PT-2026-20325 · Rack+3

Thesmartshadow · Published 2026-01-01 · Updated 2026-04-17 · CVE-2026-25500

CVSS v3.1: 9.8 Critical
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

Rack versions prior to 2.2.22
Rack versions prior to 3.1.20
Rack versions prior to 3.2.5
Description

Rack’s Rack::Directory component generates HTML directory indexes with clickable links for each file entry. If a file exists with a basename starting with the javascript: scheme (for example, javascript:alert(1)), the generated index includes an anchor with an href attribute set to that scheme. Clicking this link executes JavaScript in the browser. This results in a client-side cross-site scripting (XSS) condition in directory listings generated by Rack::Directory. The issue occurs because the file basename is directly inserted into the href attribute without validation or normalization. The vulnerable component is Rack::Directory.
Recommendations

Update to Rack version 2.2.22 or later.
Update to Rack version 3.1.20 or later.
Update to Rack version 3.2.5 or later.
Avoid exposing user-controlled directories via Rack::Directory.
Apply a strict Content Security Policy (CSP) to reduce the impact of potential client-side execution issues.
Restrict or sanitize uploaded filenames to disallow dangerous URI scheme prefixes.
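The following is an added illustration, not Rack's own code or the upstream fix: it contrasts the unsafe pattern from the description (basename dropped straight into href) with a hardened listing entry that percent-encodes the path segment, and adds a filename check matching the last recommendation. The helper names (scheme_prefixed?, unsafe_entry_html, safe_entry_html, link_scheme) and the sample basenames are hypothetical.

```ruby
require 'erb'
require 'uri'

# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) followed by ":".
# A basename matching this is ambiguous as a relative href, so reject it at
# upload time (hypothetical helper, not part of Rack).
SCHEME_PREFIX = /\A[A-Za-z][A-Za-z0-9+.\-]*:/.freeze

def scheme_prefixed?(basename)
  !!(basename =~ SCHEME_PREFIX)
end

# Unsafe pattern described in the advisory: the raw basename becomes the href,
# so "javascript:alert(1)" is read by the browser as a scheme, not a path.
def unsafe_entry_html(basename)
  %(<a href="#{basename}">#{basename}</a>)
end

# Hardened entry: the basename is percent-encoded as a path segment (':' -> %3A,
# '(' -> %28 ...) and joined under the directory path; the link text is
# HTML-escaped. The result can only ever resolve as a relative path.
def safe_entry_html(dir_path, basename)
  href = File.join(dir_path, ERB::Util.url_encode(basename))
  text = ERB::Util.html_escape(basename)
  %(<a href="#{href}">#{text}</a>)
end

# Detection check: what scheme would a browser see for this anchor's href?
# Returns nil for a relative reference.
def link_scheme(html)
  href = html[/href="([^"]*)"/, 1]
  URI.parse(href).scheme
end

if __FILE__ == $PROGRAM_NAME
  name = 'javascript:alert(1)' # constructed sample basename
  puts "flagged at upload: #{scheme_prefixed?(name)}"
  puts "unsafe href scheme: #{link_scheme(unsafe_entry_html(name)).inspect}"
  puts "safe href scheme:   #{link_scheme(safe_entry_html('/files', name)).inspect}"
  puts safe_entry_html('/files', name)
end
```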

Exploit

Fix

XSS


Weakness Enumeration

Related Identifiers

BDU:2026-07220
CLEANSTART-2026-GE08280
CLEANSTART-2026-IW08736
CLEANSTART-2026-RZ30606
CLEANSTART-2026-XJ84245
CVE-2026-25500
GHSA-WHRJ-4476-WVMP
MGASA-2026-0075
OPENSUSE-SU-2026:10286-1
USN-8066-1

Affected Products

Linuxmint
Rack
Red Os
Ubuntu