rack (rubygems) security advisories

MEDIUM 4.8

RubyGems

CVE-2026-32762

Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing

Apr 2, 2026

MEDIUM 4.8

RubyGems

CVE-2026-34835

Rack::Request accepts invalid Host characters, enabling host allowlist bypass

Apr 2, 2026

MEDIUM 4.8

RubyGems

CVE-2026-34831

Rack has Content-Length mismatch in Rack::Files error responses

Apr 2, 2026

MEDIUM 4.8

RubyGems

CVE-2026-26962

Rack's improper unfolding of folded multipart headers preserves CRLF in parsed parameter values

Apr 2, 2026

MEDIUM 5.9

RubyGems

CVE-2026-34830

Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect

Apr 2, 2026

HIGH 7.5

RubyGems

CVE-2026-34230

Rack has quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header

Apr 2, 2026

HIGH 7.5

RubyGems

CVE-2026-34829

Rack's multipart parsing without Content-Length header allows unbounded chunked file uploads

Apr 2, 2026

MEDIUM 5.3

RubyGems

CVE-2026-26961

Rack's greedy multipart boundary parsing can cause parser differentials and WAF bypass.

Apr 2, 2026

MEDIUM 5.3

RubyGems

CVE-2026-34763

Rack has a root directory disclosure via unescaped regex interpolation in Rack::Directory

Apr 2, 2026

HIGH 7.5

RubyGems

CVE-2026-34827

Rack's multipart header parsing allows Denial of Service via escape-heavy quoted parameters

Apr 2, 2026

MEDIUM 5.3

RubyGems

CVE-2026-34826

Rack's multipart byte range processing allows denial of service via excessive overlapping ranges

Apr 2, 2026

MEDIUM 5.3

RubyGems

CVE-2026-34786

Rack:: Static header_rules bypass via URL-encoded paths

Apr 2, 2026

HIGH 7.5

RubyGems

CVE-2026-34785

Rack::Static prefix matching can expose unintended files under the static root

Apr 2, 2026

MEDIUM 4.2

RubyGems

CVE-2025-32441

Rack session gets restored after deletion

May 8, 2025

HIGH 7.5

RubyGems

CVE-2025-59830

Rack has an unsafe default in Rack::QueryParser allows params_limit bypass via semicolon-separated parameters

Sep 25, 2025

MEDIUM 6.3

RubyGems

CVE-2019-16782

Possible Information Leak / Session Hijack Vulnerability in Rack

Dec 18, 2019

MEDIUM 5.4

RubyGems

CVE-2026-25500

Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href

Feb 17, 2026

HIGH 7.5

RubyGems

CVE-2026-22860

Rack has a Directory Traversal via Rack:Directory

Feb 17, 2026

HIGH 7.5

RubyGems

CVE-2025-61771

Rack: Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)

Oct 7, 2025

HIGH 7.5

RubyGems

CVE-2025-61919

Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing

Oct 10, 2025

UNKNOWN

RubyGems

CVE-2025-27111

Escape Sequence Injection vulnerability in Rack lead to Possible Log Injection

Mar 4, 2025

MEDIUM 5.8

RubyGems

CVE-2025-61780

Rack has a Possible Information Disclosure Vulnerability

Oct 10, 2025

HIGH 7.5

RubyGems

CVE-2025-61772

Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)

Oct 7, 2025

HIGH 7.5

RubyGems

CVE-2025-46727

Rack has an Unbounded-Parameter DoS in Rack::QueryParser

May 8, 2025

MEDIUM 5.3

RubyGems

CVE-2024-25126

Rack vulnerable to ReDoS in content type parsing (2nd degree polynomial)

Feb 28, 2024

UNKNOWN

RubyGems

CVE-2024-26141

Rack has possible DoS Vulnerability with Range Header

Feb 28, 2024

HIGH 7.5

RubyGems

CVE-2025-27610

Local File Inclusion in Rack::Static

Mar 10, 2025

MEDIUM 6.5

RubyGems

CVE-2024-39316

Rack ReDoS Vulnerability in HTTP Accept Headers Parsing

Jul 3, 2024

MEDIUM 6.5

RubyGems

CVE-2025-25184

Possible Log Injection in Rack::CommonLogger

Feb 12, 2025

UNKNOWN

RubyGems

CVE-2024-26146

Rack Header Parsing leads to Possible Denial of Service Vulnerability

Feb 28, 2024

HIGH 7.5

RubyGems

CVE-2025-61770

Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion)

Oct 7, 2025

UNKNOWN

RubyGems

CVE-2025-49007

ReDoS Vulnerability in Rack::Multipart handle_mime_head

Jun 5, 2025

HIGH 7.5

RubyGems

CVE-2022-44570

Denial of service via header parsing in Rack

Jan 18, 2023

HIGH 7.5

RubyGems

CVE-2023-27530

Rack has possible DoS Vulnerability in Multipart MIME parsing

Mar 8, 2023

UNKNOWN

RubyGems

CVE-2023-27539

Possible Denial of Service Vulnerability in Rack's header parsing

Mar 15, 2023

UNKNOWN

RubyGems

CVE-2013-0184

Rack vulnerable to Denial of Service

May 5, 2022

UNKNOWN

RubyGems

CVE-2013-0263

Rack arbitrary code execution via timing attack

May 5, 2022

UNKNOWN

RubyGems

CVE-2013-0183

Rack rubygems receiving excessively long lines triggers out-of-memory error

Oct 24, 2017

UNKNOWN

RubyGems

CVE-2015-3225

Rack vulnerable to Denial of Service via large parameter depth request

Oct 24, 2017

UNKNOWN

RubyGems

GHSA-9vc2-p34x-jhxh

Moderate severity vulnerability that affects rack

Sep 17, 2018

UNKNOWN

RubyGems

CVE-2022-44572

Denial of service via multipart parsing in Rack

Jan 18, 2023

UNKNOWN

RubyGems

CVE-2022-44571

Denial of Service Vulnerability in Rack Content-Disposition parsing

Jan 18, 2023

UNKNOWN

RubyGems

CVE-2011-5036

Rack Gem Subject to Denial of Service via Hash Collisions

May 17, 2022

UNKNOWN

RubyGems

CVE-2012-6109

Rack vulnerable to REDoS

Oct 24, 2017

UNKNOWN

RubyGems

CVE-2013-0262

Rack Vulnerable to Path Traversal

Oct 24, 2017

HIGH 8.6

RubyGems

CVE-2020-8161

Directory traversal in Rack::Directory app bundled with Rack

Jul 6, 2020

CRITICAL 10.0

RubyGems

CVE-2022-30123

Possible shell escape sequence injection vulnerability in Rack

May 27, 2022

HIGH 7.5

RubyGems

CVE-2022-30122

Denial of Service Vulnerability in Rack Multipart Parsing

May 27, 2022

MEDIUM 6.1

RubyGems

CVE-2018-16471

Rack vulnerable to Cross-site Scripting

Nov 15, 2018

HIGH 7.5

RubyGems

CVE-2020-8184

Rack allows Percent-encoded cookies to overwrite existing prefixed cookie names

Jun 24, 2020

HIGH 7.5

RubyGems

CVE-2018-16470

Rack vulnerable to Denial of Service

Nov 15, 2018

rack

Vulnerabilities

Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing

Rack::Request accepts invalid Host characters, enabling host allowlist bypass

Rack has Content-Length mismatch in Rack::Files error responses

Rack's improper unfolding of folded multipart headers preserves CRLF in parsed parameter values

Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect

Rack has quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header

Rack's multipart parsing without Content-Length header allows unbounded chunked file uploads

Rack's greedy multipart boundary parsing can cause parser differentials and WAF bypass.

Rack has a root directory disclosure via unescaped regex interpolation in Rack::Directory

Rack's multipart header parsing allows Denial of Service via escape-heavy quoted parameters

Rack's multipart byte range processing allows denial of service via excessive overlapping ranges

Rack:: Static header_rules bypass via URL-encoded paths

Rack::Static prefix matching can expose unintended files under the static root

Rack session gets restored after deletion

Rack has an unsafe default in Rack::QueryParser allows params_limit bypass via semicolon-separated parameters

Possible Information Leak / Session Hijack Vulnerability in Rack

Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href

Rack has a Directory Traversal via Rack:Directory

Rack: Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion)

Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing

Escape Sequence Injection vulnerability in Rack lead to Possible Log Injection

Rack has a Possible Information Disclosure Vulnerability

Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)

Rack has an Unbounded-Parameter DoS in Rack::QueryParser

Rack vulnerable to ReDoS in content type parsing (2nd degree polynomial)

Rack has possible DoS Vulnerability with Range Header

Local File Inclusion in Rack::Static

Rack ReDoS Vulnerability in HTTP Accept Headers Parsing

Possible Log Injection in Rack::CommonLogger

Rack Header Parsing leads to Possible Denial of Service Vulnerability

Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion)

ReDoS Vulnerability in Rack::Multipart handle_mime_head

Denial of service via header parsing in Rack

Rack has possible DoS Vulnerability in Multipart MIME parsing

Possible Denial of Service Vulnerability in Rack's header parsing

Rack vulnerable to Denial of Service

Rack arbitrary code execution via timing attack

Rack rubygems receiving excessively long lines triggers out-of-memory error

Rack vulnerable to Denial of Service via large parameter depth request

Moderate severity vulnerability that affects rack

Denial of service via multipart parsing in Rack

Denial of Service Vulnerability in Rack Content-Disposition parsing

Rack Gem Subject to Denial of Service via Hash Collisions

Rack vulnerable to REDoS

Rack Vulnerable to Path Traversal

Directory traversal in Rack::Directory app bundled with Rack

Possible shell escape sequence injection vulnerability in Rack

Denial of Service Vulnerability in Rack Multipart Parsing

Rack vulnerable to Cross-site Scripting

Rack allows Percent-encoded cookies to overwrite existing prefixed cookie names

Rack vulnerable to Denial of Service

Start Securing