Platform: ruby
Component: rack
Fixed in: 2.2.23, 3.0.1, 3.2.1, 2.2.22
CVE-2026-25500 describes a Cross-Site Scripting (XSS) vulnerability in the Rack::Directory component of the Ruby Rack gem. Rack::Directory renders an HTML directory listing with one link per file; when a file whose basename begins with 'javascript:' is present, the generated link carries a javascript: URL, and a user who clicks it executes attacker-chosen JavaScript in the origin of the hosting application, with the usual consequences of session hijacking or page defacement. According to this page the fix for the 2.2 branch shipped in Rack 2.2.22 (fixed releases for the other branches are listed above).
To exploit it, an attacker needs a way to create a file whose name starts with 'javascript:' (for example javascript:alert(1)) inside a directory served by Rack::Directory: an upload feature, a shared or synced volume, or any other write path into that tree. When a user opens the directory listing and clicks that entry, the embedded JavaScript runs in the application's origin, so the attacker can read session cookies that are not HttpOnly, redirect the user to a malicious site, or rewrite page content. The impact is client-side and requires a click, but the consequences scale with what the victim is allowed to do in the application. The blast radius is limited to users who view the affected listing; a publicly reachable listing widens it to anyone the attacker can lure to the link.
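The mechanism above, as an added illustration that is not Rack's own code: a simplified listing renderer that builds the href from the raw basename (the vulnerable pattern), the same renderer with the href built as a percent-encoded path relative to the directory (one way to close the hole), a detector for javascript: hrefs in rendered HTML, and the filename filter the workaround section suggests. The file list is constructed sample input, and whether Rack builds the href exactly this way is an assumption made for the illustration.

```ruby
require 'erb'

# Constructed sample: basenames as they might appear in a directory served by
# Rack::Directory, including the malicious shape described in the advisory.
SAMPLE_ENTRIES = [
  'README.md',
  'javascript:alert(1)',
  'report 2026.pdf',
  'JAVASCRIPT:void(0)' # scheme matching is case-insensitive in browsers
].freeze

# Strip whitespace/control characters that browsers ignore inside a scheme and
# compare case-insensitively, so "java\tscript:" or "JAVASCRIPT:" are caught too.
def javascript_scheme?(str)
  str.gsub(/[\s\x00-\x1f]/, '').downcase.start_with?('javascript:')
end

# Vulnerable pattern (simplified illustration, assumed for this example, not
# Rack's actual code): the href is the raw basename, so a name beginning with
# "javascript:" becomes a javascript: URL when the link is clicked.
def listing_vulnerable(entries)
  entries.map { |name| %(<a href="#{name}">#{ERB::Util.html_escape(name)}</a>) }.join("\n")
end

# Hardened pattern: the href is always "./" + percent-encoded basename, i.e. a
# path relative to the listed directory. The "./" prefix means the browser parses
# "javascript" as a path segment rather than a scheme, and url_encode turns ":"
# into "%3A" anyway. The visible text is HTML-escaped as before.
def listing_hardened(entries)
  entries.map do |name|
    href = './' + ERB::Util.url_encode(name)
    %(<a href="#{href}">#{ERB::Util.html_escape(name)}</a>)
  end.join("\n")
end

# Detection over rendered HTML: return every href whose scheme is javascript:.
# Useful as a regression check on a listing endpoint's response body.
def javascript_hrefs(html)
  html.scan(/href="([^"]*)"/i).flatten.select { |href| javascript_scheme?(href) }
end

# Filesystem-side check for the workaround: basenames that would yield such links.
def risky_basenames(entries)
  entries.select { |name| javascript_scheme?(name) }
end

if __FILE__ == $PROGRAM_NAME
  puts "Vulnerable listing flags: #{javascript_hrefs(listing_vulnerable(SAMPLE_ENTRIES)).inspect}"
  puts "Hardened listing flags:   #{javascript_hrefs(listing_hardened(SAMPLE_ENTRIES)).inspect}"
  puts "Risky basenames on disk:  #{risky_basenames(SAMPLE_ENTRIES).inspect}"
end
```

The relative-path construction is the more robust of the two fixes because it does not depend on a blocklist of schemes; the basename filter is still worth running over existing trees, since a listing generated by an unpatched Rack already on disk is what users will see.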
CVE-2026-25500 was publicly disclosed on 2026-02-17. No public proof-of-concept exploit is known, although the bug is simple enough that writing one takes little effort. It is not listed on CISA KEV, and its EPSS score is 0.02% (6th percentile), i.e. very low, consistent with the absence of public exploits and the client-side, click-required nature of the flaw.
Exploit Status: no public proof-of-concept known; not listed on CISA KEV
EPSS: 0.02% (6th percentile)
CISA SSVC:
CVSS Vector:
The primary mitigation for CVE-2026-25500 is to upgrade Rack to a fixed release (2.2.22 or later on the 2.2 branch; see the fixed versions listed above for the 3.x branches). If upgrading is not immediately feasible: stop serving directory listings in production, which most applications never need, and serve known static files with Rack::Static or Rack::Files instead of mounting Rack::Directory; or, if listings are required, refuse or rename files whose basename begins with 'javascript:' (compare case-insensitively and after stripping whitespace and control characters, which browsers ignore inside a scheme) before rendering, and build each link's href as a percent-encoded path relative to the listed directory so a basename can never be interpreted as a URL scheme. A Content-Security-Policy whose script-src does not allow 'unsafe-inline' blocks navigation to javascript: URLs in modern browsers and so neutralizes this class of link. A WAF is of limited use here: the payload arrives via the filesystem, not the HTTP request, so request inspection only helps if the file is created through an HTTP upload the WAF can see. Scan your Ruby dependencies regularly with a tool such as bundler-audit (`bundle audit check --update`).
Update the Rack gem to 2.2.22 or higher, 3.1.20 or higher, or 3.2.5 or higher, whichever branch your application tracks, to close the stored Cross-Site Scripting (XSS) vulnerability in Rack::Directory. In a Bundler-managed application run `bundle update rack --conservative` so that Gemfile.lock is updated without pulling in unrelated upgrades; `gem update rack` on its own installs a newer gem but leaves the locked version in place. Confirm the version actually loaded with `bundle exec ruby -e 'require "rack"; puts Rack.release'`.
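An added version check (example code, not from Rack or from this page's tooling) that reads the locked rack version out of a Gemfile.lock and compares it, branch by branch, against the fixed releases named above using Gem::Version. The fixed-version table is taken from the remediation text on this page and should be confirmed against the advisory; the lockfile excerpt is constructed sample input; a branch the table does not cover reports :unknown rather than guessing.

```ruby
require 'rubygems' # Gem::Version; already loaded by default in modern Ruby

# Fixed versions per minor branch, copied from this page's remediation text.
# Assumption: confirm these against the upstream advisory before relying on them.
FIXED_BY_BRANCH = {
  '2.2' => Gem::Version.new('2.2.22'),
  '3.1' => Gem::Version.new('3.1.20'),
  '3.2' => Gem::Version.new('3.2.5')
}.freeze

# Constructed Gemfile.lock excerpt: a direct "rack (x.y.z)" spec line plus a
# dependency line ("rack (>= 1.3)", indented deeper) that must NOT be matched.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (2.2.9)
      rack-test (2.1.0)
        rack (>= 1.3)
LOCK

# Return the locked rack version string, or nil if rack is not in the lockfile.
# Spec lines sit at exactly four spaces of indentation; dependency lines use six,
# and "rack-test" is excluded because the pattern requires a space after "rack".
def rack_version_from_lockfile(text)
  m = text.match(/^ {4}rack \(([^)]+)\)$/)
  m && m[1]
end

# Classify a rack version: :fixed, :vulnerable, or :unknown when the minor
# branch is not in the table (e.g. 3.0.x here), which should prompt a manual check.
def rack_status(version_string, fixed = FIXED_BY_BRANCH)
  v = Gem::Version.new(version_string)
  branch = v.segments.first(2).join('.')
  fixed_at = fixed[branch]
  return :unknown unless fixed_at

  v >= fixed_at ? :fixed : :vulnerable
end

if __FILE__ == $PROGRAM_NAME
  path = ARGV[0]
  text = path ? File.read(path) : SAMPLE_LOCKFILE
  version = rack_version_from_lockfile(text)
  if version
    puts "rack #{version}: #{rack_status(version)}"
  else
    puts 'rack is not locked in this Gemfile.lock'
  end
end
```

Run it as `ruby check_rack.rb Gemfile.lock` against a real lockfile; Gem::Version orders prerelease tags correctly, so a locked `3.2.5.beta1` is reported as vulnerable because it precedes 3.2.5.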
CVE-2026-25500 is an XSS vulnerability in the Rack::Directory component of the Ruby Rack gem: a file whose name begins with 'javascript:' becomes a javascript: link in the generated directory listing, and clicking it executes attacker-chosen JavaScript in the application's origin.
You are affected if your application serves directory listings with Rack::Directory (directly, or through a framework that mounts it) on a Rack release older than the fixed version for your branch (2.2.22 on the 2.2 branch, per this page).
Upgrade to a fixed Rack release (2.2.22 or later on the 2.2 branch) to resolve the vulnerability. As a temporary workaround, stop serving directory listings, or reject filenames beginning with 'javascript:' before they are rendered.
No active exploitation has been confirmed at this time, but the vulnerability is simple enough that exploitation requires little effort.
Refer to the Ruby security advisory for CVE-2026-25500 for detailed information and updates: [https://ruby-sec.io/](https://ruby-sec.io/)