CVE-2025-61780
📋 TL;DR
This vulnerability lets a client bypass proxy-level access restrictions in Rack applications that run Rack::Sendfile behind certain proxy configurations. Rack::Sendfile reads the x-sendfile-type and x-accel-mapping request headers to decide whether, and how, to hand a file response back to the front-end proxy with an X-Accel-Redirect header. When the proxy forwards those headers from the client instead of setting or stripping them, a crafted pair of values can trigger an internal proxy redirect that sidesteps the proxy's own controls, potentially reaching protected endpoints such as administrative pages. Only applications that have Rack::Sendfile in the middleware stack, sit behind a proxy that supports x-accel-redirect (such as Nginx), and let client-supplied copies of these headers through are affected.
💻 Affected Systems
- Rack (Ruby web server interface)
📦 What is this software?
Rack by Rack: the modular interface between Ruby web servers and Ruby web frameworks (Rails, Sinatra and others are built on it). Rack::Sendfile is the bundled middleware that offloads file serving to the front-end web server via X-Sendfile, X-Lighttpd-Send-File or X-Accel-Redirect headers.
⚠️ Risk & Real-World Impact
Worst Case
Attackers bypass all proxy-level access controls and access sensitive internal endpoints, administrative interfaces, or protected application routes that should be inaccessible.
Likely Case
Attackers bypass some proxy restrictions to access internal application endpoints not intended for public exposure, potentially exposing sensitive functionality or data.
If Mitigated
With proper proxy configuration or patched versions, the vulnerability is eliminated and proxy access controls function as intended.
🎯 Exploit Status
Exploitation requires specific proxy configuration conditions and knowledge of internal endpoints. No public exploit code available at disclosure.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Rack 2.2.20, 3.1.18, or 3.2.3
Vendor Advisory: https://github.com/rack/rack/security/advisories/GHSA-r657-rxjc-j557
Restart Required: Yes (the application server must be restarted or redeployed so the updated gem is loaded)
Instructions:
1. In the Gemfile, require the fixed release for the series you are on: rack >= 2.2.20 (2.2.x), >= 3.1.18 (3.1.x) or >= 3.2.3 (3.2.x).
2. Run 'bundle update rack' and commit the updated Gemfile.lock.
3. Deploy the updated application and restart the application server so the new gem is loaded.
4. If you rely on x-accel-redirect, confirm it still works after the upgrade: the patched versions require it to be configured explicitly in the application rather than taken from the request headers.
🔧 Temporary Workarounds
Configure the proxy to set or strip the headers
Configure your proxy (Nginx) so that the X-Sendfile-Type and X-Accel-Mapping request headers reaching Rack are always the proxy's own values and never the client's. proxy_set_header replaces whatever the client sent, and an empty value means the header is not forwarded at all. (proxy_hide_header does not help here: it filters response headers coming back from the upstream, not request headers going to it.)
# Nginx configuration example
location / {
    # Not using X-Accel-Redirect: drop both headers (an empty value is not forwarded)
    proxy_set_header X-Sendfile-Type "";
    proxy_set_header X-Accel-Mapping "";
    # Using X-Accel-Redirect: pin both to fixed values instead of the two lines above
    # (paths are examples):
    #   proxy_set_header X-Sendfile-Type X-Accel-Redirect;
    #   proxy_set_header X-Accel-Mapping /var/www/files/=/files/;
    proxy_pass http://app;   # upstream name assumed
}
Remove Rack::Sendfile from the Rails stack
For Rails applications, remove the middleware rather than only unsetting the header name. Rails inserts Rack::Sendfile regardless of the x_sendfile_header setting, and when no header name is configured the middleware falls back to the request's own X-Sendfile-Type header, which is exactly the client-controlled value this advisory is about. Note that without the middleware the application serves file responses itself.
# In config/environments/production.rb
config.action_dispatch.x_sendfile_header = nil   # not sufficient on its own, see above
config.middleware.delete ::Rack::Sendfile          # actually removes the middleware
🧯 If You Can't Patch
- Configure proxy to strip x-sendfile-type and x-accel-mapping headers from all client requests
- Add application-level validation in front of Rack::Sendfile: if the app does not use x-accel-redirect, reject or drop requests carrying x-sendfile-type or x-accel-mapping; if it does, overwrite them with the values the proxy is supposed to set, so a client-supplied value is never acted on
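The application-level control described above, written out as an added example (this is not code from the Rack project or from the advisory). The middleware must sit before Rack::Sendfile in the stack; the mapping "/var/www/files/=/files/" and the echo app used in the demo are assumptions for illustration.

```ruby
# Added example, not code from the Rack project or the advisory: a small Rack
# middleware that pins the two request headers Rack::Sendfile consults
# (HTTP_X_SENDFILE_TYPE and HTTP_X_ACCEL_MAPPING in the Rack env) to values the
# application configures, so that whatever a client put on the wire never
# reaches Rack::Sendfile. The mapping "/var/www/files/=/files/" and the upstream
# app used in the demo are assumptions for illustration.
class PinSendfileHeaders
  SENDFILE_KEYS = %w[HTTP_X_SENDFILE_TYPE HTTP_X_ACCEL_MAPPING].freeze

  # type:    X-Sendfile-Type the proxy is expected to set (nil when sendfile is not used)
  # mapping: X-Accel-Mapping the proxy is expected to set (nil when not used)
  # strict:  answer 400 when a different value arrives instead of silently overwriting it
  def initialize(app, type: nil, mapping: nil, strict: false)
    @app = app
    @expected = { 'HTTP_X_SENDFILE_TYPE' => type, 'HTTP_X_ACCEL_MAPPING' => mapping }
    @strict = strict
  end

  def call(env)
    if @strict && !unexpected_headers(env).empty?
      # A value that differs from the pinned one can only have come from the client
      # (or a mis-configured proxy); refuse rather than let Rack::Sendfile act on it.
      return [400, { 'content-type' => 'text/plain' }, ["unexpected sendfile header\n"]]
    end

    # Drop whatever arrived and re-add only the pinned values.
    SENDFILE_KEYS.each { |key| env.delete(key) }
    @expected.each { |key, value| env[key] = value unless value.nil? }
    @app.call(env)
  end

  # Names of sendfile headers present in the request whose value is not the pinned one.
  def unexpected_headers(env)
    SENDFILE_KEYS.select { |key| env.key?(key) && env[key] != @expected[key] }
  end
end

# Usage in config.ru (must be listed before Rack::Sendfile):
#   use PinSendfileHeaders, type: 'X-Accel-Redirect', mapping: '/var/www/files/=/files/', strict: true
#   use Rack::Sendfile, 'X-Accel-Redirect'   # or Rails' own insertion of Rack::Sendfile

# Demo against a constructed app that echoes the mapping Rack::Sendfile would see.
ECHO_APP = ->(env) { [200, { 'content-type' => 'text/plain' }, [env.fetch('HTTP_X_ACCEL_MAPPING', 'none')]] }

def demo_pinned(env, strict: false)
  mw = PinSendfileHeaders.new(ECHO_APP, type: 'X-Accel-Redirect',
                              mapping: '/var/www/files/=/files/', strict: strict)
  status, _headers, body = mw.call(env.dup)
  [status, body.join]
end

if $PROGRAM_NAME == __FILE__
  crafted = { 'HTTP_X_SENDFILE_TYPE' => 'x-accel-redirect', 'HTTP_X_ACCEL_MAPPING' => '/=/internal/' }
  p demo_pinned(crafted)                 # => [200, "/var/www/files/=/files/"]  (crafted value overwritten)
  p demo_pinned(crafted, strict: true)   # => [400, "unexpected sendfile header\n"]
end
```

Non-strict mode is the safe default when the proxy is already pinning the headers (a mismatch then only means a mis-configured proxy); strict mode is useful while the proxy fix is still rolling out, because a 400 makes client-supplied values visible in the logs instead of silently discarding them.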
🔍 How to Verify
Check if Vulnerable:
All three must hold: Rack is older than the fixed release for its series (< 2.2.20 on 2.2.x, < 3.1.18 on 3.1.x, < 3.2.3 on 3.2.x); Rack::Sendfile is in the middleware stack (Rails inserts it by default; 'bin/rails middleware | grep Sendfile' shows it); and the application sits behind a proxy that honours X-Accel-Redirect (such as Nginx) and forwards client request headers unchanged.
Check Version:
bundle exec ruby -e 'require "rack"; puts Rack.release'
(or: bundle list | grep ' rack (')
Verify Fix Applied:
Rack.release reports >= 2.2.20, >= 3.1.18 or >= 3.2.3 for the series in use and, if you use x-accel-redirect, it is now configured explicitly in the application rather than taken from request headers.
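The version check above, as an added example that reads the resolved rack version out of a Gemfile.lock and compares it with the fixed releases listed on this page (this is not tooling from the Rack project; the lockfile excerpt is constructed). A series with no fixed release listed here, such as 3.0.x, is reported as unknown rather than patched. Remember that the version is only one of the three conditions: Rack::Sendfile must also be in the stack and the proxy must forward the headers.

```ruby
# Added example, not from the advisory: read the resolved rack version out of a
# Gemfile.lock and compare it with the fixed release for its series
# (2.2.20, 3.1.18, 3.2.3 as listed in this advisory). The lockfile excerpt is constructed.
require 'rubygems'

FIXED_RACK = { '2.2' => '2.2.20', '3.1' => '3.1.18', '3.2' => '3.2.3' }.freeze

SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (3.1.17)
      rack-session (2.1.0)
        rack (>= 3.0.0)
      rackup (2.2.1)
        rack (>= 3)
LOCK

# The spec line for rack itself is indented four spaces and carries a bare
# version; dependency lines such as "rack (>= 3.0.0)" are deeper and carry a
# constraint, so they do not match.
def rack_version_from_lockfile(lock_text)
  m = lock_text.match(/^    rack \((\d[^)]*)\)$/)
  m && m[1]
end

# :vulnerable or :patched for the three series the advisory covers;
# :unknown_series for anything else (e.g. 3.0.x), which has no fixed release listed here.
def rack_status(version)
  v = Gem::Version.new(version)
  series = v.segments.first(2).join('.')
  fixed = FIXED_RACK[series] or return :unknown_series
  v < Gem::Version.new(fixed) ? :vulnerable : :patched
end

if $PROGRAM_NAME == __FILE__
  ver = rack_version_from_lockfile(SAMPLE_LOCK)
  puts "rack #{ver}: #{rack_status(ver)}"   # rack 3.1.17: vulnerable
end
```

Pointing the script at a real lockfile is a matter of replacing SAMPLE_LOCK with File.read('Gemfile.lock'); Gem::Version handles pre-release suffixes, so a 3.1.18.rc1 is compared correctly against 3.1.18.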
📡 Detection & Monitoring
Log Indicators:
- X-Sendfile-Type or X-Accel-Mapping values present in client-facing (edge) request logs; browsers and API clients never legitimately send these, so any value is an indicator (Nginx only records them if the log_format includes $http_x_sendfile_type and $http_x_accel_mapping)
- Successful responses for internal or administrative paths to clients that the proxy should have blocked
- Upstream responses carrying an X-Accel-Redirect header for requests that are not expected to serve files
Network Indicators:
- HTTP requests from clients containing x-sendfile-type: x-accel-redirect
- HTTP requests from clients containing an x-accel-mapping header, especially one whose internal prefix is "/" or whose external side points at an internal proxy location
SIEM Query:
http.headers:x-sendfile-type="x-accel-redirect" OR http.headers:x-accel-mapping="*"
(field names vary by SIEM; run the query against logs captured in front of the proxy, because behind a proxy that legitimately sets these headers every request would match)
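The log indicators above, turned into detection logic as an added example (not tooling from the advisory or the Rack project). It assumes the edge Nginx writes the raw client request headers with a custom log_format, shown in the comment; the log lines are constructed for the example, and the severity split is this example's own choice: a mapping whose internal prefix is "/" rewrites every path, so it is rated higher.

```ruby
# Added example, not from the advisory: flag requests whose client-facing
# headers carry X-Sendfile-Type or X-Accel-Mapping. Assumes the edge proxy
# logs the raw client request headers with an Nginx log_format such as:
#   log_format sendfile_audit '$remote_addr "$request" $status "$http_x_sendfile_type" "$http_x_accel_mapping"';
# ($http_* variables hold the header as the client sent it; Nginx logs "-" when it is absent.)
# The log lines below are constructed for the example.

SAMPLE_EDGE_LOG = <<~LOG
  192.0.2.3 "GET /index.html HTTP/1.1" 200 "-" "-"
  198.51.100.9 "GET /files/report.pdf HTTP/1.1" 200 "x-accel-redirect" "/=/admin/"
  203.0.113.7 "GET /files/report.pdf HTTP/1.1" 200 "X-Accel-Redirect" "/var/www/files/=/files/"
  192.0.2.3 "POST /login HTTP/1.1" 302 "-" "-"
LOG

LINE_RE = /\A(?<client>\S+) "(?<request>[^"]*)" (?<status>\d{3}) "(?<type>[^"]*)" "(?<mapping>[^"]*)"\z/

# Rack::Sendfile takes the mapping header as comma-separated "internal=external" pairs.
def parse_accel_mapping(value)
  return [] if value.nil? || value == '-'
  value.split(',').map { |pair| pair.strip.split('=', 2).map(&:strip) }
end

# Returns one hash per suspicious request. A client has no legitimate reason to
# send either header, so any non-empty value is an indicator; a mapping whose
# internal prefix is "/" rewrites every path and is called out as high severity.
def suspicious_sendfile_requests(log_text)
  log_text.each_line.filter_map do |line|
    m = LINE_RE.match(line.strip) or next
    next if m[:type] == '-' && m[:mapping] == '-'
    mappings = parse_accel_mapping(m[:mapping])
    {
      client: m[:client],
      request: m[:request],
      sendfile_type: m[:type] == '-' ? nil : m[:type],
      mappings: mappings,
      severity: mappings.any? { |internal, _| internal == '/' } ? :high : :medium,
    }
  end
end

if $PROGRAM_NAME == __FILE__
  suspicious_sendfile_requests(SAMPLE_EDGE_LOG).each { |alert| p alert }
end
```

Run on the edge log this yields two alerts out of four lines; the same logic run on the upstream's log behind a proxy that pins the headers would flag every request, which is the caveat attached to the SIEM query above.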