Rack · Rack · CVE-2026-34763
Name of the Vulnerable Software and Affected Versions
Rack versions prior to 2.2.23, 3.1.21, and 3.2.6
Description
Rack::Directory interpolates the configured `root` path directly into a regular expression, without escaping it, when deriving the directory path shown in a generated listing. If `root` contains regular-expression metacharacters such as `+`, `*`, or `.`, those characters are interpreted as pattern syntax rather than literally, so the prefix match can fail and the listing's HTML output may contain the full filesystem path of the directory instead of the path relative to `root`. That leaks internal deployment details such as directory layout, usernames, mount points, and naming conventions.
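The unescaped interpolation described above, reproduced as an added Ruby example beside two hardened forms. This is illustrative code, not Rack's implementation or its patch; the roots, paths and version strings are constructed, and the helper names (`show_path_vulnerable`, `root_affected?`, `patched_rack_version?`, and so on) are assumptions of this example.

```ruby
# Added example, not Rack's own code. It reproduces the pattern the advisory
# describes (a configured root interpolated unescaped into a regex used to
# strip the root prefix) beside two hardened forms, and adds a check for
# whether a given root contains characters that would trigger the bug.
# All paths and version strings below are constructed for illustration.
require 'rubygems'

# Vulnerable form: `root` is pasted into the regex source, so "+" and "*"
# become quantifiers and "." becomes a wildcard.
def show_path_vulnerable(root, path)
  path.sub(/^#{root}/, '')
end

# Hardened form 1: escape the root so every character matches literally.
def show_path_escaped(root, path)
  path.sub(/^#{Regexp.escape(root)}/, '')
end

# Hardened form 2: no regex at all; String#delete_prefix is a literal compare.
def show_path_literal(root, path)
  path.delete_prefix(root)
end

# True when the vulnerable form would leave the root in the displayed path.
def leaks_full_path?(root, path)
  show_path_vulnerable(root, path).start_with?(root)
end

# Conservative configuration check: any character Regexp.escape would alter
# is treated as a regex metacharacter. This over-reports (e.g. "-" is escaped
# but harmless outside a character class), which is the safe direction.
def root_affected?(root)
  Regexp.escape(root) != root
end

# Patched versions from the advisory, keyed by release series.
FIXED_VERSIONS = {
  [2, 2] => Gem::Version.new('2.2.23'),
  [3, 1] => Gem::Version.new('3.1.21'),
  [3, 2] => Gem::Version.new('3.2.6'),
}.freeze

# Returns true if `version_string` is at or above the fix for its series,
# false if below, and nil for a series the advisory does not list.
def patched_rack_version?(version_string)
  v = Gem::Version.new(version_string)
  fixed = FIXED_VERSIONS[v.segments.first(2)]
  return nil if fixed.nil?
  v >= fixed
end

# Constructed roots: a plain one, one with "+", one with ".".
SAMPLE_ROOTS = [
  '/srv/www/public',       # no metacharacters: stripping works
  '/srv/app+data/public',  # "p+" is a quantifier: match fails, full path leaks
  '/var/www/example.com',  # "." is a wildcard: still matches, but over-broadly
].freeze

def demo
  SAMPLE_ROOTS.map do |root|
    full = File.join(root, 'uploads')
    {
      root: root,
      affected: root_affected?(root),
      vulnerable: show_path_vulnerable(root, full),
      escaped: show_path_escaped(root, full),
      literal: show_path_literal(root, full),
      leaks: leaks_full_path?(root, full),
    }
  end
end

if __FILE__ == $0
  demo.each { |r| puts r.inspect }
  %w[2.2.22 2.2.23 3.1.20 3.1.21 3.2.5 3.2.6 3.0.9].each do |ver|
    puts "rack #{ver}: patched=#{patched_rack_version?(ver).inspect}"
  end
end
```

Running the file prints one row per constructed root: the `+` root is the one where the vulnerable form returns the full path unchanged, while both hardened forms return `/uploads`. The `.` root still strips correctly, but `root_affected?` flags it, and it would also match a sibling such as `/var/www/exampleXcom`, which is the over-broad match an unescaped `.` produces. `delete_prefix` is the simpler fix because it removes the regex engine from the path altogether.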
Recommendations
Update to Rack version 2.2.23 or later.
Update to Rack version 3.1.21 or later.
Update to Rack version 3.2.6 or later.