Platform: ruby
Component: rack
Fixed in: 2.2.14, 3.0.1, 3.1.1, 2.2.13
CVE-2025-27610 describes a path traversal vulnerability within the Ruby Rack::Static library. This flaw allows attackers to potentially access files beyond the intended static file directory, leading to unauthorized data exposure. The vulnerability affects versions of Rack::Static up to and including 2.2.9. A fix is available in version 2.2.13.
The core of the vulnerability lies in Rack::Static's inadequate sanitization of user-supplied paths. Attackers can use encoded path traversal sequences (e.g., ../) to bypass the intended restrictions and read files outside the designated static file directory, which can expose sensitive configuration files, source code, or other data stored on the server. The impact is significant: an attacker could gain a broad view of the server's file system, potentially leading to further exploitation and compromise. The flaw belongs to the familiar class of path traversal vulnerabilities, in which improper input validation lets attackers navigate the file system beyond its intended boundaries.
CVE-2025-27610 was publicly disclosed on March 10, 2025. The vulnerability's severity is rated HIGH with a CVSS score of 7.5. Currently, there are no known active exploitation campaigns targeting this specific vulnerability. Public proof-of-concept (PoC) code is not widely available, but the nature of path traversal vulnerabilities makes it likely that PoCs will emerge. Monitor security advisories and threat intelligence feeds for updates.
Exploit Status
EPSS: 0.41% (62nd percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-27610 is to upgrade to Rack::Static version 2.2.13 or later, which includes the necessary fix. If an immediate upgrade is not feasible due to compatibility issues, consider implementing a Web Application Firewall (WAF) rule to block requests containing suspicious path traversal sequences. Additionally, carefully review and restrict the `root:` configuration setting in Rack::Static to minimize the potential attack surface. Regularly scan your Ruby applications for outdated Rack dependencies using tools like bundler-audit. After upgrading, confirm the fix by attempting to access files outside the intended static directory; access should be denied.
Update the `rack` gem to version 2.2.13, 3.0.14, 3.1.12 or higher. Alternatively, remove usage of `Rack::Static` or ensure that `root:` points to a directory that only contains files that should be publicly accessible. Using a CDN or similar static file server may also mitigate the problem.
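The two defensive layers discussed above (sanitizing the decoded request path, and confining every served file to the `root:` directory) as an added Ruby example; this is not Rack's own code, and `resolve_static_path`, its arguments and the `/srv/public` root are hypothetical names chosen for illustration.

```ruby
# Added example, not Rack's own code: a defensive path resolver in the style a
# Rack::Static-like handler should use. It percent-decodes the request path
# once, refuses any ".." segment or null byte, and then independently checks
# that the resolved absolute path is still inside +root+. Names are
# hypothetical; +root+ plays the role of the handler's `root:` option.
def resolve_static_path(root, path_info)
  # Decode percent-escapes exactly once, so "%2e%2e" becomes ".." and is
  # caught below, while a double-encoded "%252e" stays a literal "%2e".
  decoded = path_info.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
  return nil if decoded.include?("\0")

  parts = []
  decoded.split("/").each do |seg|
    next if seg.empty? || seg == "."
    return nil if seg == ".."       # reject traversal outright (log it here)
    parts << seg
  end
  return nil if parts.empty?        # no file requested, never serve the root itself

  root_abs  = File.expand_path(root)
  candidate = File.expand_path(File.join(root_abs, *parts))

  # Independent containment check: even if the segment filter above were
  # bypassed, the file must live under root. The trailing separator stops
  # "/srv/public2" from matching "/srv/public".
  return nil unless candidate.start_with?(root_abs + File::SEPARATOR)
  candidate
end
```

A `nil` result is the signal to answer 404 (and to log the request); only a non-nil path is handed to the file-serving code.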
CVE-2025-27610 is a path traversal vulnerability in Rack::Static versions 2.2.9 and below, allowing attackers to access files beyond the intended static directory.
You are affected if your application uses Rack::Static version 2.2.9 or earlier. Check your gem dependencies to determine if you are vulnerable.
Upgrade to Rack::Static version 2.2.13 or later to resolve the vulnerability. Consider WAF rules as a temporary mitigation if an upgrade is not immediately possible.
Currently, there are no confirmed reports of active exploitation, but the vulnerability's nature makes it a potential target.
Refer to the official Rack project website and Ruby security advisories for the latest information and updates regarding CVE-2025-27610.