Platform: ruby
Component: rack
Fixed in: 2.2.21, 3.0.1, 3.2.1, 2.2.20
A vulnerability has been identified in the Rack library, specifically in the Rack::Sendfile middleware, affecting 2.2.x releases before 2.2.20 (the fixed releases for the 3.x series are listed above). This information disclosure vulnerability arises when Rack is deployed behind a proxy server that supports x-sendfile style headers (X-Sendfile, X-Accel-Redirect and similar) but does not overwrite or strip those headers on incoming requests. Maliciously crafted request headers can make Rack emit an accelerated-redirect response that points the proxy at an internal location, circumventing proxy-level access controls. A fix is available in version 2.2.20.
The core of this vulnerability lies in how Rack::Sendfile obtains its configuration. The middleware reads the X-Sendfile-Type and X-Accel-Mapping headers, which are meant to be set by the proxy to tell Rack which acceleration header to emit and how to translate filesystem paths into proxy-internal URLs. When these headers arrive from an untrusted source (a client whose request the proxy forwards without overwriting them), Rack treats them as proxy configuration directives. An attacker can therefore choose both the redirect header and the path mapping, causing Rack to answer a file-serving request with a redirect header (for example x-accel-redirect) that points the proxy at an internal location the attacker would not otherwise be allowed to reach. The potential impact includes unauthorized access to sensitive files or internal services that are only reachable through the proxy. This is not remote code execution, but the ability to bypass proxy restrictions can significantly expand an attacker's reach within a network.
This vulnerability was publicly disclosed on 2025-10-10. There is currently no indication of active exploitation campaigns targeting this vulnerability, and no public proof-of-concept (PoC) code has been released. Exploitation requires a proxy that honours x-sendfile headers and forwards client-supplied X-Sendfile-Type or X-Accel-Mapping headers to Rack, which limits its applicability. Its severity is rated as medium.
Exploit Status
EPSS: 0.03% (10th percentile)
CISA SSVC: not listed
CVSS Vector: not listed
The primary mitigation for CVE-2025-61780 is to upgrade to a fixed Rack release: 2.2.20 or later on the 2.2.x line, or the corresponding fixed 3.x release listed above. If upgrading is not immediately feasible, configure the proxy so that the X-Sendfile-Type and X-Accel-Mapping request headers are always either overwritten with the proxy's own values or removed before the request reaches Rack; a web application firewall that can rewrite or drop these headers provides the same control at a different layer. Monitor proxy access logs for unexpected accelerated-redirect responses or requests that resolve to internal locations. After upgrading, confirm the fix by sending a request carrying client-chosen X-Sendfile-Type and X-Accel-Mapping headers directly to the Rack process (bypassing the proxy, which might otherwise mask the result) and verifying that the response does not carry a redirect header derived from those values.
Update the Rack gem to version 2.2.20 or higher (or the corresponding fixed 3.x release). Alternatively, configure your proxy to always set or remove the `x-sendfile-type` and `x-accel-mapping` headers before forwarding requests. In Rails applications, you can disable sendfile completely.
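As an added example (not Rack's code and not part of this advisory), the following Ruby middleware shows the same header-pinning control applied at the application layer, for deployments that cannot yet upgrade or cannot change the proxy: it sits in front of Rack::Sendfile and replaces any client-supplied X-Sendfile-Type / X-Accel-Mapping values with operator-configured ones, or strips them entirely to disable acceleration. It assumes, as the advisory describes, that unpatched Rack::Sendfile reads these directives from the request environment keys HTTP_X_SENDFILE_TYPE and HTTP_X_ACCEL_MAPPING; the mapping path, the echoing downstream app and the attacker request are constructed for the demonstration.

```ruby
# Added example, not Rack's own code. A Rack middleware that runs *before*
# Rack::Sendfile and replaces any client-supplied X-Sendfile-Type /
# X-Accel-Mapping headers with the values the operator configured, so an
# unpatched Rack::Sendfile (which, per the advisory, reads these headers from
# the request) only ever sees proxy-trusted directives.
# Assumption: the path values below are placeholders for your own deployment.

SENDFILE_TYPE_KEY = 'HTTP_X_SENDFILE_TYPE'  # Rack env key for X-Sendfile-Type
ACCEL_MAPPING_KEY = 'HTTP_X_ACCEL_MAPPING'  # Rack env key for X-Accel-Mapping

class PinSendfileHeaders
  # variation: the header your proxy actually honours ('X-Accel-Redirect',
  #            'X-Sendfile', ...). mapping: the "internal=external" string the
  #            proxy is configured with. Leave both nil to strip the headers,
  #            which disables acceleration entirely.
  def initialize(app, variation: nil, mapping: nil)
    @app, @variation, @mapping = app, variation, mapping
  end

  def call(env)
    # Whatever the client sent is discarded before Rack::Sendfile can read it.
    stripped = [env.delete(SENDFILE_TYPE_KEY), env.delete(ACCEL_MAPPING_KEY)].compact
    env['sendfile.client_headers_stripped'] = stripped # useful for logging/alerting
    env[SENDFILE_TYPE_KEY] = @variation if @variation
    env[ACCEL_MAPPING_KEY] = @mapping   if @mapping
    @app.call(env)
  end
end

# Stand-in for "Rack::Sendfile + application": reports the directives it would
# act on. Constructed for this demo; real Rack::Sendfile would turn them into
# the redirect header the proxy follows.
DOWNSTREAM = lambda do |env|
  [200, { 'content-type' => 'text/plain' },
   ["type=#{env[SENDFILE_TYPE_KEY]} mapping=#{env[ACCEL_MAPPING_KEY]}"]]
end

# Constructed attacker request: tries to turn a file response into an
# x-accel-redirect rooted at "/", sidestepping the proxy's own mapping.
def attacker_env(path = '/reports/q3.pdf')
  {
    'REQUEST_METHOD' => 'GET',
    'PATH_INFO' => path,
    SENDFILE_TYPE_KEY => 'X-Accel-Redirect',
    ACCEL_MAPPING_KEY => '/=/'
  }
end

# Returns the [type, mapping] pair the downstream stack ends up seeing.
def directives_seen(app, env)
  _status, _headers, body = app.call(env)
  body.join.match(/type=(\S*) mapping=(\S*)/).captures
end

# Vulnerable arrangement: nothing in front, so the attacker's headers arrive.
VULNERABLE = DOWNSTREAM
# Hardened: pin to the proxy's real configuration (placeholder values).
PINNED = PinSendfileHeaders.new(DOWNSTREAM,
                                variation: 'X-Accel-Redirect',
                                mapping: '/var/www/app/private/=/private-files/')
# Disabled: strip the headers so no sendfile variation is ever selected.
DISABLED = PinSendfileHeaders.new(DOWNSTREAM)

if __FILE__ == $0
  puts "vulnerable: #{directives_seen(VULNERABLE, attacker_env).inspect}"
  puts "pinned:     #{directives_seen(PINNED, attacker_env).inspect}"
  puts "disabled:   #{directives_seen(DISABLED, attacker_env).inspect}"
end
```

In a `config.ru`, `use PinSendfileHeaders, variation: ..., mapping: ...` has to appear before `use Rack::Sendfile` so that Rack::Sendfile only ever sees the pinned values. The client-supplied values left in `env['sendfile.client_headers_stripped']` are worth logging: a legitimate browser has no reason to send X-Sendfile-Type or X-Accel-Mapping, so their presence is a usable detection signal. This is a stopgap layered in front of the proxy-side fix, not a substitute for upgrading.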
CVE-2025-61780 is an information disclosure vulnerability in Rack::Sendfile affecting Rack versions before 2.2.20 (and 3.x releases before the fixed versions listed above). Client-supplied X-Sendfile-Type and X-Accel-Mapping headers can bypass proxy access controls, potentially exposing internal resources.
You are affected if you are using a Rack version earlier than 2.2.20 (or an unfixed 3.x release) and your application is deployed behind a proxy that honours x-sendfile headers and forwards client-supplied X-Sendfile-Type or X-Accel-Mapping headers to Rack.
Upgrade to Rack version 2.2.20 or later (or the corresponding fixed 3.x release) to resolve this vulnerability. As an interim measure, configure your proxy to always set or strip the X-Sendfile-Type and X-Accel-Mapping headers before forwarding requests.
There is currently no evidence of active exploitation campaigns targeting CVE-2025-61780.
Refer to the official Rack project website and security advisories for the latest information and updates regarding CVE-2025-61780.