EUVD-2026-18382
GHSA-h2jq-g4cq-5ppq
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
4Description
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path that begins with that string, including unrelated paths such as "/css-config.env" or "/css-backup.sql". As a result, files under the static root whose names merely share the configured prefix may be served unintentionally, leading to information disclosure. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.
Analysis
Information disclosure in Rack web server interface (versions <2.2.23, <3.1.21, <3.2.6) allows unauthenticated remote attackers to access sensitive files due to flawed prefix matching in Rack::Static. The vulnerability enables access to unintended files sharing configured URL prefixes (e.g., '/css' matching '/css-backup.sql'), exposing configuration files, database backups, or environment variables. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Inventory all Rack installations and identify versions below 2.2.23, 3.1.21, and 3.2.6; assess which applications use Rack::Static with overlapping URL prefixes. Within 7 days: Implement compensating controls (see below) and begin upgrade planning to Rack 2.2.23, 3.1.21, or 3.2.6 or later depending on your version line. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today