Rack · Rack · CVE-2025-61780
**Name of the Vulnerable Software and Affected Versions**
Rack versions prior to 2.2.20
Rack versions prior to 3.1.18
Rack versions prior to 3.2.3
**Description**
Rack is a modular Ruby web server interface. A potential information disclosure issue existed in `Rack::Sendfile` when operating behind a proxy supporting `x-sendfile` headers, such as Nginx. Maliciously crafted headers could lead `Rack::Sendfile` to incorrectly communicate with the proxy, potentially circumventing proxy-level access restrictions. Specifically, when receiving untrusted `x-sendfile-type` or `x-accel-mapping` headers, the middleware could be tricked into sending a redirect response to the proxy, triggering a new internal request that bypasses access controls. An attacker could exploit this by setting a crafted `x-sendfile-type: x-accel-redirect` header and a crafted `x-accel-mapping` header, requesting a path that qualifies for proxy-based acceleration. This could expose sensitive application routes. The issue requires the application to use `Rack::Sendfile` with a proxy that supports `x-accel-redirect`, the proxy not consistently setting or removing the `x-sendfile-type` and `x-accel-mapping` headers, and the application exposing an endpoint that returns a body responding to `.to_path`.
**Recommendations**
Upgrade to Rack version 2.2.20.
Upgrade to Rack version 3.1.18.
Upgrade to Rack version 3.2.3.
Alternatively, configure the proxy to always set or strip the `x-sendfile-type` and `x-accel-mapping` headers, so that client-supplied values never reach `Rack::Sendfile`.
In Rails applications, disable sendfile completely.
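The mitigation above ("always set or strip the headers") can also be enforced inside the Rack stack when the proxy configuration cannot be relied upon. The following middleware is an added example written for this advisory, not code from the Rack project: it deletes any client-supplied `x-sendfile-type` / `x-accel-mapping` values from the Rack env and, if the operator has configured trusted values, injects those instead, so that whatever `Rack::Sendfile` sees downstream was chosen by the deployment and not by the request. The class name, the option names, the mapping path `/var/www/files/=/protected/` and the sample env are assumptions constructed for the example.

```ruby
# Added example (not Rack's own code). Rack exposes incoming request headers
# in env as HTTP_<NAME> with dashes turned into underscores, so the two headers
# from the advisory appear as HTTP_X_SENDFILE_TYPE and HTTP_X_ACCEL_MAPPING.
class TrustedSendfileHeaders
  UNTRUSTED_KEYS = %w[HTTP_X_SENDFILE_TYPE HTTP_X_ACCEL_MAPPING].freeze

  # sendfile_type / accel_mapping: values the operator trusts (assumed option
  # names). When nil, the header is simply stripped and Rack::Sendfile falls
  # back to doing nothing for that mechanism.
  def initialize(app, sendfile_type: nil, accel_mapping: nil)
    @app = app
    @sendfile_type = sendfile_type
    @accel_mapping = accel_mapping
  end

  def call(env)
    # Drop whatever the client sent, regardless of casing or content.
    UNTRUSTED_KEYS.each { |key| env.delete(key) }
    # Re-add only operator-controlled values, mirroring what a correctly
    # configured proxy would do with proxy_set_header.
    env["HTTP_X_SENDFILE_TYPE"] = @sendfile_type if @sendfile_type
    env["HTTP_X_ACCEL_MAPPING"] = @accel_mapping if @accel_mapping
    @app.call(env)
  end
end

# Constructed sample request: a client trying to supply its own sendfile
# headers for a path that would qualify for acceleration.
HOSTILE_ENV = {
  "REQUEST_METHOD" => "GET",
  "PATH_INFO" => "/files/report.pdf",
  "HTTP_X_SENDFILE_TYPE" => "x-accel-redirect",
  "HTTP_X_ACCEL_MAPPING" => "/=/",
}.freeze

# Runs the middleware over a copy of env and reports the two header values
# that the inner application (and thus Rack::Sendfile, if it sat there)
# would observe.
def headers_seen_by_app(env, **opts)
  seen = {}
  inner_app = lambda do |e|
    seen[:sendfile_type] = e["HTTP_X_SENDFILE_TYPE"]
    seen[:accel_mapping] = e["HTTP_X_ACCEL_MAPPING"]
    [200, { "content-type" => "text/plain" }, ["ok"]]
  end
  TrustedSendfileHeaders.new(inner_app, **opts).call(env.dup)
  seen
end

if __FILE__ == $PROGRAM_NAME
  puts "strip only:      #{headers_seen_by_app(HOSTILE_ENV).inspect}"
  puts "operator values: #{headers_seen_by_app(HOSTILE_ENV,
    sendfile_type: 'x-accel-redirect',
    accel_mapping: '/var/www/files/=/protected/').inspect}"
end
```

Mount it in `config.ru` with `use TrustedSendfileHeaders, ...` before `use Rack::Sendfile` (or before the framework middleware that adds it). With no options it is equivalent to the "strip" branch of the recommendation; with both options it is the "always set" branch. In Rails, the equivalent of disabling sendfile completely is setting `config.action_dispatch.x_sendfile_header = nil`, after which `Rack::Sendfile` is not relied upon at all.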