Rack vulnerabilities
50 known vulnerabilities affecting rack/rack.
Total CVEs: 50
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 26, MEDIUM 23
Vulnerabilities
Page 1 of 3
CVE-2024-25126 | P3 | HIGH | CVSS 7.5 | Affected: ≥ 0.4, < 2.2.8.1; ≥ 3.0.0, < 3.0.9.1 (+2 more) | Published 2024-02-29
CWE-1333
Rack is a modular Ruby web server interface. Carefully crafted content type headers can cause Rack's media type parser to take much longer than expected, leading to a possible denial of service vulnerability (ReDoS, second-degree polynomial). This vulnerability is patched in 3.0.9.1 and 2.2.8.1.
Sources: GHSA, NVD, OSV
CVE-2022-30123 | P3 | CRITICAL | CVSS 10.0 | Affected: ≥ 0, < 2.0.9.1; ≥ 2.1, < 2.1.4.1 (+1 more) | Published 2022-05-27
CWE-150
Possible shell escape sequence injection vulnerability in Rack
There is a possible shell escape sequence injection vulnerability in the Lint and CommonLogger components of Rack. This vulnerability has been assigned the CVE identifier CVE-2022-30123.
Versions Affected: All.
Not affected: None
Fixed Versions: 2.0.9.1, 2.1.4.1, 2.2.3.1
## Impact
Carefully crafted requests can cause shell escape seque
Sources: GHSA, OSV
CVE-2026-22860 | P3 | HIGH | CVSS 7.5 | Fixed in 2.2.22; affected: ≥ 3.0.0, < 3.1.20 (+3 more) | Published 2026-02-18
CWE-22
Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`'s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. Versions 2.2.22,
Sources: GHSA, NVD, OSV
CVE-2025-27610 | P3 | HIGH | CVSS 7.5 | Fixed in 2.2.13; affected: ≥ 3.0.0, < 3.0.14 (+3 more) | Published 2025-03-10
CWE-23
Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.13, 3.0.14, and 3.1.12, `Rack::Static` can serve files under the specified `root:` even if `urls:` are provided, which may expose other files under the specified `root:` unexpectedly. The vulnerability occurs because `Rack::Static` does not properly sanitize user-
Sources: GHSA, NVD, OSV
CVE-2025-61770 | P3 | HIGH | CVSS 7.5 | Fixed in 2.2.19; affected: ≥ 3.1.0, < 3.1.17 (+3 more) | Published 2025-10-07
CWE-400
Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` buffers the entire multipart preamble (bytes before the first boundary) in memory without any size limit. A client can send a large preamble followed by a valid boundary, causing significant memory use and potential process terminatio
Sources: GHSA, NVD, OSV
CVE-2026-34785 | P3 | HIGH | CVSS 7.5 | Fixed in 2.2.23; affected: ≥ 3.0.0, < 3.1.21 (+3 more) | Published 2026-04-02
CWE-187
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path that begins with that string, including unrelated paths such as "/css-con
Sources: GHSA, NVD, OSV
CVE-2026-34829 | P3 | HIGH | CVSS 7.5 | Fixed in 2.2.23; affected: ≥ 3.0.0, < 3.1.21 (+3 more) | Published 2026-04-02
CWE-400
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser only wraps the request body in a BoundedIO when CONTENT_LENGTH is present. When a multipart/form-data request is sent without a Content-Length header, such as with HTTP chunked transfer encoding, multipart parsing continues until end-of-st
Sources: GHSA, NVD, OSV
CVE-2026-34830 | P3 | HIGH | CVSS 7.5 | Fixed in 2.2.23; affected: ≥ 3.0.0, < 3.1.21 (+3 more) | Published 2026-04-02
CWE-625
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Sendfile#map_accel_path interpolates the value of the X-Accel-Mapping request header directly into a regular expression when rewriting file paths for X-Accel-Redirect. Because the header value is not escaped, an attacker who can supply X-Accel-Mapping to th
Sources: GHSA, NVD, OSV
CVE-2026-34827 | P3 | HIGH | CVSS 7.5 | Affected: ≥ 3.0.0, < 3.1.21; ≥ 3.2.0, < 3.2.6 (+2 more) | Published 2026-04-02
CWE-400
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Multipart::Parser#handle_mime_head parses quoted multipart parameters such as Content-Disposition: form-data; name="..." using repeated String#index searches combined with String#slice! prefix deletion. For escape-heavy quoted valu
Sources: GHSA, NVD, OSV
CVE-2026-34230 | P3 | HIGH | CVSS 7.5 | Fixed in 2.2.23; affected: ≥ 3.0.0, < 3.1.21 (+3 more) | Published 2026-04-02
CWE-400
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.select_best_encoding processes Accept-Encoding values with quadratic time complexity when the header contains many wildcard (*) entries. Because this method is used by Rack::Deflater to choose a response encoding, an unauthenticated attacker can send
Sources: GHSA, NVD, OSV
CVE-2025-27111 | P3 | HIGH | CVSS 7.5 | Fixed in 2.2.12; affected: ≥ 3.0.0, < 3.0.13 (+3 more) | Published 2025-03-04
CWE-93
Rack is a modular Ruby web server interface. The Rack::Sendfile middleware logs unsanitised header values from the X-Sendfile-Type header. An attacker can exploit this by injecting escape sequences (such as newline characters) into the header, resulting in log injection. This vulnerability is fixed in 2.2.12, 3.0.13, and 3.1.11.
Sources: GHSA, NVD, OSV
CVE-2020-8161 | P3 | HIGH | Affected: ≥ 0, < 2.1.3 | Published 2020-07-06
CWE-22
Directory traversal in Rack::Directory app bundled with Rack
A directory traversal vulnerability exists in rack < 2.2.0 that allows an attacker to perform directory traversal in the Rack::Directory app that is bundled with Rack, which could result in information disclosure.
Sources: GHSA, OSV
CVE-2025-46727 | P3 | HIGH | CVSS 7.5 | Fixed in 2.2.14; affected: ≥ 3.0.0, < 3.0.16 (+3 more) | Published 2025-05-07
CWE-400
Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, and 3.1.14, `Rack::QueryParser` parses query strings and `application/x-www-form-urlencoded` bodies into Ruby data structures without imposing any limit on the number of parameters, allowing attackers to send requests with extremely large numbers of parameters. The vulnerab
Sources: GHSA, NVD, OSV
CVE-2025-61772 | P3 | HIGH | CVSS 7.5 | Fixed in 2.2.19; affected: ≥ 3.1.0, < 3.1.17 (+3 more) | Published 2025-10-07
CWE-400
Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` can accumulate unbounded data when a multipart part's header block never terminates with the required blank line (`CRLFCRLF`). The parser keeps appending incoming bytes to memory without a size cap, allowing a remote attacker to exhau
Sources: GHSA, NVD, OSV
CVE-2025-59830 | P3 | HIGH | CVSS 7.5 | Fixed in 2.2.18 | Published 2025-09-25
CWE-400
Rack is a modular Ruby web server interface. Prior to version 2.2.18, Rack::QueryParser enforces its params_limit only for parameters separated by &, while still splitting on both & and ;. As a result, attackers could use ; separators to bypass the parameter count limit and submit more parameters than intended. Applications or middleware that directly
Sources: GHSA, NVD, OSV
CVE-2025-61919 | P3 | HIGH | CVSS 7.5 | Fixed in 2.2.20; affected: ≥ 3.0.0, < 3.1.18 (+3 more) | Published 2025-10-10
CWE-400
Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, `Rack::Request#POST` reads the entire request body into memory for `Content-Type: application/x-www-form-urlencoded`, calling `rack.input.read(nil)` without enforcing a length or cap. Large request bodies can therefore be buffered completely into process memory b
Sources: GHSA, NVD, OSV
CVE-2025-61771 | P3 | HIGH | CVSS 7.5 | Fixed in 2.2.19; affected: ≥ 3.1.0, < 3.1.17 (+3 more) | Published 2025-10-07
CWE-400
Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, `Rack::Multipart::Parser` stores non-file form fields (parts without a `filename`) entirely in memory as Ruby `String` objects. A single large text field in a multipart/form-data request (hundreds of megabytes or more) can consume equivalent process memory, p
Sources: GHSA, NVD, OSV
CVE-2026-34826 | P3 | HIGH | CVSS 7.5 | Fixed in 2.2.23; affected: ≥ 3.0.0, < 3.1.21 (+1 more) | Published 2026-04-02
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.get_byte_ranges parses the HTTP Range header without limiting the number of individual byte ranges. Although the existing fix for CVE-2024-26141 rejects ranges whose total byte coverage exceeds the file size, it does not restrict the count of ranges. An attac
Sources: GHSA, NVD, OSV
CVE-2024-26146 | P3 | HIGH | CVSS 7.5 | Affected: ≥ 0.4, < 2.0.9.4; ≥ 2.1.0, < 2.1.4.4 (+2 more) | Published 2024-02-29
CWE-1333
Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expected resulting in a possible denial of service issue. Accept and Forwarded headers are impacted. Ruby 3.2 has mitigations for this problem, so Rack applications using Ruby 3.2 or newer are unaffected. This vulnerability is f
Sources: GHSA, NVD, OSV
CVE-2023-27530 | P3 | HIGH | CVSS 7.5 | Fixed in 2.0.9.3; affected: ≥ 2.1.0, < 2.1.4.3 (+2 more) | Published 2023-03-10
CWE-400
A DoS vulnerability exists in Rack <v3.0.4.2, <v2.2.6.3, <v2.1.4.3 and <v2.0.9.3 within the Multipart MIME parsing code, which could allow an attacker to craft requests that can be abused to cause multipart parsing to take longer than expected.
Sources: GHSA, NVD, OSV