CVE-2025-27610
📋 TL;DR
This vulnerability in Rack's static file serving middleware (Rack::Static) lets an attacker bypass the urls: prefix restrictions with encoded path traversal sequences and read any file under the configured root: directory, provided they can determine its path. It affects Ruby web applications that mount Rack::Static from a vulnerable Rack version. Depending on what lives under root:, attackers can read sensitive files such as configuration files, source code, or credentials.
💻 Affected Systems
- Rack
📦 What is this software?
Rack by Rack
⚠️ Risk & Real-World Impact
Worst Case
Complete exposure of all files under the configured root directory, including sensitive configuration files, source code, environment variables, and credentials, potentially leading to full system compromise.
Likely Case
Unauthorized access to sensitive files like application configuration, database credentials, or source code, enabling further attacks or data theft.
If Mitigated
Limited to accessing only intentionally public static files with proper directory isolation and validation.
🎯 Exploit Status
Exploitation requires Rack::Static in the middleware stack, knowledge (or guessing) of file paths under root:, and the ability to send HTTP requests to a URL prefix that Rack::Static serves. No authentication is required if that prefix is publicly reachable.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Rack 2.2.13, 3.0.14, or 3.1.12
Vendor Advisory: https://github.com/rack/rack/security/advisories/GHSA-7wqh-767x-r66v
Restart Required: Yes
Instructions:
1. Update the Gemfile to require rack >= 2.2.13 (Rack 2.x), >= 3.0.14 (Rack 3.0.x), or >= 3.1.12 (Rack 3.1.x), depending on your major version.
2. Run 'bundle update rack'.
3. Restart your application server.
🔧 Temporary Workarounds
Remove Rack::Static usage
Replace Rack::Static with an alternative static file serving solution such as Nginx, Apache, or a CDN.
Remove or comment out 'use Rack::Static' in config.ru.
Isolate root directory
Ensure the root: parameter points to a directory that contains only public files and no sensitive data. The bypass escapes the urls: prefix but stays within root:, so a dedicated public directory bounds what an attacker can reach.
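To make the TL;DR and the "Isolate root directory" workaround concrete, here is an added example (not Rack's own code, and not the exact logic of the patched middleware): a simplified model of a static-file middleware that checks the urls: prefix on the raw, still-encoded PATH_INFO and only decodes afterwards, beside a hardened version that decodes and normalizes before checking. ROOT and ALLOWED_PREFIXES are hypothetical values standing in for root: and urls:.

```ruby
# Added example, not Rack's code: weak vs. hardened prefix checks for a
# static-file middleware. ROOT and ALLOWED_PREFIXES are hypothetical.
require 'pathname'

ROOT = '/srv/app'                     # stands in for root:
ALLOWED_PREFIXES = ['/public'].freeze # stands in for urls:

# Minimal percent-decoder (stdlib only, so the example runs without the rack gem).
def percent_decode(str)
  str.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Normalize a decoded URL path the way a file server does: drop empty and "."
# segments, let ".." pop the previous segment, never climb above "/".
def normalize_path(decoded)
  parts = []
  decoded.split('/').each do |seg|
    case seg
    when '', '.' then next
    when '..'    then parts.pop
    else parts << seg
    end
  end
  '/' + parts.join('/')
end

# Weak check: prefix test on the raw PATH_INFO, decoding and normalizing later.
# Returns the filesystem path that would be served, or nil if refused.
def resolve_weak(raw_path)
  return nil unless ALLOWED_PREFIXES.any? { |p| raw_path.start_with?(p) }
  File.join(ROOT, normalize_path(percent_decode(raw_path)))
end

# Hardened check: decode and normalize first, then require the normalized
# path to still sit under an allowed prefix.
def resolve_hardened(raw_path)
  clean = normalize_path(percent_decode(raw_path))
  allowed = ALLOWED_PREFIXES.any? { |p| clean == p || clean.start_with?(p + '/') }
  allowed ? File.join(ROOT, clean) : nil
end

if __FILE__ == $PROGRAM_NAME
  ['/public/app.css', '/public/..%2fconfig/database.yml', '/public/%2e%2e/%2e%2e/etc/passwd'].each do |req|
    puts "#{req.ljust(40)} weak=#{resolve_weak(req).inspect} hardened=#{resolve_hardened(req).inspect}"
  end
end
```

The weak resolver accepts `/public/..%2fconfig/database.yml` because the raw string starts with `/public`, then serves `/srv/app/config/database.yml`; the hardened resolver refuses it. Note that even the weak resolver never leaves ROOT, since the normalizer discards surplus `..` segments, which is exactly why isolating root: limits the damage.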
🧯 If You Can't Patch
- Implement a web application firewall (WAF) to block path traversal patterns
- Move static file serving to a dedicated web server (Nginx, Apache) or CDN
🔍 How to Verify
Check if Vulnerable:
Check your Gemfile.lock or run 'bundle show rack' to see the installed version. You are affected if the application mounts Rack::Static (grep config.ru and any middleware configuration for 'Rack::Static') and the Rack version is below 2.2.13 (Rack 2.x and older), below 3.0.14 (Rack 3.0.x), or below 3.1.12 (Rack 3.1.x).
Check Version:
bundle show rack
bundle exec ruby -e 'require "rack"; puts Rack::RELEASE'
Verify Fix Applied:
After updating, verify that 'bundle show rack' reports 2.2.13, 3.0.14, 3.1.12 or a later release in the same series. Then confirm that an encoded traversal request against a Rack::Static prefix (for example a path containing '..%2f' or '%2e%2e%2f') no longer returns a file from outside that prefix.
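As an added example (not part of the original page or of the Rack project), the version check above can be scripted so it runs in CI: parse the exact rack version out of Gemfile.lock, compare it against the fixed releases named in the advisory, and check whether Rack::Static is actually mounted. The Gemfile.lock and config.ru text below are constructed samples.

```ruby
# Added example: classify the Rack release in a Gemfile.lock against the
# fixed versions 2.2.13 / 3.0.14 / 3.1.12 from GHSA-7wqh-767x-r66v.
require 'rubygems'

# Vulnerable ranges: [lower bound (nil = any), first fixed version).
VULNERABLE_RANGES = [
  [nil,                      Gem::Version.new('2.2.13')],
  [Gem::Version.new('3.0.0'), Gem::Version.new('3.0.14')],
  [Gem::Version.new('3.1.0'), Gem::Version.new('3.1.12')],
].freeze

def rack_vulnerable?(version_string)
  v = Gem::Version.new(version_string)
  VULNERABLE_RANGES.any? { |lo, hi| (lo.nil? || v >= lo) && v < hi }
end

# Gemfile.lock lists resolved gems indented by exactly four spaces, e.g.
# "    rack (3.1.11)". Dependency lines ("      rack (>= 1.0)") are indented
# deeper and carry operators, so they do not match. Returns nil if absent.
def rack_version_from_lockfile(text)
  m = text.match(/^ {4}rack \((\d[\w.]*)\)$/)
  m && m[1]
end

# True if any given config text mounts Rack::Static.
def uses_rack_static?(*texts)
  texts.any? { |t| t =~ /^\s*use\s+Rack::Static\b/ }
end

# Constructed samples standing in for a real Gemfile.lock and config.ru.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (3.1.11)
      rack-session (2.1.0)
        rack (>= 3.0.0)
      rack-test (2.2.0)
        rack (>= 1.3)
LOCK

SAMPLE_CONFIG_RU = <<~RU
  use Rack::Static, urls: ["/assets"], root: "public"
  run MyApp
RU

# Overall verdict for one application: :vulnerable, :fixed, or :not_affected.
def assess(lockfile_text, *config_texts)
  version = rack_version_from_lockfile(lockfile_text)
  return :not_affected if version.nil? || !uses_rack_static?(*config_texts)
  rack_vulnerable?(version) ? :vulnerable : :fixed
end

if __FILE__ == $PROGRAM_NAME
  puts "rack #{rack_version_from_lockfile(SAMPLE_LOCK)}: #{assess(SAMPLE_LOCK, SAMPLE_CONFIG_RU)}"
end
```

Point it at the real files with `assess(File.read('Gemfile.lock'), File.read('config.ru'))`; a `:vulnerable` verdict means patch, and `:not_affected` only means Rack::Static was not found in the texts you passed in, so include every file that configures middleware.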
📡 Detection & Monitoring
Log Indicators:
- HTTP requests to Rack::Static prefixes whose path contains encoded traversal sequences (..%2f, %2e%2e%2f, %2e%2e/, or double-encoded forms such as %252e%252e%252f), especially when answered with 200
- Unusual file access patterns outside normal static file directories
Network Indicators:
- HTTP requests containing multiple URL-encoded dot-dot-slash sequences
- Requests for known sensitive file patterns (.env, config/database.yml, etc.)
SIEM Query:
(http.url:*%2e%2e%2f* OR http.url:*..%2f* OR http.url:*%252e%252e%252f*) AND http.path:/static/*
Adjust the http.path prefix to the urls: values your Rack::Static configuration actually serves; without the parentheses, AND binds tighter than OR in Lucene-style syntax and the prefix filter would apply to only one of the patterns.
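The same logic as the SIEM query, as an added example (not from the original page) that runs offline over access-log lines: each request path is percent-decoded up to twice, so single- and double-encoded traversal both surface, and a hit is recorded only when a dot-dot segment is followed by a separator, so file names that merely contain ".." are ignored. The log lines below are constructed samples in combined-log format, and the /static prefix is an assumed Rack::Static urls: value.

```ruby
# Added example: flag encoded path-traversal requests against a static prefix.
# The log lines are constructed; "/static" is an assumed urls: prefix.
STATIC_PREFIX = '/static'

def percent_decode(str)
  str.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# A dot-dot segment followed by "/" or "\" at some decoding depth (0, 1 or 2).
TRAVERSAL = %r{(^|[/\\])\.\.([/\\]|$)}

def traversal?(raw_path)
  form = raw_path
  3.times do
    return true if form.match?(TRAVERSAL)
    decoded = percent_decode(form)
    break if decoded == form   # nothing left to decode
    form = decoded
  end
  false
end

# Parse one combined-log line into its useful fields, or nil if it does not parse.
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>[A-Z]+) (?<path>\S+) [^"]*" (?<status>\d{3})/

def parse_log_line(line)
  m = LOG_LINE.match(line)
  m && { ip: m[:ip], ts: m[:ts], method: m[:method], path: m[:path], status: m[:status].to_i }
end

# Return the parsed entries that target the static prefix with a traversal sequence.
def traversal_hits(log_text)
  log_text.each_line.filter_map do |line|
    entry = parse_log_line(line.chomp)
    next nil unless entry && entry[:path].start_with?(STATIC_PREFIX)
    entry if traversal?(entry[:path])
  end
end

SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [10/Mar/2025:12:00:01 +0000] "GET /static/app.css HTTP/1.1" 200 512
  203.0.113.7 - - [10/Mar/2025:12:00:02 +0000] "GET /static/..%2fconfig/database.yml HTTP/1.1" 200 834
  198.51.100.9 - - [10/Mar/2025:12:00:03 +0000] "GET /static/%2e%2e%2f.env HTTP/1.1" 200 120
  198.51.100.9 - - [10/Mar/2025:12:00:04 +0000] "GET /static/%252e%252e%252f.env HTTP/1.1" 404 0
  192.0.2.5 - - [10/Mar/2025:12:00:05 +0000] "GET /static/img/logo..png HTTP/1.1" 200 9000
  192.0.2.5 - - [10/Mar/2025:12:00:06 +0000] "GET /api/../static/x HTTP/1.1" 200 10
LOG

if __FILE__ == $PROGRAM_NAME
  traversal_hits(SAMPLE_LOG).each do |h|
    puts "#{h[:ts]} #{h[:ip]} #{h[:method]} #{h[:path]} -> #{h[:status]}"
  end
end
```

Hits with status 200 are the ones to triage first: a 404 still shows probing, but a 200 on a traversal path against a vulnerable Rack means a file under root: was served. Feed it your own logs with `traversal_hits(File.read('access.log'))`.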