CVE-2026-22860

Rack has a Directory Traversal via Rack::Directory

CVSS 7.5 HIGH · EPSS 0.6% · CWE-22 · CWE-548
In short

Rack::Directory allows attackers to list files and directories outside the intended root folder by crafting special URLs with path traversal sequences. This happens because the security check only compares text strings instead of properly validating the actual file path.

Technical detail

Rack::Directory uses a string prefix match on expanded paths to validate directory access, which can be bypassed via path traversal sequences like `/../root_example/` when the target path starts with the configured root string. An unauthenticated attacker can exploit this CWE-22 vulnerability to enumerate directories outside the intended root, leading to information disclosure (CWE-548). The issue is fixed in versions 2.2.22, 3.1.20, and 3.2.5.
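As an added illustration (not Rack's own code), the two functions below model the check described above: the request path is joined to the configured root and expanded, and only the final comparison differs. The root directory, the sibling directory name and the request paths are constructed for this example.

```ruby
# Added example, not Rack's own code. File.expand_path is purely lexical,
# so nothing here touches the filesystem and it runs offline.

# Vulnerable form: accept any expanded path that begins with the root
# string. A sibling directory such as "/srv/root_example" shares that
# prefix, so "/../root_example/" is wrongly allowed.
def allowed_by_prefix?(root, path_info)
  root = File.expand_path(root)
  target = File.expand_path(File.join(root, path_info))
  target.start_with?(root)
end

# Hardened form: the expanded path must be the root itself or continue
# with a path separator, which is what "inside the root" actually means.
def allowed_by_descendant?(root, path_info)
  root = File.expand_path(root)
  target = File.expand_path(File.join(root, path_info))
  target == root || target.start_with?(root + File::SEPARATOR)
end

# Evaluate each request against both checks; returns
# { path_info => [prefix_result, descendant_result] } for comparison.
def compare_checks(root, requests)
  requests.to_h { |p| [p, [allowed_by_prefix?(root, p), allowed_by_descendant?(root, p)]] }
end

if __FILE__ == $PROGRAM_NAME
  root = "/srv/root" # constructed document root for the demonstration
  requests = ["/", "/docs/", "/../root_example/", "/../../etc/"]
  compare_checks(root, requests).each do |path, (prefix, descendant)|
    printf("%-20s prefix=%-5s descendant=%s\n", path, prefix, descendant)
  end
end
```

Only `/../root_example/` separates the two checks: the prefix comparison admits it while the descendant comparison rejects it, and both still reject `/../../etc/`, which is why the bug is limited to siblings whose names extend the root string.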

Summary generated and translated by AI from the official description.
Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected products
rack · rack
