CVE-2026-25500

5.4 MEDIUM

📋 TL;DR

This vulnerability allows cross-site scripting (XSS) in Rack's directory listing feature. When Rack::Directory generates an HTML directory index, it does not neutralize filenames that begin with the 'javascript:' URL scheme, so the generated links execute attacker-controlled JavaScript when a user clicks them. This affects Ruby web applications that run a vulnerable Rack version with directory listings enabled.

💻 Affected Systems

Products:
  • Rack (Ruby web server interface)
Versions: All versions before 2.2.22, 3.1.20, and 3.2.5
Operating Systems: All operating systems running Ruby with Rack
Default Config Vulnerable: ✅ No
Notes: Only vulnerable when Rack::Directory is used to serve directory listings, which is not the default configuration for most applications.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could execute arbitrary JavaScript in victims' browsers, potentially stealing session cookies, performing actions as the user, or redirecting to malicious sites.

🟠 Likely Case

Limited XSS attacks requiring user interaction (clicking on malicious file links) in directory listings, potentially leading to session hijacking or credential theft.

🟢 If Mitigated

No impact if directory listings are disabled or proper input sanitization is implemented.

🌐 Internet-Facing: MEDIUM - Requires user interaction and directory listing access, but could lead to account compromise if exploited.
🏢 Internal Only: LOW - Internal users clicking malicious links could be affected, but attack surface is limited.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires attackers to upload or create files with 'javascript:' prefixed names in directories served by Rack::Directory, then trick users into clicking the generated links.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Rack 2.2.22, 3.1.20, or 3.2.5

Vendor Advisory: https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp

Restart Required: Yes

Instructions:

1. Update your Gemfile to require rack >=2.2.22, >=3.1.20, or >=3.2.5 (whichever branch you are on).
2. Run 'bundle update rack'.
3. Restart your Ruby application server.

🔧 Temporary Workarounds

Disable directory listings (Platform: all)

Disable Rack::Directory usage in your application configuration.

# In config.ru or application config, remove or comment out use of Rack::Directory

Filename sanitization middleware (Platform: all)

Add middleware to sanitize filenames before Rack::Directory processes them.

# Implement custom middleware that filters or renames files starting with 'javascript:'

🧯 If You Can't Patch

  • Disable directory listing functionality entirely in your application
  • Implement web application firewall (WAF) rules to block requests containing 'javascript:' in directory paths

🔍 How to Verify

Check if Vulnerable:

Check whether your application uses Rack::Directory and whether the resolved Rack version is below the fix for its branch (2.2.22, 3.1.20, or 3.2.5).

Check Version:

bundle show rack | grep rack

Verify Fix Applied:

Verify Rack version is >=2.2.22, >=3.1.20, or >=3.2.5 and test directory listings with 'javascript:' prefixed filenames
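The version check above, as an added Ruby example (not part of the advisory or the Rack project): it reads the resolved rack version from a Gemfile.lock and compares it against the fixed releases named on this page, using only the Ruby standard library. The sample lockfile is constructed for the example.

```ruby
# Added example, not from the advisory or the Rack project: flag a locked
# Rack version that predates the fixes for CVE-2026-25500.
require "rubygems"

# Fixed releases listed in the advisory, keyed by maintained branch.
RACK_FIXED = {
  "2.2" => Gem::Version.new("2.2.22"),
  "3.1" => Gem::Version.new("3.1.20"),
  "3.2" => Gem::Version.new("3.2.5"),
}.freeze

# True when `version` is older than the fix for its branch. Branches with no
# listed fix (e.g. 3.0.x, 1.x) predate every fixed release and are treated
# as vulnerable; anything newer than the newest fix (e.g. a later 3.x) is not.
def rack_vulnerable?(version)
  v = Gem::Version.new(version)
  fixed = RACK_FIXED[v.segments.first(2).join(".")]
  fixed ? v < fixed : v < RACK_FIXED.values.max
end

# Extract the resolved rack version from Gemfile.lock text. Top-level gems in
# the specs block are indented by exactly four spaces; dependency lines
# (six spaces) and gems such as rack-session are deliberately not matched.
def locked_rack_version(lockfile_text)
  m = lockfile_text.match(/^ {4}rack \((\d+\.\d+\.\d+[^)]*)\)/)
  m && m[1]
end

# Constructed sample lockfile (not from any real project).
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (3.1.12)
      rack-session (2.1.0)
        rack (>= 3.0.0)
LOCK

if __FILE__ == $PROGRAM_NAME
  text = File.exist?("Gemfile.lock") ? File.read("Gemfile.lock") : SAMPLE_LOCK
  ver = locked_rack_version(text)
  if ver
    status = rack_vulnerable?(ver) ? "VULNERABLE (CVE-2026-25500)" : "fixed"
    puts "rack #{ver}: #{status}"
  else
    puts "rack not found in lockfile"
  end
end
```

Run it from the application root; with no Gemfile.lock present it falls back to the constructed sample.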

📡 Detection & Monitoring

Log Indicators:

  • Requests to directory listings with 'javascript:' in filenames
  • Unusual file uploads with 'javascript:' prefixes

Network Indicators:

  • HTTP requests containing 'javascript:' in URL paths to directory endpoints

SIEM Query:

source="web_logs" AND (url="*javascript:*" OR filename="*javascript:*") AND path="*/directory/*"
