CVE-2026-25500
5.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Summary
Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, Rack::Directory generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename starts with the javascript: scheme (e.g. javascript:alert(1)), the generated index contains an anchor whose href is exactly javascript:alert(1). Clicking the entry executes JavaScript in the browser (demonstrated with alert(1)). Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| rack | rack | < 2.2.22 | affected |
| rack | rack | >= 3.0.0.beta1, < 3.1.20 | affected |
| rack | rack | >= 3.2.0, < 3.2.5 | affected |
Weaknesses
- CWE-79: CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
ADP Enrichment
CISA ADP Vulnrichment
- SSVC:
- Exploitation: none
- Automatable: no
- Technical Impact: partial
References
- https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp
- https://github.com/rack/rack/commit/f2f225f297b99fbee3d9f51255d41f601fc40aff
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.