Lookup for vulnerabilities affecting packages.

Vulnerability_id VCID-3jru-u17n-tyg1
Summary
Rack has a Possible Information Disclosure Vulnerability
A possible information disclosure vulnerability existed in `Rack::Sendfile` when running behind a proxy that supports `x-sendfile` headers (such as Nginx). Specially crafted headers could cause `Rack::Sendfile` to miscommunicate with the proxy and trigger unintended internal requests, potentially bypassing proxy-level access restrictions.
Aliases
0
alias CVE-2025-61780
1
alias GHSA-r657-rxjc-j557
Fixed_packages
0
url pkg:gem/rack@2.2.20
purl pkg:gem/rack@2.2.20
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@2.2.20
1
url pkg:gem/rack@3.1.18
purl pkg:gem/rack@3.1.18
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.1.18
2
url pkg:gem/rack@3.2.3
purl pkg:gem/rack@3.2.3
is_vulnerable false
affected_by_vulnerabilities
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2.3
Affected_packages
0
url pkg:gem/rack@3.0
purl pkg:gem/rack@3.0
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3jru-u17n-tyg1
1
vulnerability VCID-e11g-k7zm-vkhu
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.0
1
url pkg:gem/rack@3.2
purl pkg:gem/rack@3.2
is_vulnerable true
affected_by_vulnerabilities
0
vulnerability VCID-3jru-u17n-tyg1
1
vulnerability VCID-dss4-6ptr-83av
2
vulnerability VCID-e11g-k7zm-vkhu
3
vulnerability VCID-k8fr-zuyx-yyhg
4
vulnerability VCID-xpa3-1n87-8ucv
resource_url http://public2.vulnerablecode.io/packages/pkg:gem/rack@3.2
References
0
reference_url https://github.com/rack/rack
reference_id
reference_type
scores
url https://github.com/rack/rack
1
reference_url https://github.com/rack/rack/commit/57277b7741581fa827472c5c666f6e6a33abd784
reference_id
reference_type
scores
url https://github.com/rack/rack/commit/57277b7741581fa827472c5c666f6e6a33abd784
2
reference_url https://github.com/rack/rack/commit/7e69f65eefe9cd2868df9f9f3b0977b86f93523a
reference_id
reference_type
scores
url https://github.com/rack/rack/commit/7e69f65eefe9cd2868df9f9f3b0977b86f93523a
3
reference_url https://github.com/rack/rack/commit/fba2c8bc63eb787ff4b19bc612d315fda6126d85
reference_id
reference_type
scores
url https://github.com/rack/rack/commit/fba2c8bc63eb787ff4b19bc612d315fda6126d85
4
reference_url https://nvd.nist.gov/vuln/detail/CVE-2025-61780
reference_id CVE-2025-61780
reference_type
scores
url https://nvd.nist.gov/vuln/detail/CVE-2025-61780
5
reference_url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61780.yml
reference_id CVE-2025-61780.YML
reference_type
scores
url https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61780.yml
6
reference_url https://github.com/advisories/GHSA-r657-rxjc-j557
reference_id GHSA-r657-rxjc-j557
reference_type
scores
url https://github.com/advisories/GHSA-r657-rxjc-j557
7
reference_url https://github.com/rack/rack/security/advisories/GHSA-r657-rxjc-j557
reference_id GHSA-r657-rxjc-j557
reference_type
scores
url https://github.com/rack/rack/security/advisories/GHSA-r657-rxjc-j557
Weaknesses
0
cwe_id 200
name Exposure of Sensitive Information to an Unauthorized Actor
description The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
1
cwe_id 441
name Unintended Proxy or Intermediary ('Confused Deputy')
description The product receives a request, message, or directive from an upstream component, but the product does not sufficiently preserve the original source of the request before forwarding the request to an external actor that is outside of the product's control sphere. This causes the product to appear to be the source of the request, leading it to act as a proxy or other intermediary between the upstream component and the external actor.
2
cwe_id 913
name Improper Control of Dynamically-Managed Code Resources
description The product does not properly restrict reading from or writing to dynamically-managed code resources such as variables, objects, classes, attributes, functions, or executable instructions or statements.
3
cwe_id 937
name OWASP Top Ten 2013 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2013.
4
cwe_id 1035
name OWASP Top Ten 2017 Category A9 - Using Components with Known Vulnerabilities
description Weaknesses in this category are related to the A9 category in the OWASP Top Ten 2017.
Exploits
Severity_range_score null
Exploitability null
Weighted_severity null
Risk_score null
Resource_url http://public2.vulnerablecode.io/vulnerabilities/VCID-3jru-u17n-tyg1