What vulnerabilities were found in the Rack Ruby framework?

Researchers from OPSWAT identified three security vulnerabilities in the Rack Ruby framework: CVE-2025-27610 (CVSS score: 7.5): A path traversal vulnerability in Rack::Static middleware CVE-2025-27111 (CVSS score: 6.9): An improper neutralization of CRLF sequences vulnerability CVE-2025-25184 (CVSS score: 5.7): Another CRLF injection vulnerability

What can attackers do with the CVE-2025-27610 vulnerability?

The path traversal vulnerability (CVE-2025-27610) could allow unauthenticated attackers to access files outside the designated static file directory. Attackers could potentially retrieve sensitive information including configuration files, credentials, and confidential data.

What is the impact of the CRLF vulnerabilities (CVE-2025-27111 and CVE-2025-25184)?

The CRLF vulnerabilities allow attackers to manipulate log entries and distort log files. CVE-2025-27111 involves improper neutralization of CRLF sequences, while CVE-2025-25184 enables attackers to manipulate log content through malicious header values.

How does the path traversal vulnerability work?

The vulnerability occurs in the request handling process: When Rack::Static receives an HTTP request, the `call` method is invoked The middleware checks if the request matches configured URL prefixes using `can_serve(path)` and `overwrite_file_path(path)` If matched, it constructs a file path by combining the `:root` directory with the user-supplied `PATH_INFO` This construction lacks proper path normalization or sanitization If `PATH_INFO` contains directory traversal sequences (e.g., `../`), the resolved path could point to files outside the intended directory

How can users mitigate these vulnerabilities?

To address these vulnerabilities, users should: Update to the latest version of Rack If immediate patching isn't possible, remove usage of Rack::Static

Advisory

Multiple vulnerabilities reported in Rack Ruby Framework

Q: Which vulnerability poses the most significant risk?

CVE-2025-27610 (with a CVSS score of 7.5) poses the most significant risk. This path traversal vulnerability could enable attackers to retrieve sensitive information including configuration files, credentials, and confidential data, potentially leading to serious data breaches.

published: April 25, 2025

Take action: Check your Ruby code for the Rack Ruby framework. If you are using it and you are using Rack::Static your site is at risk. Update the Rack Ruby framework or stop using Rack::Static in your code.

Learn More

Security researchers are reporting several vulnerabilities in the Rack Ruby framework that could allow attackers to access sensitive files outside intended directories.

Researchers from OPSWAT have identified three security vulnerabilities in the Rack Ruby framework:

CVE-2025-27610 (CVSS score: 7.5): A path traversal vulnerability in Rack::Static middleware that could allow unauthenticated attackers to access files outside the designated static file directory
CVE-2025-27111 (CVSS score: 6.9): An improper neutralization of CRLF sequences vulnerability allowing attackers to manipulate log entries and distort log files
CVE-2025-25184 (CVSS score: 5.7): Another CRLF injection vulnerability enabling attackers to manipulate log content through malicious header values

Of these vulnerabilities, CVE-2025-27610 poses the most significant risk as it could enable attackers to retrieve sensitive information including configuration files, credentials, and confidential data, potentially leading to serious data breaches.

The path traversal vulnerability in Rack::Static stems from improper handling of the :root option. When this parameter is not explicitly defined, Rack defaults to using the current working directory (Dir.pwd) as the web root. The middleware then directly concatenates incoming URL paths with this directory without sufficient validation or sanitization.

The issue occurs in the request handling process:

When Rack::Static receives an HTTP request, the call method is invoked
The middleware checks if the request matches configured URL prefixes using can_serve(path) and overwrite_file_path(path)
If matched, it constructs a file path by combining the :root directory with the user-supplied PATH_INFO
This construction lacks proper path normalization or sanitization
If PATH_INFO contains directory traversal sequences (e.g., ../), the resolved path could point to files outside the intended directory

To address these vulnerabilities, users should:

Update to the latest version of Rack
If immediate patching isn't possible remove usage of Rack::Static

Multiple vulnerabilities reported in Rack Ruby Framework

Read More
Jenkins warns of critical flaw exposing servers to …
TeamPCP Compromises Telnyx Python SDK on PyPI Using …
Critical vulnerability reported in Langflow AI Builder enabling …
Cascading GitHub action supply chain attacks: reviewdog/action-setup leads …
Critical remote code execution vulnerabilities reported in React …