Platform: ruby
Component: rack
Fixed versions: 2.2.23, 3.0.1, 3.2.1, 2.2.22
CVE-2026-25500 describes a client-side Cross-Site Scripting (XSS) vulnerability within the Ruby Rack::Directory component. This vulnerability arises when Rack generates HTML directory listings and a file with a basename starting with 'javascript:' is present. Clicking the resulting link executes arbitrary JavaScript in the context of the hosting application, potentially leading to session hijacking or defacement. The vulnerability affects Rack versions 2.2.9 and earlier, with a fix available in version 2.2.22.
An attacker can exploit this vulnerability by placing a specially crafted file (e.g., javascript:alert(1)) within a directory served by Rack::Directory. When a user navigates to the directory listing, clicking the link associated with this file will execute the embedded JavaScript. This allows the attacker to steal session cookies, redirect the user to a malicious website, or inject arbitrary content into the page. The impact is primarily client-side, but the consequences can be severe depending on the application's functionality and the user's privileges. The blast radius is limited to users accessing the affected directory listings, but the potential for widespread compromise exists if the application is publicly accessible.
CVE-2026-25500 was publicly disclosed on 2026-02-17. No public proof-of-concept exploits are currently known, but the vulnerability's simplicity suggests that one could be developed relatively easily. It is not currently listed on CISA KEV. The EPSS score is likely to be low to medium, given the lack of public exploits and the client-side nature of the vulnerability.
Applications built using Ruby and Rack that serve directory listings are at risk. This includes web applications that rely on Rack::Directory for generating HTML directory indexes. Shared hosting environments where users have the ability to upload files to a publicly accessible directory are particularly vulnerable.
• ruby / server:
find /path/to/ruby/app -name 'javascript:*' -type f
• generic web:
curl -s http://your-rack-app.com/directory/ | grep -i 'href' | grep -i 'javascript:'
Exploitation status
EPSS: 0.02% (6th percentile)
The primary mitigation for CVE-2026-25500 is to upgrade to Rack version 2.2.22 or later, which includes a fix for this vulnerability. If upgrading is not immediately feasible, consider implementing a workaround by sanitizing filenames before they are displayed in directory listings. This could involve filtering out filenames that begin with 'javascript:' or using a different method for generating directory listings. Web Application Firewalls (WAFs) configured to detect and block JavaScript injection attempts could also provide some protection. Regularly scan your Ruby applications for known vulnerabilities using tools like Bundler Audit.
Update the Rack gem to version 2.2.22 or later, 3.1.20 or later, or 3.2.5 or later. This fixes the stored Cross-Site Scripting (XSS) vulnerability in Rack::Directory. Run `gem update rack` to update to the latest secure version.
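The filename-sanitizing workaround described above, as an added example constructed for this page (not Rack's own code and not the upstream fix): a naive href beside a hardened one, a listing renderer that uses the hardened form, and a small audit helper for directories already being served. The function names, the scheme regex and the sample filenames are assumptions.

```ruby
require 'erb'

# Added, constructed example (not Rack's code or its fix): a minimal
# directory-listing renderer that never lets a basename reach the browser
# as a bare href, plus a scanner for basenames that look like a URI scheme.

# RFC 3986 scheme syntax: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
# Browsers ignore leading whitespace when parsing an href, so strip it first.
SCHEME_PREFIX = /\A[a-z][a-z0-9+.\-]*:/i

# True when a bare href made from this name would be parsed as scheme:...
# ("javascript:", "data:", "vbscript:", but also "c:" on Windows).
def scheme_prefixed?(name)
  SCHEME_PREFIX.match?(name.lstrip)
end

# What a naive listing does: the basename becomes the href verbatim, so
# "javascript:alert(1)" yields <a href="javascript:alert(1)">.
def naive_href(name)
  name
end

# Hardened form: percent-encode every byte outside the unreserved set and
# anchor the link to the current directory. The colon is now "%3A", so
# "javascript:alert(1)" becomes "./javascript%3Aalert%281%29", a plain
# relative path that the browser resolves against the listing URL.
def safe_href(name)
  "./#{ERB::Util.url_encode(name)}"
end

# Render one <ul> of links; link text is HTML-escaped separately from the href.
def render_listing(names)
  items = names.map do |n|
    %(<li><a href="#{safe_href(n)}">#{ERB::Util.html_escape(n)}</a></li>)
  end
  "<ul>\n#{items.join("\n")}\n</ul>"
end

# Defender-side audit: which basenames in a served directory would a naive
# renderer have emitted as scheme-prefixed links?
def flag_risky(names)
  names.select { |n| scheme_prefixed?(n) }
end

if $PROGRAM_NAME == __FILE__
  sample = ["report 2026.txt", "javascript:alert(1)"] # constructed input
  puts render_listing(sample)
  puts "risky: #{flag_risky(sample).inspect}"
end
```

Pass `Dir.children(served_dir)` to `flag_risky` to audit a directory that Rack::Directory is already exposing.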
CVE-2026-25500 is a client-side XSS vulnerability in Ruby's Rack::Directory component. It allows malicious filenames starting with 'javascript:' to execute arbitrary JavaScript when clicked in directory listings.
You are affected if you are using Rack version 2.2.9 or earlier and serve directory listings using Rack::Directory.
Upgrade to Rack version 2.2.22 or later to resolve the vulnerability. As a temporary workaround, sanitize filenames before displaying them in directory listings.
No active exploitation has been confirmed at this time, but the vulnerability's simplicity suggests it could be exploited.
Refer to the Ruby security advisory for CVE-2026-25500 for detailed information and updates: [https://ruby-sec.io/](https://ruby-sec.io/)