Rack Ruby vulnerability could reveal secrets to attackers (CVE-2025-27610)

Researchers have uncovered three serious vulnerabilities in Rack, a server interface used by most Ruby web app frameworks (Ruby on Rails, Sinatra, Hanami, Roda, and others).

Two of the flaws – CVE-2025-25184 and CVE-2025-27111 – could allow attackers to manipulate log content and entries, while the third one – CVE-2025-27610 – is a path traversal vulnerability that may allow attackers to gain unauthorized access to sensitive information.

About CVE-2025-27610

Rack provides a standardized way for web servers and Ruby web applications to communicate, and is a core component of many web applications that are used by businesses and consumers.

It is available as a Ruby Gem (i.e., reusable package of Ruby code).

OPSWAT researchers Thai Do and Minh Pham have found the three vulnerabilities and have singled out CVE-2025-27610 as the most severe.

This vulnerability is in the Rack::Static middleware, used by Rack applications to serve static files and content within Ruby web applications.

To demonstrate the vulnerability’s potential, researchers Minh Pham and Thai Do have developed a Ruby-based web application utilizing Rack version 3.1.10, and have shown that in scenarios where the application does not explicitly define the root: option, an unauthenticated attacker could gain access to files located outside the designated static file directory.

Those files may include configuration files, credentials, and other confidential data, but there’s a caveat: to access the files, the attacker must be able to determine their path.

“In theory, exploiting CVE-2025-27610 would not require significant payload modifications for each web application, since it’s a path traversal vulnerability. It allows attackers to gain unauthorized access to files on the web server simply by manipulating the URL from the client side,” Bang Do, Senior QA Director, Product Engineering at OPSWAT, told Help Net Security.

“The impact of this vulnerability depends on the contents of the accessed files. For instance, if the files contain secret keys for database servers or other critical servers, attackers could potentially infiltrate deeper into the customer’s environment and access additional resources.”

What to do?

“The widespread global adoption of Rack, with more than one billion downloads globally, highlights its integral role within the Ruby development ecosystem,” OPSWAT noted.

The three vulnerabilities have been fixed, and developers are advised to upgrade the Rack version used in their Ruby applications to a patched version: 2.2.13 or higher, 3.0.14 or higher, or 3.1.12 or higher.

Alternatively, CVE-2025-27610 can be mitigated by removing the usage of Rack::Static or by ensuring that root: points at a directory path that only contains files which should be accessed publicly.

CVE-2025-27111 can be mitigated by eliminating the use of the Rack::Sendfile middleware.

Subscribe to our breaking news e-mail alert to never miss out on the latest breaches, vulnerabilities and cybersecurity threats. Subscribe here!