risk_score |
2.4 |
| exploitability |
0.5 |
| weighted_severity |
4.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-gtzk-m9rm-57hw |
|
| 18 |
| url |
VCID-jxws-ws21-4uaa |
| vulnerability_id |
VCID-jxws-ws21-4uaa |
| summary |
Moderate severity vulnerability that affects rack
Withdrawn: accidental duplicate publication.
lib/rack/utils.rb in Rack before 1.5.4 and 1.6.x before 1.6.2, as used with Ruby on Rails 3.x and 4.x and other products, allows remote attackers to cause a denial of service (SystemStackError) via a request with a large parameter depth. |
| references |
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@1.4.6 |
| purl |
pkg:gem/rack@1.4.6 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 4 |
| vulnerability |
VCID-8zkw-y3yd-yuft |
|
| 5 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 6 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 7 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 8 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 9 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 10 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 11 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 12 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 13 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 14 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 15 |
| vulnerability |
VCID-qt1u-2p37-xfet |
|
| 16 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 17 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 18 |
| vulnerability |
VCID-udc4-7jnt-y3fu |
|
| 19 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 20 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 21 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 22 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 23 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
| 24 |
| vulnerability |
VCID-xnz5-gv2x-17bk |
|
| 25 |
| vulnerability |
VCID-yw62-qbkq-9ygq |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@1.4.6 |
|
| 1 |
| url |
pkg:gem/rack@1.5.4 |
| purl |
pkg:gem/rack@1.5.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 2 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 3 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 4 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 5 |
| vulnerability |
VCID-8zkw-y3yd-yuft |
|
| 6 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 7 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 8 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 9 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 10 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 11 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 12 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 13 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 14 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 15 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 16 |
| vulnerability |
VCID-qt1u-2p37-xfet |
|
| 17 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 18 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 19 |
| vulnerability |
VCID-udc4-7jnt-y3fu |
|
| 20 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 21 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 22 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 23 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 24 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
| 25 |
| vulnerability |
VCID-xnz5-gv2x-17bk |
|
| 26 |
| vulnerability |
VCID-yw62-qbkq-9ygq |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@1.5.4 |
|
| 2 |
| url |
pkg:gem/rack@1.6.2 |
| purl |
pkg:gem/rack@1.6.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 2 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 3 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 4 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 5 |
| vulnerability |
VCID-8zkw-y3yd-yuft |
|
| 6 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 7 |
| vulnerability |
VCID-9xy8-h3y1-mubv |
|
| 8 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 9 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 10 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 11 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 12 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 13 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 14 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 15 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 16 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 17 |
| vulnerability |
VCID-qt1u-2p37-xfet |
|
| 18 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 19 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 20 |
| vulnerability |
VCID-udc4-7jnt-y3fu |
|
| 21 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 22 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 23 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 24 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 25 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
| 26 |
| vulnerability |
VCID-xnz5-gv2x-17bk |
|
| 27 |
| vulnerability |
VCID-yw62-qbkq-9ygq |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@1.6.2 |
|
|
| aliases |
GHSA-9vc2-p34x-jhxh
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-jxws-ws21-4uaa |
|
| 19 |
| url |
VCID-npag-sz7d-v7b6 |
| vulnerability_id |
VCID-npag-sz7d-v7b6 |
| summary |
Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion)
`Rack::Multipart::Parser` buffers the entire multipart **preamble** (bytes before the first boundary) in memory without any size limit. A client can send a large preamble followed by a valid boundary, causing significant memory use and potential process termination due to out-of-memory (OOM) conditions. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-61770 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00158 |
| scoring_system |
epss |
| scoring_elements |
0.3674 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00158 |
| scoring_system |
epss |
| scoring_elements |
0.36695 |
| published_at |
2026-04-13T12:55:00Z |
|
| 2 |
| value |
0.00158 |
| scoring_system |
epss |
| scoring_elements |
0.36721 |
| published_at |
2026-04-12T12:55:00Z |
|
| 3 |
| value |
0.00158 |
| scoring_system |
epss |
| scoring_elements |
0.36756 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.00158 |
| scoring_system |
epss |
| scoring_elements |
0.36747 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00158 |
| scoring_system |
epss |
| scoring_elements |
0.3673 |
| published_at |
2026-04-08T12:55:00Z |
|
| 6 |
| value |
0.00158 |
| scoring_system |
epss |
| scoring_elements |
0.3668 |
| published_at |
2026-04-07T12:55:00Z |
|
| 7 |
| value |
0.00158 |
| scoring_system |
epss |
| scoring_elements |
0.36844 |
| published_at |
2026-04-04T12:55:00Z |
|
| 8 |
| value |
0.00158 |
| scoring_system |
epss |
| scoring_elements |
0.36812 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-61770 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:gem/rack@3.0.0.beta1 |
| purl |
pkg:gem/rack@3.0.0.beta1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1j61-5e8x-7fbd |
|
| 1 |
| vulnerability |
VCID-2p73-rc9t-rudb |
|
| 2 |
| vulnerability |
VCID-2qba-a6bp-ryak |
|
| 3 |
| vulnerability |
VCID-5twm-pqc2-xyfn |
|
| 4 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 5 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 6 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 7 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 8 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 9 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 10 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 11 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 12 |
| vulnerability |
VCID-dh75-6jyw-1ke2 |
|
| 13 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 14 |
| vulnerability |
VCID-j34j-bgfd-8fez |
|
| 15 |
| vulnerability |
VCID-jg77-mm5c-gydu |
|
| 16 |
| vulnerability |
VCID-m98a-mcyb-c7fm |
|
| 17 |
| vulnerability |
VCID-metf-cghw-p3b5 |
|
| 18 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 19 |
| vulnerability |
VCID-p3dk-p1gb-kkem |
|
| 20 |
| vulnerability |
VCID-pbu7-4hdm-s3a6 |
|
| 21 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 22 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 23 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 24 |
| vulnerability |
VCID-wvs1-dhwp-ebat |
|
| 25 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.0.beta1 |
|
| 2 |
|
| 3 |
|
|
| aliases |
CVE-2025-61770, GHSA-p543-xpfm-54cp
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-npag-sz7d-v7b6 |
|
| 20 |
| url |
VCID-qt1u-2p37-xfet |
| vulnerability_id |
VCID-qt1u-2p37-xfet |
| summary |
Multiple vulnerabilities have been discovered in Rack, the worst of which can lead to sequence injection in logging components. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-30122 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00893 |
| scoring_system |
epss |
| scoring_elements |
0.75542 |
| published_at |
2026-04-04T12:55:00Z |
|
| 1 |
| value |
0.00893 |
| scoring_system |
epss |
| scoring_elements |
0.75512 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.00989 |
| scoring_system |
epss |
| scoring_elements |
0.76909 |
| published_at |
2026-04-16T12:55:00Z |
|
| 3 |
| value |
0.00989 |
| scoring_system |
epss |
| scoring_elements |
0.76823 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.00989 |
| scoring_system |
epss |
| scoring_elements |
0.76854 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00989 |
| scoring_system |
epss |
| scoring_elements |
0.76864 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00989 |
| scoring_system |
epss |
| scoring_elements |
0.76893 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.00989 |
| scoring_system |
epss |
| scoring_elements |
0.76873 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.00989 |
| scoring_system |
epss |
| scoring_elements |
0.76867 |
| published_at |
2026-04-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-30122 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
| reference_url |
https://security.gentoo.org/glsa/202310-18 |
| reference_id |
GLSA-202310-18 |
| reference_type |
|
| scores |
| 0 |
| value |
7.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
|
| 1 |
| value |
HIGH |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 2 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2023-12-13T16:09:46Z/ |
|
|
| url |
https://security.gentoo.org/glsa/202310-18 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@2.0.9.1 |
| purl |
pkg:gem/rack@2.0.9.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 2 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 3 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 4 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 5 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 6 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 7 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 8 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 9 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 10 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 11 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 12 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 13 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 14 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 15 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 16 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 17 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 18 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 19 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 20 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 21 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.0.9.1 |
|
| 1 |
| url |
pkg:gem/rack@2.1.4.1 |
| purl |
pkg:gem/rack@2.1.4.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 2 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 3 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 4 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 5 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 6 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 7 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 8 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 9 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 10 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 11 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 12 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 13 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 14 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 15 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 16 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 17 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 18 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 19 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 20 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 21 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.1.4.1 |
|
| 2 |
| url |
pkg:gem/rack@2.2.3.1 |
| purl |
pkg:gem/rack@2.2.3.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 2 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 3 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 4 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 5 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 6 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 7 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 8 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 9 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 10 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 11 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 12 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 13 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 14 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 15 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 16 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 17 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 18 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 19 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 20 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 21 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.3.1 |
|
|
| aliases |
CVE-2022-30122, GHSA-hxqx-xwvh-44m2, GMS-2022-1643
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-qt1u-2p37-xfet |
|
| 21 |
| url |
VCID-s971-gkdg-jkhc |
| vulnerability_id |
VCID-s971-gkdg-jkhc |
| summary |
Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing
`Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory before parsing, leading to denial of service (DoS) through memory exhaustion. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-61919 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00221 |
| scoring_system |
epss |
| scoring_elements |
0.44791 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00221 |
| scoring_system |
epss |
| scoring_elements |
0.44737 |
| published_at |
2026-04-13T12:55:00Z |
|
| 2 |
| value |
0.00221 |
| scoring_system |
epss |
| scoring_elements |
0.44735 |
| published_at |
2026-04-12T12:55:00Z |
|
| 3 |
| value |
0.00221 |
| scoring_system |
epss |
| scoring_elements |
0.44767 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.00221 |
| scoring_system |
epss |
| scoring_elements |
0.4475 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00221 |
| scoring_system |
epss |
| scoring_elements |
0.44695 |
| published_at |
2026-04-07T12:55:00Z |
|
| 6 |
| value |
0.00221 |
| scoring_system |
epss |
| scoring_elements |
0.44756 |
| published_at |
2026-04-04T12:55:00Z |
|
| 7 |
| value |
0.00221 |
| scoring_system |
epss |
| scoring_elements |
0.44736 |
| published_at |
2026-04-02T12:55:00Z |
|
| 8 |
| value |
0.00221 |
| scoring_system |
epss |
| scoring_elements |
0.44748 |
| published_at |
2026-04-08T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-61919 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
|
| fixed_packages |
| 0 |
|
| 1 |
| url |
pkg:gem/rack@3.0.0.beta1 |
| purl |
pkg:gem/rack@3.0.0.beta1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1j61-5e8x-7fbd |
|
| 1 |
| vulnerability |
VCID-2p73-rc9t-rudb |
|
| 2 |
| vulnerability |
VCID-2qba-a6bp-ryak |
|
| 3 |
| vulnerability |
VCID-5twm-pqc2-xyfn |
|
| 4 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 5 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 6 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 7 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 8 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 9 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 10 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 11 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 12 |
| vulnerability |
VCID-dh75-6jyw-1ke2 |
|
| 13 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 14 |
| vulnerability |
VCID-j34j-bgfd-8fez |
|
| 15 |
| vulnerability |
VCID-jg77-mm5c-gydu |
|
| 16 |
| vulnerability |
VCID-m98a-mcyb-c7fm |
|
| 17 |
| vulnerability |
VCID-metf-cghw-p3b5 |
|
| 18 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 19 |
| vulnerability |
VCID-p3dk-p1gb-kkem |
|
| 20 |
| vulnerability |
VCID-pbu7-4hdm-s3a6 |
|
| 21 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 22 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 23 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 24 |
| vulnerability |
VCID-wvs1-dhwp-ebat |
|
| 25 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.0.beta1 |
|
| 2 |
|
| 3 |
|
|
| aliases |
CVE-2025-61919, GHSA-6xw4-3v39-52mm
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-s971-gkdg-jkhc |
|
| 22 |
| url |
VCID-skxv-7he3-xqgc |
| vulnerability_id |
VCID-skxv-7he3-xqgc |
| summary |
Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href
## Summary
`Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename begins with the `javascript:` scheme (e.g. `javascript:alert(1)`), the generated index includes an anchor whose `href` attribute is exactly `javascript:alert(1)`. Clicking this entry executes arbitrary JavaScript in the context of the hosting application.
This results in a client-side XSS condition in directory listings generated by `Rack::Directory`.
## Details
`Rack::Directory` renders directory entries using an HTML row template similar to:
```html
<a href='%s'>%s</a>
```
The `%s` placeholder is populated directly with the file’s basename. If the basename begins with `javascript:`, the resulting HTML contains an executable JavaScript URL:
```html
<a href='javascript:alert(1)'>javascript:alert(1)</a>
```
Because the value is inserted directly into the `href` attribute without scheme validation or normalization, browsers interpret it as a JavaScript URI. When a user clicks the link, the JavaScript executes in the origin of the Rack application.
## Impact
If `Rack::Directory` is used to expose filesystem contents over HTTP, an attacker who can create or upload files within that directory may introduce a malicious filename beginning with `javascript:`.
When a user visits the directory listing and clicks the entry, arbitrary JavaScript executes in the application's origin. Exploitation requires user interaction (clicking the malicious entry).
## Mitigation
* Update to a patched version of Rack in which `Rack::Directory` prefixes generated anchors with a relative path indicator (e.g. `./filename`).
* Avoid exposing user-controlled directories via `Rack::Directory`.
* Apply a strict Content Security Policy (CSP) to reduce impact of potential client-side execution issues.
* Where feasible, restrict or sanitize uploaded filenames to disallow dangerous URI scheme prefixes.
HackerOne profile:
https://hackerone.com/thesmartshadow
GitHub account owner:
Ali Firas (@thesmartshadow) |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2026-25500 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00021 |
| scoring_system |
epss |
| scoring_elements |
0.05751 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00021 |
| scoring_system |
epss |
| scoring_elements |
0.05787 |
| published_at |
2026-04-13T12:55:00Z |
|
| 2 |
| value |
0.00021 |
| scoring_system |
epss |
| scoring_elements |
0.05793 |
| published_at |
2026-04-12T12:55:00Z |
|
| 3 |
| value |
0.00021 |
| scoring_system |
epss |
| scoring_elements |
0.05801 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.00021 |
| scoring_system |
epss |
| scoring_elements |
0.05797 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00021 |
| scoring_system |
epss |
| scoring_elements |
0.05758 |
| published_at |
2026-04-07T12:55:00Z |
|
| 6 |
| value |
0.00021 |
| scoring_system |
epss |
| scoring_elements |
0.05764 |
| published_at |
2026-04-04T12:55:00Z |
|
| 7 |
| value |
0.00021 |
| scoring_system |
epss |
| scoring_elements |
0.05724 |
| published_at |
2026-04-02T12:55:00Z |
|
| 8 |
| value |
0.00021 |
| scoring_system |
epss |
| scoring_elements |
0.05822 |
| published_at |
2026-04-09T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2026-25500 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
|
| fixed_packages |
|
| aliases |
CVE-2026-25500, GHSA-whrj-4476-wvmp
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-skxv-7he3-xqgc |
|
| 23 |
| url |
VCID-teq8-nqhf-xbbq |
| vulnerability_id |
VCID-teq8-nqhf-xbbq |
| summary |
Improper Restriction of Operations within the Bounds of a Memory Buffer
multipart/parser.rb in Rack allows remote attackers to cause a denial of service (memory consumption and out-of-memory error) via a long string in a Multipart HTTP packet. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2013-0183 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.01824 |
| scoring_system |
epss |
| scoring_elements |
0.8292 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.01824 |
| scoring_system |
epss |
| scoring_elements |
0.82816 |
| published_at |
2026-04-01T12:55:00Z |
|
| 2 |
| value |
0.01824 |
| scoring_system |
epss |
| scoring_elements |
0.82833 |
| published_at |
2026-04-02T12:55:00Z |
|
| 3 |
| value |
0.01824 |
| scoring_system |
epss |
| scoring_elements |
0.82846 |
| published_at |
2026-04-04T12:55:00Z |
|
| 4 |
| value |
0.01824 |
| scoring_system |
epss |
| scoring_elements |
0.82842 |
| published_at |
2026-04-07T12:55:00Z |
|
| 5 |
| value |
0.01824 |
| scoring_system |
epss |
| scoring_elements |
0.82868 |
| published_at |
2026-04-08T12:55:00Z |
|
| 6 |
| value |
0.01824 |
| scoring_system |
epss |
| scoring_elements |
0.82874 |
| published_at |
2026-04-09T12:55:00Z |
|
| 7 |
| value |
0.01824 |
| scoring_system |
epss |
| scoring_elements |
0.8289 |
| published_at |
2026-04-11T12:55:00Z |
|
| 8 |
| value |
0.01824 |
| scoring_system |
epss |
| scoring_elements |
0.82885 |
| published_at |
2026-04-12T12:55:00Z |
|
| 9 |
| value |
0.01824 |
| scoring_system |
epss |
| scoring_elements |
0.82881 |
| published_at |
2026-04-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2013-0183 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@1.4.3 |
| purl |
pkg:gem/rack@1.4.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-35e6-cpn8-w7h1 |
|
| 1 |
| vulnerability |
VCID-3ycr-9smk-uqdc |
|
| 2 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 3 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 4 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 5 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 6 |
| vulnerability |
VCID-8zkw-y3yd-yuft |
|
| 7 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 8 |
| vulnerability |
VCID-9uh8-upzm-7bgd |
|
| 9 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 10 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 11 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 12 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 13 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 14 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 15 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 16 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 17 |
| vulnerability |
VCID-jxws-ws21-4uaa |
|
| 18 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 19 |
| vulnerability |
VCID-qt1u-2p37-xfet |
|
| 20 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 21 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 22 |
| vulnerability |
VCID-udc4-7jnt-y3fu |
|
| 23 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 24 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 25 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 26 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 27 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
| 28 |
| vulnerability |
VCID-xnz5-gv2x-17bk |
|
| 29 |
| vulnerability |
VCID-y12d-fjpf-uubh |
|
| 30 |
| vulnerability |
VCID-yw62-qbkq-9ygq |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@1.4.3 |
|
|
| aliases |
CVE-2013-0183, GHSA-3pxh-h8hw-mj8w, OSV-89320
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-teq8-nqhf-xbbq |
|
| 24 |
| url |
VCID-udc4-7jnt-y3fu |
| vulnerability_id |
VCID-udc4-7jnt-y3fu |
| summary |
Multiple vulnerabilities have been discovered in Rack, the worst of which can lead to sequence injection in logging components. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-30123 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.02072 |
| scoring_system |
epss |
| scoring_elements |
0.83974 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.02072 |
| scoring_system |
epss |
| scoring_elements |
0.83914 |
| published_at |
2026-04-07T12:55:00Z |
|
| 2 |
| value |
0.02072 |
| scoring_system |
epss |
| scoring_elements |
0.83937 |
| published_at |
2026-04-08T12:55:00Z |
|
| 3 |
| value |
0.02072 |
| scoring_system |
epss |
| scoring_elements |
0.83944 |
| published_at |
2026-04-09T12:55:00Z |
|
| 4 |
| value |
0.02072 |
| scoring_system |
epss |
| scoring_elements |
0.8396 |
| published_at |
2026-04-11T12:55:00Z |
|
| 5 |
| value |
0.02072 |
| scoring_system |
epss |
| scoring_elements |
0.83949 |
| published_at |
2026-04-13T12:55:00Z |
|
| 6 |
| value |
0.02072 |
| scoring_system |
epss |
| scoring_elements |
0.83953 |
| published_at |
2026-04-12T12:55:00Z |
|
| 7 |
| value |
0.02128 |
| scoring_system |
epss |
| scoring_elements |
0.84126 |
| published_at |
2026-04-04T12:55:00Z |
|
| 8 |
| value |
0.02128 |
| scoring_system |
epss |
| scoring_elements |
0.84109 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-30123 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@2.0.9.1 |
| purl |
pkg:gem/rack@2.0.9.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 2 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 3 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 4 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 5 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 6 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 7 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 8 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 9 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 10 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 11 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 12 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 13 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 14 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 15 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 16 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 17 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 18 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 19 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 20 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 21 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.0.9.1 |
|
| 1 |
| url |
pkg:gem/rack@2.1.4.1 |
| purl |
pkg:gem/rack@2.1.4.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 2 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 3 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 4 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 5 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 6 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 7 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 8 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 9 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 10 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 11 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 12 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 13 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 14 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 15 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 16 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 17 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 18 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 19 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 20 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 21 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.1.4.1 |
|
| 2 |
| url |
pkg:gem/rack@2.2.3.1 |
| purl |
pkg:gem/rack@2.2.3.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 2 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 3 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 4 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 5 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 6 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 7 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 8 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 9 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 10 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 11 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 12 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 13 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 14 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 15 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 16 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 17 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 18 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 19 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 20 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 21 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.3.1 |
|
|
| aliases |
CVE-2022-30123, GHSA-wq4h-7r42-5hrr, GMS-2022-1644
|
| risk_score |
4.5 |
| exploitability |
0.5 |
| weighted_severity |
9.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-udc4-7jnt-y3fu |
|
| 25 |
| url |
VCID-vkrw-y1j6-6fe7 |
| vulnerability_id |
VCID-vkrw-y1j6-6fe7 |
| summary |
Duplicate
This advisory duplicates another. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2022-44571 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.03289 |
| scoring_system |
epss |
| scoring_elements |
0.87172 |
| published_at |
2026-04-04T12:55:00Z |
|
| 1 |
| value |
0.03289 |
| scoring_system |
epss |
| scoring_elements |
0.87155 |
| published_at |
2026-04-02T12:55:00Z |
|
| 2 |
| value |
0.03631 |
| scoring_system |
epss |
| scoring_elements |
0.87847 |
| published_at |
2026-04-16T12:55:00Z |
|
| 3 |
| value |
0.03631 |
| scoring_system |
epss |
| scoring_elements |
0.87801 |
| published_at |
2026-04-07T12:55:00Z |
|
| 4 |
| value |
0.03631 |
| scoring_system |
epss |
| scoring_elements |
0.87822 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.03631 |
| scoring_system |
epss |
| scoring_elements |
0.87829 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.03631 |
| scoring_system |
epss |
| scoring_elements |
0.87841 |
| published_at |
2026-04-11T12:55:00Z |
|
| 7 |
| value |
0.03631 |
| scoring_system |
epss |
| scoring_elements |
0.87835 |
| published_at |
2026-04-12T12:55:00Z |
|
| 8 |
| value |
0.03631 |
| scoring_system |
epss |
| scoring_elements |
0.87833 |
| published_at |
2026-04-13T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2022-44571 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@2.0.9.2 |
| purl |
pkg:gem/rack@2.0.9.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 4 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 5 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 6 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 7 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 8 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 9 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 10 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 11 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 12 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 13 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 14 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 15 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 16 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 17 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 18 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 19 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 20 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.0.9.2 |
|
| 1 |
| url |
pkg:gem/rack@2.1.4.2 |
| purl |
pkg:gem/rack@2.1.4.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 4 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 5 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 6 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 7 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 8 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 9 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 10 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 11 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 12 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 13 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 14 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 15 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 16 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 17 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 18 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 19 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 20 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.1.4.2 |
|
| 2 |
| url |
pkg:gem/rack@2.2.6.1 |
| purl |
pkg:gem/rack@2.2.6.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 2 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 3 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 4 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 5 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 6 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 7 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 8 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 9 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 10 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 11 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 12 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 13 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 14 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 15 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 16 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 17 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 18 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 19 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 20 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 21 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.6.1 |
|
| 3 |
| url |
pkg:gem/rack@3.0.4.1 |
| purl |
pkg:gem/rack@3.0.4.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 4 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 5 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 6 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 7 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 8 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 9 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 10 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 11 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 12 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 13 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 14 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 15 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 16 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.4.1 |
|
|
| aliases |
CVE-2022-44571, GHSA-93pm-5p5f-3ghx, GMS-2023-65
|
| risk_score |
3.4 |
| exploitability |
0.5 |
| weighted_severity |
6.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-vkrw-y1j6-6fe7 |
|
| 26 |
| url |
VCID-w732-52bx-2qf8 |
| vulnerability_id |
VCID-w732-52bx-2qf8 |
| summary |
Possible Log Injection in Rack::CommonLogger
## Summary
`Rack::CommonLogger` can be exploited by crafting input that includes newline characters to manipulate log entries. The supplied proof-of-concept demonstrates injecting malicious content into logs.
## Details
When a user provides authorization credentials via `Rack::Auth::Basic`, on success the username is put in `env['REMOTE_USER']` and later used by `Rack::CommonLogger` for logging purposes.
The issue occurs when a server intentionally or unintentionally allows a user to be created with a username containing CRLF and whitespace characters, or when the server simply wants to log every login attempt. If an attacker enters a username with CRLF characters, the logger will write the malicious username, CRLF characters included, into the logfile.
## Impact
Attackers can break log formats or insert fraudulent entries, potentially obscuring real activity or injecting malicious data into log files.
## Mitigation
- Update to the latest version of Rack. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-25184 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.01039 |
| scoring_system |
epss |
| scoring_elements |
0.77455 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.01039 |
| scoring_system |
epss |
| scoring_elements |
0.77416 |
| published_at |
2026-04-13T12:55:00Z |
|
| 2 |
| value |
0.01039 |
| scoring_system |
epss |
| scoring_elements |
0.7742 |
| published_at |
2026-04-12T12:55:00Z |
|
| 3 |
| value |
0.01039 |
| scoring_system |
epss |
| scoring_elements |
0.7744 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.01039 |
| scoring_system |
epss |
| scoring_elements |
0.77414 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.01039 |
| scoring_system |
epss |
| scoring_elements |
0.77405 |
| published_at |
2026-04-08T12:55:00Z |
|
| 6 |
| value |
0.01039 |
| scoring_system |
epss |
| scoring_elements |
0.77375 |
| published_at |
2026-04-07T12:55:00Z |
|
| 7 |
| value |
0.01068 |
| scoring_system |
epss |
| scoring_elements |
0.77685 |
| published_at |
2026-04-04T12:55:00Z |
|
| 8 |
| value |
0.01068 |
| scoring_system |
epss |
| scoring_elements |
0.77658 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-25184 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://github.com/rack/rack |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
|
| 1 |
| value |
5.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P |
|
| 2 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
|
| url |
https://github.com/rack/rack |
|
| 5 |
|
| 6 |
| reference_url |
https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
6.5 |
| scoring_system |
cvssv3 |
| scoring_elements |
|
|
| 1 |
| value |
6.5 |
| scoring_system |
cvssv3.1 |
| scoring_elements |
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
|
| 2 |
| value |
MODERATE |
| scoring_system |
cvssv3.1_qr |
| scoring_elements |
|
|
| 3 |
| value |
5.7 |
| scoring_system |
cvssv4 |
| scoring_elements |
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P |
|
| 4 |
| value |
MODERATE |
| scoring_system |
generic_textual |
| scoring_elements |
|
|
| 5 |
| value |
Track |
| scoring_system |
ssvc |
| scoring_elements |
SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2025-02-12T19:09:07Z/ |
|
|
| url |
https://github.com/rack/rack/security/advisories/GHSA-7g2v-jj9q-g3rg |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@2.2.11 |
| purl |
pkg:gem/rack@2.2.11 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 4 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 5 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 6 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 7 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 8 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 9 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 10 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 11 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 12 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.11 |
|
| 1 |
| url |
pkg:gem/rack@3.0.0.beta1 |
| purl |
pkg:gem/rack@3.0.0.beta1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1j61-5e8x-7fbd |
|
| 1 |
| vulnerability |
VCID-2p73-rc9t-rudb |
|
| 2 |
| vulnerability |
VCID-2qba-a6bp-ryak |
|
| 3 |
| vulnerability |
VCID-5twm-pqc2-xyfn |
|
| 4 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 5 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 6 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 7 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 8 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 9 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 10 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 11 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 12 |
| vulnerability |
VCID-dh75-6jyw-1ke2 |
|
| 13 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 14 |
| vulnerability |
VCID-j34j-bgfd-8fez |
|
| 15 |
| vulnerability |
VCID-jg77-mm5c-gydu |
|
| 16 |
| vulnerability |
VCID-m98a-mcyb-c7fm |
|
| 17 |
| vulnerability |
VCID-metf-cghw-p3b5 |
|
| 18 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 19 |
| vulnerability |
VCID-p3dk-p1gb-kkem |
|
| 20 |
| vulnerability |
VCID-pbu7-4hdm-s3a6 |
|
| 21 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 22 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 23 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 24 |
| vulnerability |
VCID-wvs1-dhwp-ebat |
|
| 25 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.0.beta1 |
|
| 2 |
| url |
pkg:gem/rack@3.0.12 |
| purl |
pkg:gem/rack@3.0.12 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 4 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 5 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 6 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 7 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 8 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 9 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 10 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.12 |
|
| 3 |
| url |
pkg:gem/rack@3.1.10 |
| purl |
pkg:gem/rack@3.1.10 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 4 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 5 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 6 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 7 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 8 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 9 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 10 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.10 |
|
|
| aliases |
CVE-2025-25184, GHSA-7g2v-jj9q-g3rg
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-w732-52bx-2qf8 |
|
| 27 |
| url |
VCID-wt7k-s1yd-nke6 |
| vulnerability_id |
VCID-wt7k-s1yd-nke6 |
| summary |
Local File Inclusion in Rack::Static
## Summary
`Rack::Static` can serve files under the specified `root:` even if `urls:` are provided, which may expose other files under the specified `root:` unexpectedly.
## Details
The vulnerability occurs because `Rack::Static` does not properly sanitize user-supplied paths before serving files. Specifically, encoded path traversal sequences are not correctly validated, allowing attackers to access files outside the designated static file directory.
## Impact
By exploiting this vulnerability, an attacker can gain access to all files under the specified `root:` directory, provided they are able to determine the path of the file.
## Mitigation
- Update to the latest version of Rack, or
- Remove usage of `Rack::Static`, or
- Ensure that `root:` points at a directory path which only contains files which should be accessed publicly.
It is likely that a CDN or similar static file server would also mitigate the issue. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-27610 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00415 |
| scoring_system |
epss |
| scoring_elements |
0.61706 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00415 |
| scoring_system |
epss |
| scoring_elements |
0.61664 |
| published_at |
2026-04-13T12:55:00Z |
|
| 2 |
| value |
0.00415 |
| scoring_system |
epss |
| scoring_elements |
0.61684 |
| published_at |
2026-04-12T12:55:00Z |
|
| 3 |
| value |
0.00415 |
| scoring_system |
epss |
| scoring_elements |
0.61695 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.00415 |
| scoring_system |
epss |
| scoring_elements |
0.61659 |
| published_at |
2026-04-08T12:55:00Z |
|
| 5 |
| value |
0.00415 |
| scoring_system |
epss |
| scoring_elements |
0.61674 |
| published_at |
2026-04-09T12:55:00Z |
|
| 6 |
| value |
0.00415 |
| scoring_system |
epss |
| scoring_elements |
0.6164 |
| published_at |
2026-04-04T12:55:00Z |
|
| 7 |
| value |
0.00415 |
| scoring_system |
epss |
| scoring_elements |
0.61611 |
| published_at |
2026-04-07T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-27610 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@2.2.13 |
| purl |
pkg:gem/rack@2.2.13 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 2 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 3 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 4 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 5 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 6 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 7 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 8 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 9 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 10 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.13 |
|
| 1 |
| url |
pkg:gem/rack@3.0.0.beta1 |
| purl |
pkg:gem/rack@3.0.0.beta1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-1j61-5e8x-7fbd |
|
| 1 |
| vulnerability |
VCID-2p73-rc9t-rudb |
|
| 2 |
| vulnerability |
VCID-2qba-a6bp-ryak |
|
| 3 |
| vulnerability |
VCID-5twm-pqc2-xyfn |
|
| 4 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 5 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 6 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 7 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 8 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 9 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 10 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 11 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 12 |
| vulnerability |
VCID-dh75-6jyw-1ke2 |
|
| 13 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 14 |
| vulnerability |
VCID-j34j-bgfd-8fez |
|
| 15 |
| vulnerability |
VCID-jg77-mm5c-gydu |
|
| 16 |
| vulnerability |
VCID-m98a-mcyb-c7fm |
|
| 17 |
| vulnerability |
VCID-metf-cghw-p3b5 |
|
| 18 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 19 |
| vulnerability |
VCID-p3dk-p1gb-kkem |
|
| 20 |
| vulnerability |
VCID-pbu7-4hdm-s3a6 |
|
| 21 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 22 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 23 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 24 |
| vulnerability |
VCID-wvs1-dhwp-ebat |
|
| 25 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.0.beta1 |
|
| 2 |
|
| 3 |
|
|
| aliases |
CVE-2025-27610, GHSA-7wqh-767x-r66v
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-wt7k-s1yd-nke6 |
|
| 28 |
| url |
VCID-xazq-qrm1-9ff6 |
| vulnerability_id |
VCID-xazq-qrm1-9ff6 |
| summary |
Rack session gets restored after deletion
### Summary
When using the `Rack::Session::Pool` middleware, simultaneous rack requests can restore a deleted rack session, which allows the unauthenticated user to occupy that session.
### Details
[Rack session middleware](https://github.com/rack/rack/blob/v2.2.13/lib/rack/session/abstract/id.rb#L263-L270) prepares the session at the beginning of a request, then saves it back to the store with any changes applied by the host rack application. This makes the session subject to race conditions, in the general sense, across concurrent rack requests.
### Impact
When using the `Rack::Session::Pool` middleware, and provided the attacker can acquire a session cookie (already a major issue), the session may be restored if the attacker can trigger a long-running request (within that same session) adjacent to the user logging out, allowing them to retain illicit access even after the user has attempted to log out.
### Mitigation
- Update to the latest version of `rack`, or
- Ensure your application invalidates sessions atomically by marking them as logged out e.g., using a `logged_out` flag, instead of deleting them, and check this flag on every request to prevent reuse, or
- Implement a custom session store that tracks session invalidation timestamps and refuses to accept session data if the session was invalidated after the request began.
### Related
As this code was moved to `rack-session` in Rack 3+, see <https://github.com/rack/rack-session/security/advisories/GHSA-9j94-67jr-4cqj> for the equivalent advisory in `rack-session` (affecting Rack 3+ only). |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2025-32441 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00096 |
| scoring_system |
epss |
| scoring_elements |
0.26521 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.00096 |
| scoring_system |
epss |
| scoring_elements |
0.26514 |
| published_at |
2026-04-13T12:55:00Z |
|
| 2 |
| value |
0.00096 |
| scoring_system |
epss |
| scoring_elements |
0.26571 |
| published_at |
2026-04-12T12:55:00Z |
|
| 3 |
| value |
0.00096 |
| scoring_system |
epss |
| scoring_elements |
0.26617 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.00096 |
| scoring_system |
epss |
| scoring_elements |
0.26612 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.00096 |
| scoring_system |
epss |
| scoring_elements |
0.26495 |
| published_at |
2026-04-07T12:55:00Z |
|
| 6 |
| value |
0.00096 |
| scoring_system |
epss |
| scoring_elements |
0.26563 |
| published_at |
2026-04-08T12:55:00Z |
|
| 7 |
| value |
0.00096 |
| scoring_system |
epss |
| scoring_elements |
0.26709 |
| published_at |
2026-04-04T12:55:00Z |
|
| 8 |
| value |
0.00096 |
| scoring_system |
epss |
| scoring_elements |
0.26667 |
| published_at |
2026-04-02T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2025-32441 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
|
| fixed_packages |
|
| aliases |
CVE-2025-32441, GHSA-vpfw-47h7-xj4g
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xazq-qrm1-9ff6 |
|
| 29 |
| url |
VCID-xkah-9nv9-wufd |
| vulnerability_id |
VCID-xkah-9nv9-wufd |
| summary |
Possible Denial of Service Vulnerability in Rack’s header parsing
There is a denial of service vulnerability in the header parsing component of Rack. Carefully crafted input can cause header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. Any applications that parse headers using Rack (virtually all Rails applications) are impacted. Workarounds: setting `Regexp.timeout` in Ruby 3.2 is a possible workaround. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2023-27539 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.00328 |
| scoring_system |
epss |
| scoring_elements |
0.55793 |
| published_at |
2026-04-02T12:55:00Z |
|
| 1 |
| value |
0.00328 |
| scoring_system |
epss |
| scoring_elements |
0.55815 |
| published_at |
2026-04-04T12:55:00Z |
|
| 2 |
| value |
0.00335 |
| scoring_system |
epss |
| scoring_elements |
0.56406 |
| published_at |
2026-04-16T12:55:00Z |
|
| 3 |
| value |
0.00335 |
| scoring_system |
epss |
| scoring_elements |
0.56392 |
| published_at |
2026-04-12T12:55:00Z |
|
| 4 |
| value |
0.00335 |
| scoring_system |
epss |
| scoring_elements |
0.56374 |
| published_at |
2026-04-13T12:55:00Z |
|
| 5 |
| value |
0.00335 |
| scoring_system |
epss |
| scoring_elements |
0.56416 |
| published_at |
2026-04-11T12:55:00Z |
|
| 6 |
| value |
0.00364 |
| scoring_system |
epss |
| scoring_elements |
0.58428 |
| published_at |
2026-04-07T12:55:00Z |
|
| 7 |
| value |
0.00364 |
| scoring_system |
epss |
| scoring_elements |
0.58487 |
| published_at |
2026-04-09T12:55:00Z |
|
| 8 |
| value |
0.00364 |
| scoring_system |
epss |
| scoring_elements |
0.58481 |
| published_at |
2026-04-08T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2023-27539 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@2.2.6.4 |
| purl |
pkg:gem/rack@2.2.6.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 4 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 5 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 6 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 7 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 8 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 9 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 10 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 11 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 12 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 13 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 14 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 15 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 16 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.6.4 |
|
| 1 |
| url |
pkg:gem/rack@3.0.6.1 |
| purl |
pkg:gem/rack@3.0.6.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 2 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 3 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 4 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 5 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 6 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 7 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 8 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 9 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 10 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 11 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 12 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 13 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 14 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0.6.1 |
|
|
| aliases |
CVE-2023-27539, GHSA-c6qg-cjj8-47qp, GMS-2023-769
|
| risk_score |
2.4 |
| exploitability |
0.5 |
| weighted_severity |
4.8 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xkah-9nv9-wufd |
|
| 30 |
| url |
VCID-xnz5-gv2x-17bk |
| vulnerability_id |
VCID-xnz5-gv2x-17bk |
| summary |
Rack allows Percent-encoded cookies to overwrite existing prefixed cookie names
A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it possible for an attacker to forge a secure or host-only cookie prefix. |
| references |
| 0 |
|
| 1 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2020-8184 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.01067 |
| scoring_system |
epss |
| scoring_elements |
0.77742 |
| published_at |
2026-04-16T12:55:00Z |
|
| 1 |
| value |
0.01067 |
| scoring_system |
epss |
| scoring_elements |
0.77705 |
| published_at |
2026-04-13T12:55:00Z |
|
| 2 |
| value |
0.01067 |
| scoring_system |
epss |
| scoring_elements |
0.77706 |
| published_at |
2026-04-12T12:55:00Z |
|
| 3 |
| value |
0.01067 |
| scoring_system |
epss |
| scoring_elements |
0.77722 |
| published_at |
2026-04-11T12:55:00Z |
|
| 4 |
| value |
0.01067 |
| scoring_system |
epss |
| scoring_elements |
0.77696 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.01067 |
| scoring_system |
epss |
| scoring_elements |
0.7769 |
| published_at |
2026-04-08T12:55:00Z |
|
| 6 |
| value |
0.01067 |
| scoring_system |
epss |
| scoring_elements |
0.77662 |
| published_at |
2026-04-07T12:55:00Z |
|
| 7 |
| value |
0.01162 |
| scoring_system |
epss |
| scoring_elements |
0.7859 |
| published_at |
2026-04-04T12:55:00Z |
|
| 8 |
| value |
0.01162 |
| scoring_system |
epss |
| scoring_elements |
0.78559 |
| published_at |
2026-04-02T12:55:00Z |
|
| 9 |
| value |
0.01162 |
| scoring_system |
epss |
| scoring_elements |
0.78552 |
| published_at |
2026-04-01T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2020-8184 |
|
| 2 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@2.1.4 |
| purl |
pkg:gem/rack@2.1.4 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 2 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 3 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 4 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 5 |
| vulnerability |
VCID-8zkw-y3yd-yuft |
|
| 6 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 7 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 8 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 9 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 10 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 11 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 12 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 13 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 14 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 15 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 16 |
| vulnerability |
VCID-qt1u-2p37-xfet |
|
| 17 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 18 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 19 |
| vulnerability |
VCID-udc4-7jnt-y3fu |
|
| 20 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 21 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 22 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 23 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 24 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.1.4 |
|
| 1 |
| url |
pkg:gem/rack@2.2.3 |
| purl |
pkg:gem/rack@2.2.3 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 2 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 3 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 4 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 5 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 6 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 7 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 8 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 9 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 10 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 11 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 12 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 13 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 14 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 15 |
| vulnerability |
VCID-qt1u-2p37-xfet |
|
| 16 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 17 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 18 |
| vulnerability |
VCID-udc4-7jnt-y3fu |
|
| 19 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 20 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 21 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 22 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 23 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.3 |
|
|
| aliases |
CVE-2020-8184, GHSA-j6w9-fv6q-3q52
|
| risk_score |
4.0 |
| exploitability |
0.5 |
| weighted_severity |
8.0 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-xnz5-gv2x-17bk |
|
| 31 |
| url |
VCID-y12d-fjpf-uubh |
| vulnerability_id |
VCID-y12d-fjpf-uubh |
| summary |
Timing attack against Rack::Session::Cookie
Affected versions allow remote attackers to guess the session cookie, gain privileges, and execute arbitrary code via a timing attack involving an HMAC comparison function that does not run in constant time. |
| references |
| 0 |
|
| 1 |
|
| 2 |
|
| 3 |
|
| 4 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2013-0263 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.08626 |
| scoring_system |
epss |
| scoring_elements |
0.92398 |
| published_at |
2026-04-01T12:55:00Z |
|
| 1 |
| value |
0.08626 |
| scoring_system |
epss |
| scoring_elements |
0.92416 |
| published_at |
2026-04-07T12:55:00Z |
|
| 2 |
| value |
0.08626 |
| scoring_system |
epss |
| scoring_elements |
0.92413 |
| published_at |
2026-04-04T12:55:00Z |
|
| 3 |
| value |
0.08626 |
| scoring_system |
epss |
| scoring_elements |
0.92405 |
| published_at |
2026-04-02T12:55:00Z |
|
| 4 |
| value |
0.08626 |
| scoring_system |
epss |
| scoring_elements |
0.9245 |
| published_at |
2026-04-16T12:55:00Z |
|
| 5 |
| value |
0.08626 |
| scoring_system |
epss |
| scoring_elements |
0.92439 |
| published_at |
2026-04-13T12:55:00Z |
|
| 6 |
| value |
0.08626 |
| scoring_system |
epss |
| scoring_elements |
0.92441 |
| published_at |
2026-04-12T12:55:00Z |
|
| 7 |
| value |
0.08626 |
| scoring_system |
epss |
| scoring_elements |
0.92438 |
| published_at |
2026-04-11T12:55:00Z |
|
| 8 |
| value |
0.08626 |
| scoring_system |
epss |
| scoring_elements |
0.92432 |
| published_at |
2026-04-09T12:55:00Z |
|
| 9 |
| value |
0.08626 |
| scoring_system |
epss |
| scoring_elements |
0.92428 |
| published_at |
2026-04-08T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2013-0263 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
| 24 |
|
| 25 |
|
| 26 |
|
| 27 |
|
| 28 |
|
| 29 |
|
| 30 |
|
| 31 |
|
| 32 |
|
| 33 |
|
| 34 |
|
| 35 |
|
| 36 |
|
| 37 |
|
| 38 |
|
| 39 |
|
| 40 |
|
| 41 |
|
| 42 |
|
| 43 |
|
| 44 |
|
| 45 |
|
| 46 |
|
| 47 |
|
| 48 |
|
| 49 |
|
| 50 |
|
| 51 |
|
| 52 |
|
| 53 |
|
| 54 |
|
| 55 |
|
| 56 |
|
| 57 |
|
| 58 |
|
| 59 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@1.4.5 |
| purl |
pkg:gem/rack@1.4.5 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3ycr-9smk-uqdc |
|
| 1 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 2 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 3 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 4 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 5 |
| vulnerability |
VCID-8zkw-y3yd-yuft |
|
| 6 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 7 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 8 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 9 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 10 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 11 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 12 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 13 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 14 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 15 |
| vulnerability |
VCID-jxws-ws21-4uaa |
|
| 16 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 17 |
| vulnerability |
VCID-qt1u-2p37-xfet |
|
| 18 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 19 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 20 |
| vulnerability |
VCID-udc4-7jnt-y3fu |
|
| 21 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 22 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 23 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 24 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 25 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
| 26 |
| vulnerability |
VCID-xnz5-gv2x-17bk |
|
| 27 |
| vulnerability |
VCID-yw62-qbkq-9ygq |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@1.4.5 |
|
| 1 |
| url |
pkg:gem/rack@1.5.0.beta.1 |
| purl |
pkg:gem/rack@1.5.0.beta.1 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-35e6-cpn8-w7h1 |
|
| 1 |
| vulnerability |
VCID-3ycr-9smk-uqdc |
|
| 2 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 3 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 4 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 5 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 6 |
| vulnerability |
VCID-8zkw-y3yd-yuft |
|
| 7 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 8 |
| vulnerability |
VCID-9uh8-upzm-7bgd |
|
| 9 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 10 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 11 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 12 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 13 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 14 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 15 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 16 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 17 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 18 |
| vulnerability |
VCID-qt1u-2p37-xfet |
|
| 19 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 20 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 21 |
| vulnerability |
VCID-udc4-7jnt-y3fu |
|
| 22 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 23 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 24 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 25 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 26 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
| 27 |
| vulnerability |
VCID-xnz5-gv2x-17bk |
|
| 28 |
| vulnerability |
VCID-y12d-fjpf-uubh |
|
| 29 |
| vulnerability |
VCID-yw62-qbkq-9ygq |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@1.5.0.beta.1 |
|
| 2 |
| url |
pkg:gem/rack@1.5.2 |
| purl |
pkg:gem/rack@1.5.2 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-3ycr-9smk-uqdc |
|
| 1 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 2 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 3 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 4 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 5 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 6 |
| vulnerability |
VCID-8zkw-y3yd-yuft |
|
| 7 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 8 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 9 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 10 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 11 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 12 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 13 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 14 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 15 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 16 |
| vulnerability |
VCID-jxws-ws21-4uaa |
|
| 17 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 18 |
| vulnerability |
VCID-qt1u-2p37-xfet |
|
| 19 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 20 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 21 |
| vulnerability |
VCID-udc4-7jnt-y3fu |
|
| 22 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 23 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 24 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 25 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 26 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
| 27 |
| vulnerability |
VCID-xnz5-gv2x-17bk |
|
| 28 |
| vulnerability |
VCID-yw62-qbkq-9ygq |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@1.5.2 |
|
|
| aliases |
CVE-2013-0263, GHSA-xc85-32mf-xpv8, OSV-89939
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-y12d-fjpf-uubh |
|
| 32 |
| url |
VCID-yw62-qbkq-9ygq |
| vulnerability_id |
VCID-yw62-qbkq-9ygq |
| summary |
Possible Information Leak / Session Hijack Vulnerability in Rack
There's a possible information leak / session hijack vulnerability in Rack. Attackers may be able to find and hijack sessions by using timing attacks targeting the session id. Session ids are usually stored and indexed in a database that uses some kind of scheme for speeding up lookups of that session id. By carefully measuring the amount of time it takes to look up a session, an attacker may be able to find a valid session id and hijack the session.
The session id itself may be generated randomly, but the way the session is indexed by the backing store does not use a secure comparison.
### Impact
The session id stored in a cookie is the same id that is used when querying the backing session storage engine. Most storage mechanisms (for example a database) use some sort of indexing in order to speed up the lookup of that id. By carefully timing requests and session lookup failures, an attacker may be able to perform a timing attack to determine an existing session id and hijack that session.
## Releases
The 1.6.12 and 2.0.8 releases are available at the normal locations.
### Workarounds
There are no known workarounds.
### Patches
To aid users who aren't able to upgrade immediately we have provided patches for
the two supported release series. They are in git-am format and consist of a
single changeset.
* 1-6-session-timing-attack.patch - Patch for 1.6 series
* 2-0-session-timing-attack.patch - Patch for 2.0 series
### Credits
Thanks Will Leinweber for reporting this! |
| references |
| 0 |
|
| 1 |
|
| 2 |
| reference_url |
https://api.first.org/data/v1/epss?cve=CVE-2019-16782 |
| reference_id |
|
| reference_type |
|
| scores |
| 0 |
| value |
0.01251 |
| scoring_system |
epss |
| scoring_elements |
0.7936 |
| published_at |
2026-04-11T12:55:00Z |
|
| 1 |
| value |
0.01251 |
| scoring_system |
epss |
| scoring_elements |
0.79361 |
| published_at |
2026-04-16T12:55:00Z |
|
| 2 |
| value |
0.01251 |
| scoring_system |
epss |
| scoring_elements |
0.79334 |
| published_at |
2026-04-13T12:55:00Z |
|
| 3 |
| value |
0.01251 |
| scoring_system |
epss |
| scoring_elements |
0.79345 |
| published_at |
2026-04-12T12:55:00Z |
|
| 4 |
| value |
0.01251 |
| scoring_system |
epss |
| scoring_elements |
0.79336 |
| published_at |
2026-04-09T12:55:00Z |
|
| 5 |
| value |
0.01251 |
| scoring_system |
epss |
| scoring_elements |
0.79327 |
| published_at |
2026-04-08T12:55:00Z |
|
| 6 |
| value |
0.01251 |
| scoring_system |
epss |
| scoring_elements |
0.79301 |
| published_at |
2026-04-07T12:55:00Z |
|
| 7 |
| value |
0.01251 |
| scoring_system |
epss |
| scoring_elements |
0.79315 |
| published_at |
2026-04-04T12:55:00Z |
|
| 8 |
| value |
0.01251 |
| scoring_system |
epss |
| scoring_elements |
0.79291 |
| published_at |
2026-04-02T12:55:00Z |
|
| 9 |
| value |
0.01251 |
| scoring_system |
epss |
| scoring_elements |
0.79285 |
| published_at |
2026-04-01T12:55:00Z |
|
|
| url |
https://api.first.org/data/v1/epss?cve=CVE-2019-16782 |
|
| 3 |
|
| 4 |
|
| 5 |
|
| 6 |
|
| 7 |
|
| 8 |
|
| 9 |
|
| 10 |
|
| 11 |
|
| 12 |
|
| 13 |
|
| 14 |
|
| 15 |
|
| 16 |
|
| 17 |
|
| 18 |
|
| 19 |
|
| 20 |
|
| 21 |
|
| 22 |
|
| 23 |
|
|
| fixed_packages |
| 0 |
| url |
pkg:gem/rack@1.6.12 |
| purl |
pkg:gem/rack@1.6.12 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 2 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 3 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 4 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 5 |
| vulnerability |
VCID-8zkw-y3yd-yuft |
|
| 6 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 7 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 8 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 9 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 10 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 11 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 12 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 13 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 14 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 15 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 16 |
| vulnerability |
VCID-qt1u-2p37-xfet |
|
| 17 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 18 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 19 |
| vulnerability |
VCID-udc4-7jnt-y3fu |
|
| 20 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 21 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 22 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 23 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 24 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
| 25 |
| vulnerability |
VCID-xnz5-gv2x-17bk |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@1.6.12 |
|
| 1 |
| url |
pkg:gem/rack@2.0.0.alpha |
| purl |
pkg:gem/rack@2.0.0.alpha |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 2 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 3 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 4 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 5 |
| vulnerability |
VCID-8zkw-y3yd-yuft |
|
| 6 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 7 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 8 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 9 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 10 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 11 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 12 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 13 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 14 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 15 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 16 |
| vulnerability |
VCID-qt1u-2p37-xfet |
|
| 17 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 18 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 19 |
| vulnerability |
VCID-udc4-7jnt-y3fu |
|
| 20 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 21 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 22 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 23 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 24 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
| 25 |
| vulnerability |
VCID-xnz5-gv2x-17bk |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.0.0.alpha |
|
| 2 |
| url |
pkg:gem/rack@2.0.8 |
| purl |
pkg:gem/rack@2.0.8 |
| is_vulnerable |
true |
| affected_by_vulnerabilities |
| 0 |
| vulnerability |
VCID-47ja-djzb-2bbw |
|
| 1 |
| vulnerability |
VCID-6c1k-vgv4-93ad |
|
| 2 |
| vulnerability |
VCID-7p12-ejdu-uqgy |
|
| 3 |
| vulnerability |
VCID-7wvj-9h3p-23am |
|
| 4 |
| vulnerability |
VCID-7zgg-tvu3-r7gt |
|
| 5 |
| vulnerability |
VCID-8zkw-y3yd-yuft |
|
| 6 |
| vulnerability |
VCID-9rpp-9xss-duf6 |
|
| 7 |
| vulnerability |
VCID-arac-j5h5-zkcu |
|
| 8 |
| vulnerability |
VCID-azu5-jcmd-3ufx |
|
| 9 |
| vulnerability |
VCID-c21j-snf1-d3cb |
|
| 10 |
| vulnerability |
VCID-c5sc-7qnn-mkb9 |
|
| 11 |
| vulnerability |
VCID-d58r-22kr-9bct |
|
| 12 |
| vulnerability |
VCID-fpg2-nhey-rkcc |
|
| 13 |
| vulnerability |
VCID-gdhf-e8q1-kbat |
|
| 14 |
| vulnerability |
VCID-gtzk-m9rm-57hw |
|
| 15 |
| vulnerability |
VCID-npag-sz7d-v7b6 |
|
| 16 |
| vulnerability |
VCID-qt1u-2p37-xfet |
|
| 17 |
| vulnerability |
VCID-s971-gkdg-jkhc |
|
| 18 |
| vulnerability |
VCID-skxv-7he3-xqgc |
|
| 19 |
| vulnerability |
VCID-udc4-7jnt-y3fu |
|
| 20 |
| vulnerability |
VCID-vkrw-y1j6-6fe7 |
|
| 21 |
| vulnerability |
VCID-w732-52bx-2qf8 |
|
| 22 |
| vulnerability |
VCID-wt7k-s1yd-nke6 |
|
| 23 |
| vulnerability |
VCID-xazq-qrm1-9ff6 |
|
| 24 |
| vulnerability |
VCID-xkah-9nv9-wufd |
|
| 25 |
| vulnerability |
VCID-xnz5-gv2x-17bk |
|
|
| resource_url |
http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.0.8 |
|
|
| aliases |
CVE-2019-16782, GHSA-hrqr-hxpp-chr3
|
| risk_score |
3.1 |
| exploitability |
0.5 |
| weighted_severity |
6.2 |
| resource_url |
http://public2.vulnerablecode.io/vulnerabilities/VCID-yw62-qbkq-9ygq |
|