CVE-2026-22860
📋 TL;DR
This vulnerability in Rack's Rack::Directory component allows attackers to bypass directory restrictions using path traversal techniques. By crafting requests like '/../root_example/', attackers can list directory contents outside the intended root directory. This affects Ruby applications using vulnerable versions of Rack with directory listing enabled.
💻 Affected Systems
- Rack (Ruby web server interface)
📦 What is this software?
Rack by Rack
⚠️ Risk & Real-World Impact
Worst Case
Attackers could enumerate sensitive files and directories outside the web root, potentially discovering configuration files, source code, or credentials that could lead to further compromise.
Likely Case
Unauthorized directory traversal allowing attackers to discover file structure and potentially access sensitive information that shouldn't be publicly accessible.
If Mitigated
Limited impact if directory listing is disabled or proper access controls are in place, though the vulnerability still exists.
🎯 Exploit Status
The vulnerability is simple to exploit with basic HTTP requests. Proof of concept is available in the advisory and commit details.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Rack 2.2.22, 3.1.20, or 3.2.5
Vendor Advisory: https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh
Restart Required: Yes
Instructions:
1. Update your Gemfile to specify rack version >= 2.2.22, 3.1.20, or 3.2.5 depending on your major version.
2. Run 'bundle update rack'.
3. Restart your application server.
🔧 Temporary Workarounds
Disable directory listing
Disable Rack::Directory middleware or directory listing functionality in your application
Remove or comment out 'use Rack::Directory' in config.ru or application configuration
🧯 If You Can't Patch
- Implement web application firewall (WAF) rules to block path traversal patterns
- Disable directory listing entirely and implement proper access controls for static file serving
🔍 How to Verify
Check if Vulnerable:
Check your Gemfile.lock or run 'bundle show rack' to see the current version. If the version is below 2.2.22 (for Rack 2.x), 3.1.20 (for Rack 3.1.x), or 3.2.5 (for Rack 3.2.x), you are vulnerable.
Check Version:
bundle show rack | grep rack
Verify Fix Applied:
After updating, verify the version with 'bundle show rack' and test directory traversal attempts against your application.
📡 Detection & Monitoring
Log Indicators:
- HTTP requests containing '/../' patterns or unusual path traversal attempts
- Multiple 200/403 responses for directory listing requests outside normal paths
Network Indicators:
- HTTP requests with path traversal sequences targeting directory endpoints
SIEM Query:
web_access_logs WHERE url CONTAINS '/../' AND (status_code = 200 OR status_code = 403)
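The log indicators and SIEM query above, turned into a small Ruby filter that runs over constructed sample access-log lines; this is an added example, not code from the Rack project or the advisory. It assumes combined-log format and percent-decodes the request path before matching, so the check sees the path the way the server would.

```ruby
# Constructed sample lines in combined-log format; not from any real system.
SAMPLE_LOG = <<~LOG
  10.0.0.5 - - [12/Jan/2026:10:00:01 +0000] "GET /files/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
  10.0.0.7 - - [12/Jan/2026:10:00:02 +0000] "GET /files/../ HTTP/1.1" 200 2048 "-" "curl/8.0"
  10.0.0.7 - - [12/Jan/2026:10:00:03 +0000] "GET /files/%2e%2e/%2e%2e/etc/ HTTP/1.1" 403 0 "-" "curl/8.0"
  10.0.0.9 - - [12/Jan/2026:10:00:04 +0000] "GET /files/report.pdf HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
  10.0.0.9 - - [12/Jan/2026:10:00:05 +0000] "GET /files/..config/ HTTP/1.1" 200 300 "-" "Mozilla/5.0"
  10.0.0.5 - - [12/Jan/2026:10:00:06 +0000] "GET /files/../ HTTP/1.1" 404 0 "-" "curl/8.0"
LOG

# Combined-log request line: client IP, timestamp, method, path, status.
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[(?<time>[^\]]+)\] "(?<method>\S+) (?<path>\S+) [^"]*" (?<status>\d{3}) /

Hit = Struct.new(:ip, :time, :path, :status)

# True when the request path, after percent-decoding and with any query
# string dropped, contains a ".." segment. Matching on whole segments
# avoids flagging names such as "..config" that merely contain dots.
def traversal_path?(raw_path)
  path = raw_path.split('?', 2).first
  decoded = path.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
  decoded.split('/').include?('..')
end

# Mirrors the advisory's SIEM query: traversal paths answered with 200
# (listing served) or 403 (blocked, but still a probe worth recording).
def traversal_hits(log_text, statuses: %w[200 403])
  log_text.each_line.filter_map do |line|
    m = LOG_LINE.match(line) or next
    next unless traversal_path?(m[:path]) && statuses.include?(m[:status])
    Hit.new(m[:ip], m[:time], m[:path], m[:status].to_i)
  end
end

# Clients with repeated traversal hits, the "multiple responses" indicator.
def repeat_offenders(hits, min: 2)
  hits.group_by(&:ip).select { |_, h| h.size >= min }.keys
end

if $PROGRAM_NAME == __FILE__
  hits = traversal_hits(SAMPLE_LOG)
  hits.each { |h| puts "#{h.time} #{h.ip} #{h.status} #{h.path}" }
  puts "repeat offenders: #{repeat_offenders(hits).inspect}"
end
```

Widen the `statuses:` list if you also want to see traversal probes that the server answered with 404, which the advisory's query leaves out.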