Rack: Local file inclusion in `Rack::Static` via URL Prefix Matching

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Description

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path that begins with that string, including unrelated paths such as "/css-config.env" or "/css-backup.sql". As a result, files under the static root whose names merely share the configured prefix may be served unintentionally, leading to information disclosure. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.

Basic Information

ID CVE-2026-34785

Source GitHub_M

Published Apr 2, 2026 at 16:44

Modified Apr 2, 2026 at 18:59

Affected Product

Vendor rack

Product rack

Version < 2.2.23

Affected Versions rack rack < 2.2.23
rack rack >= 3.0.0.beta1, < 3.1.21
rack rack >= 3.2.0, < 3.2.6

CWE Classification

CWE-187 CWE-200

References

github.com /rack/rack/security/advisories/GHSA-h2jq-g4cq-5ppq

{
    "lastseen": "",
    "description": "Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as \"/css\", it matches any request path that begins with that string, including unrelated paths such as \"/css-config.env\" or \"/css-backup.sql\". As a result, files under the static root whose names merely share the configured prefix may be served unintentionally, leading to information disclosure. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.",
    "published": "2026-04-02T16:44:17.134Z",
    "modified": "2026-04-02T18:59:08.828Z",
    "type": "cve",
    "title": "Rack: Local file inclusion in `Rack::Static` via URL Prefix Matching",
    "source": "GitHub_M",
    "references": "https://github.com/rack/rack/security/advisories/GHSA-h2jq-g4cq-5ppq",
    "id": "CVE-2026-34785",
    "bulletinFamily": "",
    "cwe": [
        "CWE-187",
        "CWE-200"
    ],
    "cvelist": null,
    "sourceData": "rack rack < 2.2.23\nrack rack >= 3.0.0.beta1, < 3.1.21\nrack rack >= 3.2.0, < 3.2.6",
    "sourceHref": "",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "rack",
    "version": "< 2.2.23",
    "vendor": "rack",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Rack: Local file inclusion in `Rack::Static` via URL Prefix Matching_CVE-2026-34785