Description
Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.
Published: 2026-02-18
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Directory Traversal allowing unintended directory listings and potential access to sensitive files
Action: Immediate Patch
AI Analysis

Impact

Rack, a modular Ruby web server interface, implements directory listing through the Rack::Directory middleware. Prior to the fixed releases, the middleware validated a requested path by comparing the expanded path against the configured root with a simple string prefix comparison. Because of this flaw, a request such as '/../root_example/' passes the check whenever the resolved path merely begins with the root string, so directories outside the intended root can be listed. The exposed data can include configuration files, source code, or other sensitive files located outside the configured root, compromising confidentiality.
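As an added illustration of the flaw described above (this is not Rack's own code, and the root and request paths are constructed sample values), the following Ruby shows a plain string-prefix check beside a hardened one that also requires a path separator after the root. The request path mirrors the advisory's `/../root_example/` example: a sibling directory whose name happens to begin with the root's name.

```ruby
# Added illustration, not Rack's own code. ROOT and the request paths are
# constructed sample values chosen to mirror the advisory's "/../root_example/"
# example: a sibling directory whose name begins with the root's name.
ROOT = "/srv/app/root"

# Resolve a request path against the root without touching the filesystem.
# File.join followed by File.expand_path collapses "." and ".." segments, so
# "/../root_example/" under "/srv/app/root" becomes "/srv/app/root_example".
def resolve(root, request_path)
  expanded_root = File.expand_path(root)
  [expanded_root, File.expand_path(File.join(expanded_root, request_path))]
end

# The weak check described in the advisory: a plain string-prefix test. A
# sibling such as "/srv/app/root_example" starts with "/srv/app/root", so it
# is wrongly accepted as being inside the root.
def inside_root_by_prefix?(root, request_path)
  expanded_root, candidate = resolve(root, request_path)
  candidate.start_with?(expanded_root)
end

# Hardened check: the candidate must be the root itself or lie strictly
# beneath it, which means the character following the root prefix has to be
# a path separator. This is what distinguishes "/srv/app/root/css" from
# "/srv/app/root_example".
def inside_root?(root, request_path)
  expanded_root, candidate = resolve(root, request_path)
  return true if candidate == expanded_root
  candidate.start_with?(expanded_root + File::SEPARATOR)
end

# Run both checks over a set of requests and report the verdict of each; the
# request on which they disagree is exactly the traversal case.
def compare_checks(root, request_paths)
  request_paths.to_h do |path|
    [path, { prefix: inside_root_by_prefix?(root, path), hardened: inside_root?(root, path) }]
  end
end

if __FILE__ == $PROGRAM_NAME
  compare_checks(ROOT, ["/", "/css/app.css", "/../root_example/"]).each do |path, result|
    puts format("%-20s prefix=%-5s hardened=%s", path, result[:prefix], result[:hardened])
  end
end
```

Both checks accept `/` and `/css/app.css`; only the prefix check accepts `/../root_example/`, which resolves to `/srv/app/root_example`. Note that `File.expand_path` is purely lexical, so this comparison says nothing about symlinks inside the root; that is a separate control.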

Affected Systems

The vulnerability affects Rack installations running versions earlier than 2.2.22, 3.1.20, or 3.2.5. Affected versions are distributed by the Rack project and used by Ruby web applications that rely on the Rack::Directory middleware for static file serving and directory listings.

Risk and Exploitability

The CVSS score of 7.5 indicates high severity. The EPSS score is below 1%, suggesting a low current probability of exploitation, though targeted attacks remain feasible. The vulnerability is not listed in the CISA KEV catalog. Attackers can exploit it remotely by sending HTTP requests to an application that uses Rack::Directory. Successful exploitation lists directories outside the configured root, potentially exposing sensitive information without requiring authentication.

Generated by OpenCVE AI on April 17, 2026 at 18:34 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Rack to version 2.2.22 or later, 3.1.20 or later, or 3.2.5 or later to apply the fix.
  • Restart the application or web server so that the updated Rack library is loaded.
  • If upgrading is temporarily infeasible, configure the application to disable or limit directory listing functionality provided by Rack::Directory to prevent exposure of unintended files.


Advisories
Source        ID                   Title
Debian DLA    DLA-4505-1           ruby-rack security update
Debian DSA    DSA-6180-1           ruby-rack security update
Github GHSA   GHSA-mxw3-3hh2-x2mh  Rack has a Directory Traversal via Rack:Directory
History

Thu, 19 Feb 2026 18:30:00 +0000

Type    Values Removed    Values Added
CPEs                      cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*

Thu, 19 Feb 2026 12:15:00 +0000

Type                      Values Removed    Values Added
References
Metrics threat_severity   None              Important


Thu, 19 Feb 2026 10:30:00 +0000

Type                   Values Removed    Values Added
First Time appeared                      Rack
                                         Rack rack
Vendors & Products                       Rack
                                         Rack rack

Wed, 18 Feb 2026 20:15:00 +0000

Type           Values Removed    Values Added
Metrics ssvc                     {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 18 Feb 2026 19:15:00 +0000

Type               Values Removed    Values Added
Description                          Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.
Title                                Rack has a Directory Traversal via Rack:Directory
Weaknesses                           CWE-22
                                     CWE-548
References
Metrics cvssV3_1                     {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-18T19:28:38.445Z

Reserved: 2026-01-12T16:20:16.746Z

Link: CVE-2026-22860

Vulnrichment

Updated: 2026-02-18T19:28:26.018Z

NVD

Status : Analyzed

Published: 2026-02-18T19:21:43.933

Modified: 2026-02-19T18:27:09.117

Link: CVE-2026-22860

Redhat

Severity : Important

Public Date: 2026-02-18T18:45:02Z

Links: CVE-2026-22860 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T18:45:25Z

Weaknesses