{"id":"GHSA-7mqq-6cf9-v2qp","summary":"Rack has a root directory disclosure via unescaped regex interpolation in Rack::Directory","details":"## Summary\n\n`Rack::Directory` interpolates the configured `root` path directly into a regular expression when deriving the displayed directory path. If `root` contains regex metacharacters such as `+`, `*`, or `.`, the prefix stripping can fail and the generated directory listing may expose the full filesystem path in the HTML output.\n\n## Details\n\n`Rack::Directory::DirectoryBody#each` computes the visible path using code equivalent to:\n\n```ruby\nshow_path = Utils.escape_html(path.sub(/\\A#{root}/, ''))\n```\n\nHere, `root` is a developer-configured filesystem path. It is normalized earlier with `File.expand_path(root)` and then inserted directly into a regular expression without escaping.\n\nBecause the value is treated as regex syntax rather than as a literal string, metacharacters in the configured path can change how the prefix match behaves. When that happens, the expected root prefix is not removed from `path`, and the absolute filesystem path is rendered into the HTML directory listing.\n\n## Impact\n\nIf `Rack::Directory` is configured to serve a directory whose absolute path contains regex metacharacters, the generated directory listing may disclose the full server filesystem path instead of only the request-relative path.\n\nThis can expose internal deployment details such as directory layout, usernames, mount points, or naming conventions that would otherwise not be visible to clients.\n\n## Mitigation\n\n* Update to a patched version of Rack in which the root prefix is removed using an escaped regular expression.\n* Avoid using `Rack::Directory` with a root path that contains regular expression metacharacters.","aliases":["CVE-2026-34763"],"modified":"2026-04-06T00:44:18.446067948Z","published":"2026-04-02T20:32:42Z","related":["CGA-4r87-7f3w-2442"],"database_specific":{"cwe_ids":["CWE-625"],"severity":"MODERATE","github_reviewed_at":"2026-04-02T20:32:42Z","nvd_published_at":"2026-04-02T17:16:24Z","github_reviewed":true},"references":[{"type":"WEB","url":"https://github.com/rack/rack/security/advisories/GHSA-7mqq-6cf9-v2qp"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34763"},{"type":"PACKAGE","url":"https://github.com/rack/rack"}],"affected":[{"package":{"name":"rack","ecosystem":"RubyGems","purl":"pkg:gem/rack"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"2.2.23"}]}],"versions":["0.1.0","0.2.0","0.3.0","0.4.0","0.9.0","0.9.1","1.0.0","1.0.1","1.1.0","1.1.1","1.1.1.pre","1.1.2","1.1.3","1.1.4","1.1.5","1.1.6","1.2.0","1.2.1","1.2.2","1.2.3","1.2.4","1.2.5","1.2.6","1.2.7","1.2.8","1.3.0","1.3.0.beta","1.3.0.beta2","1.3.1","1.3.10","1.3.2","1.3.3","1.3.4","1.3.5","1.3.6","1.3.7","1.3.8","1.3.9","1.4.0","1.4.1","1.4.2","1.4.3","1.4.4","1.4.5","1.4.6","1.4.7","1.5.0","1.5.0.beta.1","1.5.0.beta.2","1.5.1","1.5.2","1.5.3","1.5.4","1.5.5","1.6.0","1.6.0.beta","1.6.0.beta2","1.6.1","1.6.10","1.6.11","1.6.12","1.6.13","1.6.2","1.6.3","1.6.4","1.6.5","1.6.6","1.6.7","1.6.8","1.6.9","2.0.0.alpha","2.0.0.rc1","2.0.1","2.0.2","2.0.3","2.0.4","2.0.5","2.0.6","2.0.7","2.0.8","2.0.9","2.0.9.1","2.0.9.2","2.0.9.3","2.0.9.4","2.1.0","2.1.1","2.1.2","2.1.3","2.1.4","2.1.4.1","2.1.4.2","2.1.4.3","2.1.4.4","2.2.0","2.2.1","2.2.10","2.2.11","2.2.12","2.2.13","2.2.14","2.2.15","2.2.16","2.2.17","2.2.18","2.2.19","2.2.2","2.2.20","2.2.21","2.2.22","2.2.3","2.2.3.1","2.2.4","2.2.5","2.2.6","2.2.6.1","2.2.6.2","2.2.6.3","2.2.6.4","2.2.7","2.2.8","2.2.8.1","2.2.9"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-7mqq-6cf9-v2qp/GHSA-7mqq-6cf9-v2qp.json"}},{"package":{"name":"rack","ecosystem":"RubyGems","purl":"pkg:gem/rack"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"3.0.0.beta1"},{"fixed":"3.1.21"}]}],"versions":["3.0.0","3.0.0.beta1","3.0.0.rc1","3.0.1","3.0.10","3.0.11","3.0.12","3.0.13","3.0.14","3.0.15","3.0.16","3.0.17","3.0.18","3.0.2","3.0.3","3.0.4","3.0.4.1","3.0.4.2","3.0.5","3.0.6","3.0.6.1","3.0.7","3.0.8","3.0.9","3.0.9.1","3.1.0","3.1.1","3.1.10","3.1.11","3.1.12","3.1.13","3.1.14","3.1.15","3.1.16","3.1.17","3.1.18","3.1.19","3.1.2","3.1.20","3.1.3","3.1.4","3.1.5","3.1.6","3.1.7","3.1.8","3.1.9"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-7mqq-6cf9-v2qp/GHSA-7mqq-6cf9-v2qp.json"}},{"package":{"name":"rack","ecosystem":"RubyGems","purl":"pkg:gem/rack"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"3.2.0"},{"fixed":"3.2.6"}]}],"versions":["3.2.0","3.2.1","3.2.2","3.2.3","3.2.4","3.2.5"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-7mqq-6cf9-v2qp/GHSA-7mqq-6cf9-v2qp.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}