Description
Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename starts with the `javascript:` scheme (e.g. `javascript:alert(1)`), the generated index contains an anchor whose `href` is exactly `javascript:alert(1)`. Clicking the entry executes JavaScript in the browser (demonstrated with `alert(1)`). Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.
Published: 2026-02-18
Score: 5.4 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Stored Cross‑Site Scripting in the Rack::Directory index can cause arbitrary JavaScript execution in users' browsers when they click directory links.
Action: Immediate Patch
AI Analysis

Impact

Rack's directory listing generates an anchor for every file on disk. If a file's name begins with the javascript: scheme, the href in the generated index becomes that exact value, allowing the browser to execute JavaScript. This stored XSS flaw can be abused to run arbitrary code, steal session data, or redirect users. The weakness is classified as CWE‑79.

Affected Systems

The flaw affects Rack library versions older than 2.2.22, 3.1.20, and 3.2.5 in Ruby web applications. Any environment running those versions with Rack::Directory enabled and publicly accessible directory listings is vulnerable.

Risk and Exploitability

The vulnerability has a CVSS score of 5.4, indicating moderate severity. Its EPSS is below 1%, suggesting low likelihood of exploitation, and it is not listed in the CISA KEV catalog. Exploitation requires the presence of a file whose basename starts with "javascript:" on the server and a user to click the resulting link in a directory listing, so it is an indirect, user‑side vector.

Generated by OpenCVE AI on April 17, 2026 at 18:33 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Rack to at least version 2.2.22, 3.1.20, or 3.2.5.
  • Remove or rename any files on the server whose names begin with "javascript:" to prevent unsafe href generation.
  • Disable Rack::Directory listing or restrict it to trusted users so that directory indexes are not publicly exposed.

Generated by OpenCVE AI on April 17, 2026 at 18:33 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Debian DLA Debian DLA DLA-4505-1 ruby-rack security update
Debian DSA Debian DSA DSA-6180-1 ruby-rack security update
Github GHSA Github GHSA GHSA-whrj-4476-wvmp Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href
History

Thu, 19 Feb 2026 18:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*

Thu, 19 Feb 2026 10:30:00 +0000

Type Values Removed Values Added
First Time appeared Rack
Rack rack
Vendors & Products Rack
Rack rack

Thu, 19 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

 threat_severity

Moderate

Wed, 18 Feb 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 18 Feb 2026 19:30:00 +0000

Type Values Removed Values Added
Description Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename starts with the `javascript:` scheme (e.g. `javascript:alert(1)`), the generated index contains an anchor whose `href` is exactly `javascript:alert(1)`. Clicking the entry executes JavaScript in the browser (demonstrated with `alert(1)`). Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.
Title Rack's Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href
Weaknesses CWE-79
References
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N'}

Subscriptions

Rack Rack
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-18T19:42:35.101Z

Reserved: 2026-02-02T18:21:42.485Z

Link: CVE-2026-25500

cve-icon Vulnrichment

Updated: 2026-02-18T19:42:08.407Z

cve-icon NVD

Status : Analyzed

Published: 2026-02-18T20:18:36.110

Modified: 2026-02-19T18:26:27.523

Link: CVE-2026-25500

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-02-18T18:59:31Z

Links: CVE-2026-25500 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-17T18:45:25Z

Weaknesses