Platform: ruby
Component: rack
Fixed in: 2.2.24, 3.0.1, 3.2.1, 2.2.23
CVE-2026-34763 affects versions of the Ruby Rack library up to 2.2.9. This vulnerability stems from improper handling of regular expression metacharacters within the root configuration parameter of Rack::Directory. An attacker could leverage this to expose sensitive filesystem paths through directory listings, potentially leading to information disclosure.
The core of the vulnerability lies in how Rack::Directory constructs the path displayed in directory listings. The root configuration parameter, intended to define the base directory for the listing, is directly interpolated into a regular expression. If this root parameter contains characters like +, *, or ., which have special meaning in regular expressions, the path stripping logic can fail. This failure can result in the HTML output revealing the complete filesystem path, rather than just the intended subdirectory. An attacker could craft a malicious root value to bypass the intended security boundaries and access files outside the intended scope. This could lead to exposure of configuration files, source code, or other sensitive data. The blast radius is limited to the web application using Rack, but the potential impact of data exposure can be significant.
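To make the failure mode concrete, the following is an added example (not code from Rack itself) that models the listing-header step described above: the configured root is interpolated into a regular expression that strips the base directory from the displayed path. Function names and the sample root/path values are this example's own, and the escaped variant is one hardening in the spirit of the fix, not necessarily the exact upstream patch.

```ruby
# Models the path-display step in a directory listing. Constructed example;
# the helper names and sample values are not from Rack.

# Vulnerable form: root goes into the regex verbatim, so "+", "*", "." and
# other metacharacters keep their regex meaning.
def show_path_unescaped(root, path)
  path.sub(/\A#{root}/, '')
end

# Hardened form: Regexp.escape makes every character of root literal, so
# the prefix is stripped regardless of what characters it contains.
def show_path_escaped(root, path)
  path.sub(/\A#{Regexp.escape(root)}/, '')
end

# True when the vulnerable form fails to strip the root, i.e. the full
# filesystem prefix would end up in the rendered listing.
def leaks_root?(root, path)
  show_path_unescaped(root, path).start_with?(root)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values: a root containing "+" (a regex quantifier).
  root = '/srv/app+data'
  path = '/srv/app+data/public'
  puts "unescaped: #{show_path_unescaped(root, path)}"  # /srv/app+data/public
  puts "escaped:   #{show_path_escaped(root, path)}"    # /public
  puts "leaks?     #{leaks_root?(root, path)}"          # true
end
```

With the "+" in the root, the unescaped regex reads "app+data" as "ap, one or more p, data" and never matches the literal path, so nothing is stripped and the full prefix is displayed.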
As of this writing, CVE-2026-34763 is not listed on KEV or EPSS, indicating a low to medium probability of exploitation. No public proof-of-concept (POC) code has been publicly released. The vulnerability was disclosed in April 2026, and active campaigns are not currently known. Monitor security advisories and threat intelligence feeds for any indications of exploitation.
Applications using Rack versions 2.2.9 and earlier are at risk, particularly those that expose directory listing functionality or allow user-controlled configuration of the root parameter. Shared hosting environments where Rack is used and the root path is not carefully managed are also at increased risk.
• ruby / server:
  find / -name 'rack-2.2.9*' -type d -print
• ruby / server:
  grep -rnF 'path.sub(/\A#{root}/' /usr/local/lib/ruby*/gems*/rack-*/lib/rack/directory.rb
  (a match shows the root parameter being interpolated into the regular expression without escaping)
• generic web: Inspect directory listing endpoints for unusual file paths or unexpected content. Examine access logs for requests containing regex metacharacters in the directory path.
Disclosure
Exploit status:
EPSS: 0.04% (11th percentile)
CISA SSVC:
CVSS vector:
The primary mitigation for CVE-2026-34763 is to upgrade to Rack version 2.2.23 or later, which includes the necessary sanitization improvements. If upgrading is not immediately feasible, consider implementing a WAF rule to filter requests containing potentially malicious characters in the root parameter. Alternatively, carefully validate and sanitize the root configuration parameter within your Rack application to prevent the inclusion of regex metacharacters. Review your Rack application's configuration to ensure that the root parameter is not derived from user input or any untrusted source. After upgrading, confirm the fix by attempting to access a directory listing with a crafted root parameter containing regex metacharacters; the listing should not reveal the full filesystem path.
Update the Rack gem to version 2.2.23, 3.1.21 or 3.2.6 or later, as appropriate for your release branch. This fixes the unescaped regular-expression interpolation vulnerability in Rack::Directory.
CVE-2026-34763 is a medium-severity vulnerability in Ruby Rack versions up to 2.2.9. It allows attackers to potentially expose filesystem paths through directory listings due to improper sanitization of the 'root' configuration parameter.
You are affected if you are using Ruby Rack version 2.2.9 or earlier. Check your Rack version and upgrade if necessary.
Upgrade to Ruby Rack version 2.2.23 or later to mitigate the vulnerability. Consider WAF rules as a temporary workaround if an upgrade is not immediately possible.
There is currently no evidence of active exploitation, but the vulnerability's nature suggests it could be exploited once a proof-of-concept is developed.
Refer to the Ruby Rack project's official website and security advisories for the latest information and updates regarding CVE-2026-34763.