Platform: ruby
Component: rack
Fixed in: 2.2.14, 3.0.1, 3.1.1, 2.2.13
CVE-2025-27610 describes a path traversal vulnerability in Rack::Static, the static-file middleware shipped in the Ruby `rack` gem. The flaw lets attackers read files outside the intended static file directory, leading to unauthorized data exposure. The vulnerability affects versions of Rack::Static up to and including 2.2.9. A fix is available in version 2.2.13.
The root cause is Rack::Static's inadequate sanitization of user-supplied paths. A crafted request containing encoded path traversal sequences (e.g., ../) can bypass validation and walk the file system, which grants access to files outside the configured static root. The impact is significant: an attacker could retrieve sensitive configuration files, source code, or other confidential data stored on the server. Because any application that uses Rack::Static to serve static content is exposed, the blast radius is wide.
CVE-2025-27610 was publicly disclosed on March 10, 2025. No public proof-of-concept exploit is currently known, but the nature of the vulnerability makes it likely that one will emerge. Its severity and ease of exploitation suggest a medium probability of exploitation (EPSS score likely medium). It is not currently listed in the CISA KEV catalog.
Applications that use Rack::Static to serve static content, particularly in production, are at risk. Shared hosting environments, where several applications share one server and file system, are especially exposed, since a compromise of one application could reveal files belonging to the others. Legacy applications pinned to older Rack::Static versions are also at increased risk.
• ruby / gem: Use gem list to check the installed version of the rack gem, which provides Rack::Static. Look for versions <= 2.2.9.
    gem list rack
• linux / server: Examine web server access logs for requests containing path traversal sequences, plain (../) or percent-encoded (%2e%2e). The dots must be escaped, since an unescaped '.' matches any character and the pattern would hit every request.
    grep -iE '\.\./|%2e%2e' /var/log/nginx/access.log
• generic web: Use curl against your own server to attempt accessing a file outside the intended static directory. curl collapses ../ segments before sending unless --path-as-is is given, so without it the request never exercises the flaw. If the file is returned, the vulnerability is present.
    curl --path-as-is http://your-server/../../../../etc/passwd
Exploit status
EPSS: 0.41% (62nd percentile)
The primary mitigation for CVE-2025-27610 is to upgrade to Rack::Static version 2.2.13 or later, which contains the fix. If an immediate upgrade is not feasible because of compatibility issues or breaking changes, a temporary workaround is to validate and sanitize every user-supplied path before it reaches Rack::Static: for example, enforce a strict allow-list of permitted file extensions, or use a more robust path sanitization library. In addition, review the web server configuration so that access to the static file root is restricted to authorized users and processes. After upgrading, confirm the fix by requesting a file outside the intended static directory with a web browser or another HTTP client; the request should be denied.
Upgrade the `rack` gem to version 2.2.13, 3.0.14 or 3.1.12 or later. Alternatively, remove the use of `Rack::Static`, or make sure that `root:` points to a directory containing only files that are meant to be publicly accessible. Serving the assets from a CDN or a similar static file server could also mitigate the problem.
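The interim workaround described above, validating and canonicalising the request path and allow-listing extensions before Rack::Static sees it, as an added example that is not part of this advisory and not code from the Rack project. The class name StaticPathGuard, the ALLOWED_EXTENSIONS list, the sample directory tree and the sample requests are all constructed for this illustration. Only the Ruby standard library is used: a Rack middleware is any object whose `call(env)` returns `[status, headers, body]`, so the guard runs here without the rack gem and would be inserted with `use StaticPathGuard, root: ...` ahead of `use Rack::Static` in a real config.ru. It complements the upgrade; it does not replace it.

```ruby
# Added example; not from the advisory or the Rack project. StaticPathGuard,
# its extension allow-list and the sample tree below are constructed.
require "uri"
require "tmpdir"
require "fileutils"

class StaticPathGuard
  # Strict allow-list of file extensions the static root is expected to serve.
  ALLOWED_EXTENSIONS = %w[.css .js .png .jpg .svg .ico .woff2].freeze
  MAX_DECODE_ROUNDS = 3

  # root: the directory handed to Rack::Static as `root:`.
  # urls: URL prefixes mapped onto that directory, as Rack::Static's `urls:`.
  def initialize(app, root:, urls: ["/public"])
    @app  = app
    @root = File.expand_path(root)
    @urls = urls
  end

  def call(env)
    path = env["PATH_INFO"].to_s
    # Requests outside the static prefixes are not ours to judge.
    return @app.call(env) unless @urls.any? { |u| path.start_with?(u) }
    unless self.class.safe_static_path?(path, @root)
      return [403, { "content-type" => "text/plain" }, ["Forbidden"]]
    end
    @app.call(env)
  end

  # True only if the fully decoded, canonicalised request path names a regular
  # file strictly inside root and carries an allowed extension.
  def self.safe_static_path?(path, root)
    root = File.realpath(File.expand_path(root))
    decoded = path.dup
    # Decode until stable so "%2e%2e%2f" and the double-encoded
    # "%252e%252e%252f" both surface as "../" before any check runs.
    MAX_DECODE_ROUNDS.times do
      once = begin
        URI.decode_www_form_component(decoded)
      rescue ArgumentError
        return false # malformed percent-encoding
      end
      break if once == decoded
      decoded = once
    end
    return false if decoded.include?("\0")
    # Reject dot-dot segments outright, with either separator.
    return false if decoded.split(%r{[/\\]}).include?("..")
    return false unless ALLOWED_EXTENSIONS.include?(File.extname(decoded).downcase)
    # Canonicalise (symlinks included) and confirm the target stays under root.
    full = File.expand_path(File.join(root, decoded))
    return false unless full.start_with?(root + File::SEPARATOR) && File.file?(full)
    File.realpath(full).start_with?(root + File::SEPARATOR)
  rescue Errno::ENOENT
    false
  end
end

# Constructed sample tree: <tmp>/app is the static root; <tmp>/config/secrets.yml
# lies outside it and stands in for the data a traversal would expose.
def with_sample_root
  Dir.mktmpdir("static-guard") do |tmp|
    root = File.join(tmp, "app")
    FileUtils.mkdir_p(File.join(root, "public"))
    FileUtils.mkdir_p(File.join(tmp, "config"))
    File.write(File.join(root, "public", "app.css"), "body { margin: 0 }")
    File.write(File.join(tmp, "config", "secrets.yml"), "db_password: example")
    yield root
  end
end

# Sends constructed requests through the guard in front of a stub that stands
# in for Rack::Static, and returns the HTTP status each path received.
def guard_statuses(root)
  stub_static = ->(_env) { [200, { "content-type" => "text/css" }, ["served"]] }
  guard = StaticPathGuard.new(stub_static, root: root)
  [
    "/public/app.css",                                   # legitimate asset
    "/public/../../config/secrets.yml",                  # plain traversal
    "/public/%2e%2e/%2e%2e/config/secrets.yml",          # percent-encoded
    "/public/%252e%252e/%252e%252e/config/secrets.yml",  # double-encoded
    "/public/app.css%00.txt",                            # null-byte truncation
    "/public/missing.css",                               # allowed extension, no such file
    "/other",                                            # not a static prefix, passed through
  ].to_h { |p| [p, guard.call("PATH_INFO" => p)[0]] }
end

if __FILE__ == $PROGRAM_NAME
  with_sample_root { |root| guard_statuses(root).each { |p, s| puts "#{s}  #{p}" } }
end
```

The guard deliberately checks in layers: repeated decoding defeats single and double percent-encoding, the segment check catches `..` before any file-system call, the extension allow-list keeps things like `.yml` or `.rb` from ever being served from the root, and the final `realpath` comparison closes the symlink case that a string-prefix check alone would miss. Anything the guard refuses is answered with 403 and never reaches Rack::Static.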
CVE-2025-27610 is a path traversal vulnerability in Rack::Static versions 2.2.9 and below, allowing attackers to access files beyond the intended static directory.
You are affected if your application uses Rack::Static version 2.2.9 or earlier. Check your gem dependencies to determine if you are vulnerable.
Upgrade to Rack::Static version 2.2.13 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation if an upgrade is not immediately possible.
Currently, there are no confirmed reports of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the official Rack project website and Ruby security advisories for the latest information and updates regarding CVE-2025-27610.