Rack has a Directory Traversal via Rack:Directory
GHSA-mxw3-3hh2-x2mh · CVE-2026-22860
Published · Modified
Description
Summary
Rack::Directory’s path check used a string prefix match on the expanded path. A request like /../root_example/ can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root.
Details
In directory.rb, File.expand_path(File.join(root, path_info)).start_with?(root) does not enforce a path boundary. If the server root is /var/www/root, a path like /var/www/root_backup passes the check because it shares the same prefix, so Rack::Directory will list that directory also.
Impact
Information disclosure via directory listing outside the configured root when Rack::Directory is exposed to untrusted clients and a directory shares the root prefix (e.g., public2, www_backup).
Mitigation
- Update to a patched version of Rack that correctly checks the root prefix.
- Don't name directories with the same prefix as one which is exposed via
Rack::Directory.
References
- WEB https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh
- ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2026-22860
- WEB https://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7
- PACKAGE https://github.com/rack/rack
- WEB https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-22860.yml
Ready to move
Start Securing
Free, no credit card | First findings in minutes