GHSA-7MQQ-6CF9-V2QP
Vulnerability from github – Published: 2026-04-02 20:32 – Updated: 2026-04-02 20:32Summary
Rack::Directory interpolates the configured root path directly into a regular expression when deriving the displayed directory path. If root contains regex metacharacters such as +, *, or ., the prefix stripping can fail and the generated directory listing may expose the full filesystem path in the HTML output.
Details
Rack::Directory::DirectoryBody#each computes the visible path using code equivalent to:
show_path = Utils.escape_html(path.sub(/\A#{root}/, ''))
Here, root is a developer-configured filesystem path. It is normalized earlier with File.expand_path(root) and then inserted directly into a regular expression without escaping.
Because the value is treated as regex syntax rather than as a literal string, metacharacters in the configured path can change how the prefix match behaves. When that happens, the expected root prefix is not removed from path, and the absolute filesystem path is rendered into the HTML directory listing.
Impact
If Rack::Directory is configured to serve a directory whose absolute path contains regex metacharacters, the generated directory listing may disclose the full server filesystem path instead of only the request-relative path.
This can expose internal deployment details such as directory layout, usernames, mount points, or naming conventions that would otherwise not be visible to clients.
Mitigation
- Update to a patched version of Rack in which the root prefix is removed using an escaped regular expression.
- Avoid using
Rack::Directorywith a root path that contains regular expression metacharacters.
{
"affected": [
{
"package": {
"ecosystem": "RubyGems",
"name": "rack"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.23"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "rack"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0.beta1"
},
{
"fixed": "3.1.21"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "RubyGems",
"name": "rack"
},
"ranges": [
{
"events": [
{
"introduced": "3.2.0"
},
{
"fixed": "3.2.6"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34763"
],
"database_specific": {
"cwe_ids": [
"CWE-625"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-02T20:32:42Z",
"nvd_published_at": "2026-04-02T17:16:24Z",
"severity": "MODERATE"
},
"details": "## Summary\n\n`Rack::Directory` interpolates the configured `root` path directly into a regular expression when deriving the displayed directory path. If `root` contains regex metacharacters such as `+`, `*`, or `.`, the prefix stripping can fail and the generated directory listing may expose the full filesystem path in the HTML output.\n\n## Details\n\n`Rack::Directory::DirectoryBody#each` computes the visible path using code equivalent to:\n\n```ruby\nshow_path = Utils.escape_html(path.sub(/\\A#{root}/, \u0027\u0027))\n```\n\nHere, `root` is a developer-configured filesystem path. It is normalized earlier with `File.expand_path(root)` and then inserted directly into a regular expression without escaping.\n\nBecause the value is treated as regex syntax rather than as a literal string, metacharacters in the configured path can change how the prefix match behaves. When that happens, the expected root prefix is not removed from `path`, and the absolute filesystem path is rendered into the HTML directory listing.\n\n## Impact\n\nIf `Rack::Directory` is configured to serve a directory whose absolute path contains regex metacharacters, the generated directory listing may disclose the full server filesystem path instead of only the request-relative path.\n\nThis can expose internal deployment details such as directory layout, usernames, mount points, or naming conventions that would otherwise not be visible to clients.\n\n## Mitigation\n\n* Update to a patched version of Rack in which the root prefix is removed using an escaped regular expression.\n* Avoid using `Rack::Directory` with a root path that contains regular expression metacharacters.",
"id": "GHSA-7mqq-6cf9-v2qp",
"modified": "2026-04-02T20:32:42Z",
"published": "2026-04-02T20:32:42Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/rack/rack/security/advisories/GHSA-7mqq-6cf9-v2qp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34763"
},
{
"type": "PACKAGE",
"url": "https://github.com/rack/rack"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Rack has a root directory disclosure via unescaped regex interpolation in Rack::Directory"
}
Sightings
| Author | Source | Type | Date |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.