PT-2025-41580 · Rack+5

Ioquatix

·

Published

2025-10-10

·

Updated

2026-05-07

·

CVE-2025-61780

CVSS v3.1

5.8

Medium

Vector

AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Rack versions prior to 2.2.20
Rack versions prior to 3.1.18
Rack versions prior to 3.2.3
Description

Rack is a modular Ruby web server interface. A potential information disclosure issue existed in Rack::Sendfile when operating behind a proxy that supports x-sendfile-style headers, such as Nginx. Maliciously crafted request headers could cause Rack::Sendfile to communicate incorrectly with the proxy, potentially circumventing proxy-level access restrictions. Specifically, when the middleware received untrusted x-sendfile-type or x-accel-mapping headers, it could be tricked into emitting an accel-redirect response to the proxy, which then issues a new internal request that bypasses the proxy's access controls. An attacker could exploit this by sending a crafted x-sendfile-type: x-accel-redirect header together with a crafted x-accel-mapping header while requesting a path that qualifies for proxy-based acceleration. This could expose sensitive application routes. The issue requires the application to use Rack::Sendfile behind a proxy that supports x-accel-redirect, the proxy not consistently setting or removing the x-sendfile-type and x-accel-mapping headers, and the application exposing an endpoint that returns a body object responding to to_path.
Recommendations

Upgrade to Rack version 2.2.20.
Upgrade to Rack version 3.1.18.
Upgrade to Rack version 3.2.3.
Alternatively, configure the proxy to always set both the x-sendfile-type and x-accel-mapping headers to trusted values, or to strip them from incoming requests, so that client-supplied values never reach the application. In Rails applications, disable sendfile completely.
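As an added illustration of the mechanism the description names, the following is a simplified model of the x-accel-redirect branch of Rack::Sendfile. It is example code written for this page, not Rack's own implementation and not part of the advisory; the file paths, mapping values, and the AccelSendfile and accel_target names are constructed. It shows that whoever supplies x-accel-mapping chooses where the proxy's internal request goes, which is why both headers must be pinned at the proxy (or, in this model, fixed in the middleware) rather than read from the client.

```ruby
# Added example, not Rack's own code: a simplified model of the
# x-accel-redirect branch of Rack::Sendfile, used to show why the
# x-sendfile-type / x-accel-mapping request headers must come from the
# proxy and never from the client. Paths and mappings below are constructed.

# Body object the application returns for a file on disk.
FileBody = Struct.new(:to_path)

# Simplified x-accel-redirect middleware (hypothetical, not Rack::Sendfile).
# `trusted_mapping` models a deployment that pins the mapping itself instead
# of reading it from the request. Format: "internal_prefix=external_prefix".
class AccelSendfile
  def initialize(app, trusted_mapping = nil)
    @app = app
    @trusted_mapping = trusted_mapping
  end

  def call(env)
    status, headers, body = @app.call(env)
    return [status, headers, body] unless body.respond_to?(:to_path)

    type = env['HTTP_X_SENDFILE_TYPE'].to_s
    return [status, headers, body] unless type.casecmp?('x-accel-redirect')

    # Vulnerable pattern: with no trusted mapping the request header decides.
    mapping = @trusted_mapping || env['HTTP_X_ACCEL_MAPPING']
    return [status, headers, body] if mapping.nil?

    internal, external = mapping.split('=', 2).map(&:strip)
    path = File.expand_path(body.to_path)
    return [status, headers, body] unless path.start_with?(internal)

    # Hand the file off to the proxy: empty body plus an accel-redirect header.
    headers = headers.merge(
      'content-length' => '0',
      'x-accel-redirect' => external + path.delete_prefix(internal)
    )
    [status, headers, []]
  end
end

# Application: serves a file from a directory the proxy is allowed to accelerate.
APP = lambda do |_env|
  [200, { 'content-type' => 'application/pdf' }, FileBody.new('/var/www/files/report.pdf')]
end

# Run one request; `request_headers` are the values that actually reach the app.
# Returns the x-accel-redirect header the proxy would act on (nil if none).
def accel_target(request_headers, trusted_mapping: nil)
  env = {
    'REQUEST_METHOD' => 'GET',
    'PATH_INFO' => '/download/report.pdf',
    'HTTP_X_SENDFILE_TYPE' => request_headers['x-sendfile-type'],
    'HTTP_X_ACCEL_MAPPING' => request_headers['x-accel-mapping']
  }.compact
  _status, headers, _body = AccelSendfile.new(APP, trusted_mapping).call(env)
  headers['x-accel-redirect']
end

# Headers as the proxy is meant to set them (constructed).
PROXY_HEADERS = {
  'x-sendfile-type' => 'X-Accel-Redirect',
  'x-accel-mapping' => '/var/www/files/=/protected/'
}.freeze

# The same two headers chosen by the client and forwarded unchanged (constructed).
CLIENT_HEADERS = {
  'x-sendfile-type' => 'x-accel-redirect',
  'x-accel-mapping' => '/var/www/files/=/internal/'
}.freeze

if $PROGRAM_NAME == __FILE__
  puts accel_target(PROXY_HEADERS)   # /protected/report.pdf
  puts accel_target(CLIENT_HEADERS)  # /internal/report.pdf, a client-chosen internal location
  puts accel_target(CLIENT_HEADERS, trusted_mapping: '/var/www/files/=/protected/') # /protected/report.pdf
end
```

The second call is the condition the advisory describes: the client's mapping, forwarded unchanged, turns the file hand-off into an internal proxy request for a location the client picked. At the proxy, the equivalent of the trusted_mapping argument is to pin both headers in the location that proxies to the application, for example with `proxy_set_header X-Sendfile-Type X-Accel-Redirect;` and `proxy_set_header X-Accel-Mapping /var/www/files/=/protected/;`, or to clear them with `proxy_set_header X-Accel-Mapping "";` (Nginx does not forward a header whose value is the empty string).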

Exploit

Fix

Information Disclosure

Weakness Enumeration

Related Identifiers

BDU:2025-13873
CVE-2025-61780
DLA-4357-1
DSA-6048-1
GHSA-R657-RXJC-J557
MGASA-2025-0334
SUSE-SU-2025:4273-1
USN-7960-1

Affected Products

Debian
Linuxmint
Rack
Red Os
Suse
Ubuntu