GHSA-mxw3-3hh2-x2mh
Suggest an improvement- Source
- https://github.com/advisories/GHSA-mxw3-3hh2-x2mh
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/02/GHSA-mxw3-3hh2-x2mh/GHSA-mxw3-3hh2-x2mh.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-mxw3-3hh2-x2mh
- Aliases
- Downstream
- Related
- Published
- 2026-02-17T16:14:11Z
- Modified
- 2026-02-24T16:32:23.941036Z
- Severity
-
- 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Rack has a Directory Traversal via Rack:Directory
- Details
-
Summary
Rack::Directory’s path check used a string prefix match on the expanded path. A request like/../root_example/can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root.Details
In
directory.rb,File.expand_path(File.join(root, path_info)).start_with?(root)does not enforce a path boundary. If the server root is/var/www/root, a path like/var/www/root_backuppasses the check because it shares the same prefix, soRack::Directorywill list that directory also.Impact
Information disclosure via directory listing outside the configured root when
Rack::Directoryis exposed to untrusted clients and a directory shares the root prefix (e.g.,public2,www_backup).Mitigation
- Update to a patched version of Rack that correctly checks the root prefix.
- Don't name directories with the same prefix as one which is exposed via
Rack::Directory.
- Database specific
{ "nvd_published_at": "2026-02-18T19:21:43Z", "cwe_ids": [ "CWE-22", "CWE-548" ], "github_reviewed_at": "2026-02-17T16:14:11Z", "github_reviewed": true, "severity": "HIGH" }- References
-
- https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh
- https://nvd.nist.gov/vuln/detail/CVE-2026-22860
- https://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7
- https://github.com/rack/rack
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-22860.yml
Affected packages
RubyGems / rack
Package
- Name
- rack
- Purl
- pkg:gem/rack
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed2.2.22
Affected versions
0.*
0.1.0
0.2.0
0.3.0
0.4.0
0.9.0
0.9.1
1.*
1.0.0
1.0.1
1.1.0
1.1.1.pre
1.1.1
1.1.2
1.1.3
1.1.4
1.1.5
1.1.6
1.2.0
1.2.1
1.2.2
1.2.3
1.2.4
1.2.5
1.2.6
1.2.7
1.2.8
1.3.0.beta
1.3.0.beta2
1.3.0
1.3.1
1.3.2
1.3.3
1.3.4
1.3.5
1.3.6
1.3.7
1.3.8
1.3.9
1.3.10
1.4.0
1.4.1
1.4.2
1.4.3
1.4.4
1.4.5
1.4.6
1.4.7
1.5.0.beta.1
1.5.0.beta.2
1.5.0
1.5.1
1.5.2
1.5.3
1.5.4
1.5.5
1.6.0.beta
1.6.0.beta2
1.6.0
1.6.1
1.6.2
1.6.3
1.6.4
1.6.5
1.6.6
1.6.7
1.6.8
1.6.9
1.6.10
1.6.11
1.6.12
1.6.13
2.*
2.0.0.alpha
2.0.0.rc1
2.0.1
2.0.2
2.0.3
2.0.4
2.0.5
2.0.6
2.0.7
2.0.8
2.0.9
2.0.9.1
2.0.9.2
2.0.9.3
2.0.9.4
2.1.0
2.1.1
2.1.2
2.1.3
2.1.4
2.1.4.1
2.1.4.2
2.1.4.3
2.1.4.4
2.2.0
2.2.1
2.2.2
2.2.3
2.2.3.1
2.2.4
2.2.5
2.2.6
2.2.6.1
2.2.6.2
2.2.6.3
2.2.6.4
2.2.7
2.2.8
2.2.8.1
2.2.9
2.2.10
2.2.11
2.2.12
2.2.13
2.2.14
2.2.15
2.2.16
2.2.17
2.2.18
2.2.19
2.2.20
2.2.21
RubyGems / rack
Package
- Name
- rack
- Purl
- pkg:gem/rack
Affected versions
3.*
3.0.0.beta1
3.0.0.rc1
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.4.1
3.0.4.2
3.0.5
3.0.6
3.0.6.1
3.0.7
3.0.8
3.0.9
3.0.9.1
3.0.10
3.0.11
3.0.12
3.0.13
3.0.14
3.0.15
3.0.16
3.0.17
3.0.18
3.1.0
3.1.1
3.1.2
3.1.3
3.1.4
3.1.5
3.1.6
3.1.7
3.1.8
3.1.9
3.1.10
3.1.11
3.1.12
3.1.13
3.1.14
3.1.15
3.1.16
3.1.17
3.1.18
3.1.19
RubyGems / rack
Package
- Name
- rack
- Purl
- pkg:gem/rack