Skip to main content

Rack

33 CVEs product

Monthly

CVE-2026-34829 Ruby HIGH PATCH GHSA This Week

Unbounded disk consumption in Rack's multipart parser allows remote denial of service when HTTP requests lack Content-Length headers. Rack versions prior to 2.2.23, 3.1.21, and 3.2.6 fail to enforce size limits on multipart/form-data uploads sent via chunked transfer encoding, enabling unauthenticated attackers to exhaust disk space by streaming arbitrarily large file uploads. CVSS 7.5 (High) reflects the network-accessible, low-complexity attack requiring no privileges. No public exploit identified at time of analysis, though the attack technique is well-understood.

Denial Of Service File Upload Rack
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-34785 Ruby HIGH PATCH GHSA This Week

Information disclosure in Rack web server interface (versions <2.2.23, <3.1.21, <3.2.6) allows unauthenticated remote attackers to access sensitive files due to flawed prefix matching in Rack::Static. The vulnerability enables access to unintended files sharing configured URL prefixes (e.g., '/css' matching '/css-backup.sql'), exposing configuration files, database backups, or environment variables. CVSS 7.5 (High) with network vector and no complexity. No public exploit identified at time of analysis.

Information Disclosure Rack
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-26961 Ruby LOW PATCH GHSA Monitor

Rack's multipart form data parser uses a greedy regular expression that selects the last boundary parameter from a Content-Type header instead of the first, allowing request smuggling when upstream proxies or WAFs interpret the first boundary. This mismatch enables attackers to bypass upstream inspection by crafting multipart requests with duplicate boundary declarations, causing Rack to parse a different body structure than the intermediary validated. Affected versions are Rack prior to 2.2.23, 3.1.21, and 3.2.6; patches are available for all three release branches.

Information Disclosure Rack
NVD GitHub VulDB
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-26962 Ruby MEDIUM PATCH GHSA This Month

Rack versions 3.2.0 through 3.2.5 fail to properly unfold folded multipart headers containing obs-fold sequences, preserving embedded CRLF characters in parsed parameter values like filename and name. This allows unauthenticated remote attackers with high request complexity to inject HTTP response headers or split responses when applications reuse these parsed values, leading to potential session hijacking, cache poisoning, or credential theft. The vulnerability carries a moderate CVSS score of

Code Injection Rack
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-34827 Ruby HIGH PATCH GHSA This Week

Denial of service via algorithmic complexity in Rack multipart parser allows unauthenticated remote attackers to exhaust CPU resources by sending specially crafted multipart/form-data requests with backslash-heavy escaped parameter values. Affects Rack 3.0.0.beta1-3.1.20 and 3.2.0-3.2.5, a critical Ruby web server interface used across Rails and Sinatra applications. CVSS 7.5 (High) with network-accessible attack vector and low complexity. Vendor-released patches available in versions 3.1.21 and 3.2.6. No public exploit identified at time of analysis, though EPSS data not provided to assess probability of exploitation.

Denial Of Service Rack
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-32762 Ruby MEDIUM PATCH GHSA This Month

Rack::Utils.forwarded_values in Rack 3.0.0.beta1 through 3.1.20 and 3.2.0 through 3.2.5 misparses RFC 7239 Forwarded headers by splitting on semicolons before processing quoted strings, allowing attackers to inject or smuggle host, proto, for, or by parameters when an upstream proxy or WAF interprets the same header differently. The vulnerability affects request routing and protocol detection logic, enabling potential cache poisoning, host header injection, or protocol confusion attacks in architectures where intermediaries validate quoted Forwarded values inconsistently. No public exploit code or active exploitation has been confirmed at the time of analysis.

Information Disclosure Rack
NVD GitHub VulDB
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-25500 Ruby MEDIUM POC PATCH This Month

Rack's Directory module fails to sanitize filenames when generating HTML directory listings, allowing attackers to craft files with javascript: scheme names that execute arbitrary code when clicked. Authenticated users or those with access to directories containing maliciously named files can trigger stored XSS attacks affecting other users viewing the directory index. Public exploit code exists for versions prior to 2.2.22, 3.1.20, and 3.2.5.

Ruby Rack Red Hat Suse
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-22860 Ruby HIGH POC PATCH This Week

Directory traversal in Rack versions prior to 2.2.22, 3.1.20, and 3.2.5 allows unauthenticated remote attackers to list directories outside the configured root by exploiting a string prefix matching flaw in path validation. An attacker can craft requests with path traversal sequences to enumerate sensitive directories if the target path shares a common prefix with the configured root directory. Public exploit code exists for this vulnerability.

Rack Path Traversal
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-59830 Ruby HIGH PATCH This Week

Rack is a modular Ruby web server interface. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Rack Red Hat Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-49007 Ruby MEDIUM PATCH This Month

Rack is a modular Ruby web server interface. Starting in version 3.1.0 and prior to version 3.1.16, there is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This is very similar to the previous security issue CVE-2022-44571. Carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is used typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted. Version 3.1.16 contains a patch for the vulnerability.

Denial Of Service Ubuntu Debian Rack Red Hat +1
NVD GitHub
CVSS 3.1
5.3
EPSS
0.2%
CVE-2025-46727 Ruby HIGH PATCH This Week

Rack is a modular Ruby web server interface. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Nginx Denial Of Service Rack Red Hat Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.8%
CVE-2025-32441 Ruby MEDIUM PATCH This Month

Rack is a modular Ruby web server interface. Rated medium severity (CVSS 4.2), this vulnerability is remotely exploitable.

Information Disclosure Race Condition Rack Red Hat Suse
NVD GitHub
CVSS 3.1
4.2
EPSS
0.1%
CVE-2025-27111 Ruby MEDIUM PATCH This Month

Rack is a modular Ruby web server interface. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Code Injection Rack Red Hat Suse
NVD GitHub
CVSS 4.0
6.9
EPSS
0.4%
CVE-2025-25184 Ruby MEDIUM POC PATCH This Month

Rack provides an interface for developing web applications in Ruby. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Code Injection Rack Red Hat Suse
NVD GitHub
CVSS 4.0
5.7
EPSS
1.1%
CVE-2023-27539 Ruby MEDIUM PATCH This Month

There is a denial of service vulnerability in the header parsing component of Rack. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Rack Debian Linux Red Hat Suse
NVD GitHub
CVSS 3.1
5.3
EPSS
0.3%
CVE-2024-39316 Ruby MEDIUM PATCH This Month

Rack is a modular Ruby web server interface. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Rack
NVD GitHub
CVSS 3.1
6.5
EPSS
0.9%
CVE-2024-26146 Ruby HIGH PATCH This Week

Rack is a modular Ruby web server interface. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Rack Debian Linux
NVD GitHub
CVSS 3.1
7.5
EPSS
2.0%
CVE-2024-26141 Ruby HIGH POC PATCH This Week

Rack is a modular Ruby web server interface. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Rack Debian Linux
NVD GitHub
CVSS 3.1
7.5
EPSS
1.6%
CVE-2024-25126 Ruby HIGH POC PATCH THREAT This Week

Rack is a modular Ruby web server interface. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Rack Debian Linux
NVD GitHub
CVSS 3.1
7.5
EPSS
35.4%
CVE-2023-27530 Ruby HIGH PATCH This Week

A DoS vulnerability exists in Rack <v3.0.4.2, <v2.2.6.3, <v2.1.4.3 and <v2.0.9.3 within in the Multipart MIME parsing code in which could allow an attacker to craft requests that can be abuse to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Rack Debian Linux
NVD
CVSS 3.1
7.5
EPSS
1.8%
CVE-2022-30123 Ruby CRITICAL PATCH Act Now

A sequence injection vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 which could allow is a possible shell escape in the Lint and CommonLogger components of Rack. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Rack Debian Linux
NVD
CVSS 3.1
10.0
EPSS
1.8%
CVE-2022-30122 Ruby HIGH PATCH This Week

A possible denial of service vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 in the multipart parsing component of Rack. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Rack Debian Linux
NVD
CVSS 3.1
7.5
EPSS
2.1%
CVE-2020-8161 Ruby HIGH PATCH This Week

A directory traversal vulnerability exists in rack < 2.2.0 that allows an attacker perform directory traversal vulnerability in the Rack::Directory app that is bundled with Rack which could result in. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Path Traversal Rack Debian Linux Ubuntu Linux
NVD
CVSS 3.1
8.6
EPSS
3.6%
CVE-2020-8184 Ruby HIGH POC PATCH This Week

A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it is possible for an attacker to forge a secure or host-only cookie. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Rack Debian Linux Ubuntu Linux
NVD
CVSS 3.1
7.5
EPSS
2.9%
CVE-2019-16782 Ruby MEDIUM PATCH This Month

There's a possible information leak / session hijack vulnerability in Rack (RubyGem rack). Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Rack Fedora Leap
NVD GitHub
CVSS 3.1
5.9
EPSS
3.7%
CVE-2018-16471 Ruby MEDIUM PATCH This Month

There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Rack Debian Linux
NVD
CVSS 3.0
6.1
EPSS
1.8%
CVE-2018-16470 Ruby HIGH PATCH This Week

There is a possible DoS vulnerability in the multipart parser in Rack before 2.0.6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Rack
NVD
CVSS 3.0
7.5
EPSS
2.0%
CVE-2015-3225 Ruby MEDIUM PATCH This Month

lib/rack/utils.rb in Rack before 1.5.4 and 1.6.x before 1.6.2, as used with Ruby on Rails 3.x and 4.x and other products, allows remote attackers to cause a denial of service (SystemStackError) via a. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 13.3%.

Denial Of Service Rack Opensuse Debian Linux
NVD GitHub
CVSS 2.0
5.0
EPSS
13.3%
CVE-2013-0184 Ruby MEDIUM PATCH This Month

Unspecified vulnerability in Rack::Auth::AbstractRequest in Rack 1.1.x before 1.1.5, 1.2.x before 1.2.7, 1.3.x before 1.3.9, and 1.4.x before 1.4.4 allows remote attackers to cause a denial of. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Denial Of Service Rack
NVD
CVSS 2.0
4.3
EPSS
0.7%
CVE-2013-0183 Ruby MEDIUM PATCH This Month

multipart/parser.rb in Rack 1.3.x before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to cause a denial of service (memory consumption and out-of-memory error) via a long string in a. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.

Buffer Overflow Denial Of Service Rack
NVD GitHub
CVSS 2.0
5.0
EPSS
1.8%
CVE-2012-6109 Ruby MEDIUM PATCH This Month

lib/rack/multipart.rb in Rack before 1.1.4, 1.2.x before 1.2.6, 1.3.x before 1.3.7, and 1.4.x before 1.4.2 uses an incorrect regular expression, which allows remote attackers to cause a denial of. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Denial Of Service Rack
NVD GitHub
CVSS 2.0
4.3
EPSS
0.8%
CVE-2013-0263 Ruby MEDIUM PATCH This Month

Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable. Epss exploitation probability 16.1%.

RCE Rack
NVD GitHub
CVSS 2.0
5.1
EPSS
16.1%
CVE-2013-0262 Ruby MEDIUM PATCH This Month

rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before 1.4.5 allows attackers to access arbitrary files outside the intended root directory via a crafted PATH_INFO environment. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Rack
NVD GitHub
CVSS 2.0
4.3
EPSS
1.3%
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Unbounded disk consumption in Rack's multipart parser allows remote denial of service when HTTP requests lack Content-Length headers. Rack versions prior to 2.2.23, 3.1.21, and 3.2.6 fail to enforce size limits on multipart/form-data uploads sent via chunked transfer encoding, enabling unauthenticated attackers to exhaust disk space by streaming arbitrarily large file uploads. CVSS 7.5 (High) reflects the network-accessible, low-complexity attack requiring no privileges. No public exploit identified at time of analysis, though the attack technique is well-understood.

Denial Of Service File Upload Rack
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Information disclosure in Rack web server interface (versions <2.2.23, <3.1.21, <3.2.6) allows unauthenticated remote attackers to access sensitive files due to flawed prefix matching in Rack::Static. The vulnerability enables access to unintended files sharing configured URL prefixes (e.g., '/css' matching '/css-backup.sql'), exposing configuration files, database backups, or environment variables. CVSS 7.5 (High) with network vector and no complexity. No public exploit identified at time of analysis.

Information Disclosure Rack
NVD GitHub VulDB
EPSS 0% CVSS 3.7
LOW PATCH Monitor

Rack's multipart form data parser uses a greedy regular expression that selects the last boundary parameter from a Content-Type header instead of the first, allowing request smuggling when upstream proxies or WAFs interpret the first boundary. This mismatch enables attackers to bypass upstream inspection by crafting multipart requests with duplicate boundary declarations, causing Rack to parse a different body structure than the intermediary validated. Affected versions are Rack prior to 2.2.23, 3.1.21, and 3.2.6; patches are available for all three release branches.

Information Disclosure Rack
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Rack versions 3.2.0 through 3.2.5 fail to properly unfold folded multipart headers containing obs-fold sequences, preserving embedded CRLF characters in parsed parameter values like filename and name. This allows unauthenticated remote attackers with high request complexity to inject HTTP response headers or split responses when applications reuse these parsed values, leading to potential session hijacking, cache poisoning, or credential theft. The vulnerability carries a moderate CVSS score of

Code Injection Rack
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Denial of service via algorithmic complexity in Rack multipart parser allows unauthenticated remote attackers to exhaust CPU resources by sending specially crafted multipart/form-data requests with backslash-heavy escaped parameter values. Affects Rack 3.0.0.beta1-3.1.20 and 3.2.0-3.2.5, a critical Ruby web server interface used across Rails and Sinatra applications. CVSS 7.5 (High) with network-accessible attack vector and low complexity. Vendor-released patches available in versions 3.1.21 and 3.2.6. No public exploit identified at time of analysis, though EPSS data not provided to assess probability of exploitation.

Denial Of Service Rack
NVD GitHub VulDB
EPSS 0% CVSS 4.8
MEDIUM PATCH This Month

Rack::Utils.forwarded_values in Rack 3.0.0.beta1 through 3.1.20 and 3.2.0 through 3.2.5 misparses RFC 7239 Forwarded headers by splitting on semicolons before processing quoted strings, allowing attackers to inject or smuggle host, proto, for, or by parameters when an upstream proxy or WAF interprets the same header differently. The vulnerability affects request routing and protocol detection logic, enabling potential cache poisoning, host header injection, or protocol confusion attacks in architectures where intermediaries validate quoted Forwarded values inconsistently. No public exploit code or active exploitation has been confirmed at the time of analysis.

Information Disclosure Rack
NVD GitHub VulDB
EPSS 0% CVSS 5.4
MEDIUM POC PATCH This Month

Rack's Directory module fails to sanitize filenames when generating HTML directory listings, allowing attackers to craft files with javascript: scheme names that execute arbitrary code when clicked. Authenticated users or those with access to directories containing maliciously named files can trigger stored XSS attacks affecting other users viewing the directory index. Public exploit code exists for versions prior to 2.2.22, 3.1.20, and 3.2.5.

Ruby Rack Red Hat +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH POC PATCH This Week

Directory traversal in Rack versions prior to 2.2.22, 3.1.20, and 3.2.5 allows unauthenticated remote attackers to list directories outside the configured root by exploiting a string prefix matching flaw in path validation. An attacker can craft requests with path traversal sequences to enumerate sensitive directories if the target path shares a common prefix with the configured root directory. Public exploit code exists for this vulnerability.

Rack Path Traversal
NVD GitHub VulDB
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Rack is a modular Ruby web server interface. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Rack Red Hat +1
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

Rack is a modular Ruby web server interface. Starting in version 3.1.0 and prior to version 3.1.16, there is a denial of service vulnerability in the Content-Disposition parsing component of Rack. This is very similar to the previous security issue CVE-2022-44571. Carefully crafted input can cause Content-Disposition header parsing in Rack to take an unexpected amount of time, possibly resulting in a denial of service attack vector. This header is used typically used in multipart parsing. Any applications that parse multipart posts using Rack (virtually all Rails applications) are impacted. Version 3.1.16 contains a patch for the vulnerability.

Denial Of Service Ubuntu Debian +3
NVD GitHub
EPSS 1% CVSS 7.5
HIGH PATCH This Week

Rack is a modular Ruby web server interface. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Nginx Denial Of Service Rack +2
NVD GitHub
EPSS 0% CVSS 4.2
MEDIUM PATCH This Month

Rack is a modular Ruby web server interface. Rated medium severity (CVSS 4.2), this vulnerability is remotely exploitable.

Information Disclosure Race Condition Rack +2
NVD GitHub
EPSS 0% CVSS 6.9
MEDIUM PATCH This Month

Rack is a modular Ruby web server interface. Rated medium severity (CVSS 6.9), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Code Injection Rack Red Hat +1
NVD GitHub
EPSS 1% CVSS 5.7
MEDIUM POC PATCH This Month

Rack provides an interface for developing web applications in Ruby. Rated medium severity (CVSS 5.7), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Code Injection Rack Red Hat +1
NVD GitHub
EPSS 0% CVSS 5.3
MEDIUM PATCH This Month

There is a denial of service vulnerability in the header parsing component of Rack. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Rack Debian Linux +2
NVD GitHub
EPSS 1% CVSS 6.5
MEDIUM PATCH This Month

Rack is a modular Ruby web server interface. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity.

Denial Of Service Rack
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

Rack is a modular Ruby web server interface. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Denial Of Service Rack Debian Linux
NVD GitHub
EPSS 2% CVSS 7.5
HIGH POC PATCH This Week

Rack is a modular Ruby web server interface. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Rack Debian Linux
NVD GitHub
EPSS 35% CVSS 7.5
HIGH POC PATCH THREAT This Week

Rack is a modular Ruby web server interface. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Denial Of Service Rack Debian Linux
NVD GitHub
EPSS 2% CVSS 7.5
HIGH PATCH This Week

A DoS vulnerability exists in Rack <v3.0.4.2, <v2.2.6.3, <v2.1.4.3 and <v2.0.9.3 within in the Multipart MIME parsing code in which could allow an attacker to craft requests that can be abuse to. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This Uncontrolled Resource Consumption vulnerability could allow attackers to cause denial of service by exhausting system resources.

Denial Of Service Rack Debian Linux
NVD
EPSS 2% CVSS 10.0
CRITICAL PATCH Act Now

A sequence injection vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 which could allow is a possible shell escape in the Lint and CommonLogger components of Rack. Rated critical severity (CVSS 10.0), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Code Injection Rack Debian Linux
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

A possible denial of service vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 in the multipart parsing component of Rack. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Rack Debian Linux
NVD
EPSS 4% CVSS 8.6
HIGH PATCH This Week

A directory traversal vulnerability exists in rack < 2.2.0 that allows an attacker perform directory traversal vulnerability in the Rack::Directory app that is bundled with Rack which could result in. Rated high severity (CVSS 8.6), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Information Disclosure Path Traversal Rack +2
NVD
EPSS 3% CVSS 7.5
HIGH POC PATCH This Week

A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it is possible for an attacker to forge a secure or host-only cookie. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available.

Information Disclosure Rack Debian Linux +1
NVD
EPSS 4% CVSS 5.9
MEDIUM PATCH This Month

There's a possible information leak / session hijack vulnerability in Rack (RubyGem rack). Rated medium severity (CVSS 5.9), this vulnerability is remotely exploitable, no authentication required.

Information Disclosure Rack Fedora +1
NVD GitHub
EPSS 2% CVSS 6.1
MEDIUM PATCH This Month

There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11. Rated medium severity (CVSS 6.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

XSS Rack Debian Linux
NVD
EPSS 2% CVSS 7.5
HIGH PATCH This Week

There is a possible DoS vulnerability in the multipart parser in Rack before 2.0.6. Rated high severity (CVSS 7.5), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Denial Of Service Rack
NVD
EPSS 13% CVSS 5.0
MEDIUM PATCH This Month

lib/rack/utils.rb in Rack before 1.5.4 and 1.6.x before 1.6.2, as used with Ruby on Rails 3.x and 4.x and other products, allows remote attackers to cause a denial of service (SystemStackError) via a. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. Epss exploitation probability 13.3%.

Denial Of Service Rack Opensuse +1
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

Unspecified vulnerability in Rack::Auth::AbstractRequest in Rack 1.1.x before 1.1.5, 1.2.x before 1.2.7, 1.3.x before 1.3.9, and 1.4.x before 1.4.4 allows remote attackers to cause a denial of. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Denial Of Service Rack
NVD
EPSS 2% CVSS 5.0
MEDIUM PATCH This Month

multipart/parser.rb in Rack 1.3.x before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to cause a denial of service (memory consumption and out-of-memory error) via a long string in a. Rated medium severity (CVSS 5.0), this vulnerability is remotely exploitable, low attack complexity. This Buffer Overflow vulnerability could allow attackers to corrupt memory to execute arbitrary code or crash the application.

Buffer Overflow Denial Of Service Rack
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

lib/rack/multipart.rb in Rack before 1.1.4, 1.2.x before 1.2.6, 1.3.x before 1.3.7, and 1.4.x before 1.4.2 uses an incorrect regular expression, which allows remote attackers to cause a denial of. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable.

Denial Of Service Rack
NVD GitHub
EPSS 16% CVSS 5.1
MEDIUM PATCH This Month

Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.1.6 allows remote attackers to guess the session cookie, gain. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable. Epss exploitation probability 16.1%.

RCE Rack
NVD GitHub
EPSS 1% CVSS 4.3
MEDIUM PATCH This Month

rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before 1.4.5 allows attackers to access arbitrary files outside the intended root directory via a crafted PATH_INFO environment. Rated medium severity (CVSS 4.3), this vulnerability is remotely exploitable. This Path Traversal vulnerability could allow attackers to access files and directories outside the intended path.

Path Traversal Rack
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy