Rack: Rack::Directory info disclosure and DoS via unescaped regex interpolation

5.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Description

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Directory interpolates the configured root path directly into a regular expression when deriving the displayed directory path. If root contains regex metacharacters such as +, *, or ., the prefix stripping can fail and the generated directory listing may expose the full filesystem path in the HTML output. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.

Basic Information

ID CVE-2026-34763

Source GitHub_M

Published Apr 2, 2026 at 16:43

Modified Apr 2, 2026 at 17:41

Affected Product

Vendor rack

Product rack

Version < 2.2.23

Affected Versions rack rack < 2.2.23
rack rack >= 3.0.0.beta1, < 3.1.21
rack rack >= 3.2.0, < 3.2.6

CWE Classification

CWE-625

References

github.com /rack/rack/security/advisories/GHSA-7mqq-6cf9-v2qp

{
    "lastseen": "",
    "description": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Directory interpolates the configured root path directly into a regular expression when deriving the displayed directory path. If root contains regex metacharacters such as +, *, or ., the prefix stripping can fail and the generated directory listing may expose the full filesystem path in the HTML output. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.",
    "published": "2026-04-02T16:43:42.189Z",
    "modified": "2026-04-02T17:41:12.293Z",
    "type": "cve",
    "title": "Rack: Rack::Directory info disclosure and DoS via unescaped regex interpolation",
    "source": "GitHub_M",
    "references": "https://github.com/rack/rack/security/advisories/GHSA-7mqq-6cf9-v2qp",
    "id": "CVE-2026-34763",
    "bulletinFamily": "",
    "cwe": [
        "CWE-625"
    ],
    "cvelist": null,
    "sourceData": "rack rack < 2.2.23\nrack rack >= 3.0.0.beta1, < 3.1.21\nrack rack >= 3.2.0, < 3.2.6",
    "sourceHref": "",
    "cvss": {
        "score": 5.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "rack",
    "version": "< 2.2.23",
    "vendor": "rack",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Rack: Rack::Directory info disclosure and DoS via unescaped regex interpolation_CVE-2026-34763