FKIE_CVE-2026-22860

Vulnerability from fkie_nvd - Published: 2026-02-18 19:21 - Updated: 2026-02-19 18:27
Severity ?
7.5 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Summary
Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`’s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.
References
security-advisories@github.comhttps://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7Patch
security-advisories@github.comhttps://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mhExploit, Mitigation, Vendor Advisory
Impacted products
Vendor Product Version
rack rack *
rack rack *
rack rack *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "58D73D7A-523C-4472-9322-87B5E7A785CA",
              "versionEndExcluding": "2.2.22",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "76491EC1-2EA1-492E-97B2-2427EDFB0E07",
              "versionEndExcluding": "3.1.20",
              "versionStartIncluding": "3.0.0",
              "vulnerable": true
            },
            {
              "criteria": "cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*",
              "matchCriteriaId": "653A4AF6-055E-46F2-992E-C6624BBF8A25",
              "versionEndExcluding": "3.2.5",
              "versionStartIncluding": "3.2.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory`\u2019s path check used a string prefix match on the expanded path. A request like `/../root_example/` can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root. Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue."
    },
    {
      "lang": "es",
      "value": "Rack es una interfaz modular de servidor web Ruby. Antes de las versiones 2.2.22, 3.1.20 y 3.2.5, la verificaci\u00f3n de ruta de \u0027Rack::Directory\u0027 utilizaba una coincidencia de prefijo de cadena en la ruta expandida. Una solicitud como \u0027/../root_example/\u0027 puede escapar de la ra\u00edz configurada si la ruta de destino comienza con la cadena ra\u00edz, permitiendo la enumeraci\u00f3n de directorios fuera de la ra\u00edz prevista. Las versiones 2.2.22, 3.1.20 y 3.2.5 solucionan el problema."
    }
  ],
  "id": "CVE-2026-22860",
  "lastModified": "2026-02-19T18:27:09.117",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 7.5,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "NONE",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 3.6,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-18T19:21:43.933",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Patch"
      ],
      "url": "https://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Exploit",
        "Mitigation",
        "Vendor Advisory"
      ],
      "url": "https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-22"
        },
        {
          "lang": "en",
          "value": "CWE-548"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.