Sign In

CVE-2026-22860

ADVISORY - github

Summary

Summary

Rack::Directory’s path check used a string prefix match on the expanded path. A request like /../root_example/ can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root.

Details

In directory.rb, File.expand_path(File.join(root, path_info)).start_with?(root) does not enforce a path boundary. If the server root is /var/www/root, a path like /var/www/root_backup passes the check because it shares the same prefix, so Rack::Directory will list that directory also.

Impact

Information disclosure via directory listing outside the configured root when Rack::Directory is exposed to untrusted clients and a directory shares the root prefix (e.g., public2, www_backup).

Mitigation

  • Update to a patched version of Rack that correctly checks the root prefix.
  • Don't name directories with the same prefix as one which is exposed via Rack::Directory.

Common Weakness Enumeration (CWE)

ADVISORY - github

CWE-22

Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

CWE-548

Exposure of Information Through Directory Listing

Impacted images

Advisories

GitHub

CREATED

UPDATED

ADVISORY IDGHSA-mxw3-3hh2-x2mh
EXPLOITABILITY SCORE

3.9

EXPLOITS FOUND
-
COMMON WEAKNESS ENUMERATION (CWE)
CWE-22CWE-548

CVSS SCORE

7.5high