Platform: ruby
Component: rack
Fixed in: 2.2.24, 3.0.1, 3.2.1, 2.2.23
CVE-2026-34785 describes an information disclosure vulnerability in the Rack::Static component of the Ruby rack library. The flaw stems from an insufficient check when deciding whether a request should be served as a static file, which can expose sensitive files under the static root. Versions of rack prior to 2.2.23 are affected, and a fix has been released. An attacker can use the flaw to retrieve files that were never meant to be served.
The vulnerability lies in how Rack::Static matches request paths against configured URL prefixes. If a file's name shares a prefix with a configured URL (e.g., /css and a file named /css-config.env), it may be unintentionally served. This can lead to the exposure of sensitive configuration files, database backups, or other confidential data. The potential impact is significant, as an attacker could gain access to critical application data without authentication. The blast radius extends to any application utilizing Rack::Static for serving static assets, particularly those with poorly configured static root directories or sensitive files named with common prefixes.
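The following is an added illustrative example, not Rack's own source code: a simplified model of the "does this request fall under a configured static URL prefix?" decision, showing a raw string-prefix check beside a boundary-aware one. The prefixes (/css, /images) and the sample request paths are constructed for the demonstration; `strict_can_serve?`, `safe_can_serve?` and `normalized` are hypothetical helper names, not Rack API.

```ruby
# Added illustrative example (not Rack's own source): a minimal model of the
# "is this request a static asset?" decision, contrasting a naive prefix test
# with a boundary-aware one.

# Assumed configuration: static assets are served under these URL prefixes.
STATIC_URLS = ["/css", "/images"].freeze

# Naive check: a raw string-prefix test. "/css-config.env" starts with "/css",
# so it is treated as a static asset even though it is not under /css/.
def naive_can_serve?(path, urls = STATIC_URLS)
  urls.any? { |url| path.start_with?(url) }
end

# Boundary-aware check: the prefix must be the whole path or be followed by
# "/", so only paths genuinely inside the configured directory match.
def strict_can_serve?(path, urls = STATIC_URLS)
  urls.any? do |url|
    url = url.chomp("/")
    path == url || path.start_with?("#{url}/")
  end
end

# Collapse "." and ".." segments before deciding; a path such as
# "/css/../secrets.yml" also leaves the intended directory. Returns nil when
# the path tries to climb above the root.
def normalized(path)
  segments = []
  path.split("/").each do |seg|
    next if seg.empty? || seg == "."
    if seg == ".."
      return nil if segments.empty?
      segments.pop
    else
      segments << seg
    end
  end
  "/" + segments.join("/")
end

def safe_can_serve?(path, urls = STATIC_URLS)
  norm = normalized(path)
  return false if norm.nil?
  strict_can_serve?(norm, urls)
end

# Constructed sample requests illustrating the difference.
SAMPLE_PATHS = [
  "/css/app.css",        # legitimate asset
  "/css-config.env",     # shares the "/css" prefix only as a string
  "/images/logo.png",    # legitimate asset
  "/imagesdump.sql",     # prefix collision with "/images"
  "/css/../secrets.yml", # traversal out of the asset directory
].freeze

# Returns [path, naive_decision, safe_decision] for each sample path.
def compare(paths = SAMPLE_PATHS)
  paths.map { |p| [p, naive_can_serve?(p), safe_can_serve?(p)] }
end

if __FILE__ == $PROGRAM_NAME
  compare.each do |path, naive, safe|
    puts format("%-22s naive=%-5s safe=%s", path, naive, safe)
  end
end
```

Running the file prints one line per sample path; the two collision cases and the traversal case are accepted by the naive check and rejected by the boundary-aware one, which is the class of mistake the advisory describes.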
CVE-2026-34785 was publicly disclosed on April 2, 2026. There is currently no indication of active exploitation or a KEV listing. Public proof-of-concept code is not yet available, but the vulnerability's simplicity suggests it could be easily exploited. The CVSS score of 7.5 (HIGH) reflects the potential for significant data exposure.
Applications built with Ruby on Rails or other Ruby frameworks that rely on the rack library for serving static assets are at risk. This includes web applications deployed on cloud platforms, containerized environments, and legacy systems using older versions of rack. Shared hosting environments where the rack library is managed at the server level are also particularly vulnerable.
• ruby / server:
  grep -rn --include='*.rb' --include='config.ru' "Rack::Static" /path/to/your/app
• ruby / server:
  journalctl -u your_ruby_app | grep -i "Rack::Static"
• generic web:
  Use a web proxy or browser developer tools to attempt accessing files under the static root with crafted URLs (e.g., /css-config.env).
• generic web:
  Review access logs for requests to unusual files within the static root directory.
EPSS: 0.04% (12th percentile)
The primary mitigation is to upgrade to version 2.2.23 or later of the rack library. This version includes a fix that addresses the flawed prefix check. If upgrading is not immediately feasible, consider implementing a WAF rule to block requests for files with suspicious names or extensions within the static root directory. Additionally, review your application's static root directory and rename any sensitive files to avoid sharing prefixes with configured URL routes. After upgrading, confirm the fix by attempting to access a file that previously triggered the vulnerability using a crafted URL.
Update the Rack gem to version 2.2.23, 3.1.21 or 3.2.6, or a later version. This fixes the local file inclusion vulnerability in `Rack::Static` caused by URL prefix matching. Run `bundle update rack` to update the gem in your project.
CVE-2026-34785 is a HIGH severity vulnerability in Ruby Rack versions ≤2.2.9 where a flawed prefix check can lead to unintended file exposure.
If you are using Ruby Rack versions 2.2.9 or earlier, you are potentially affected. Check your application's dependencies to confirm.
Upgrade to version 2.2.23 or later of the rack library. This resolves the flawed prefix check.
There is currently no evidence of active exploitation, but the vulnerability's simplicity suggests it could be easily exploited.
Refer to the Ruby Rack project's official website and security advisories for the latest information: https://rack.rubyforge.org/