CVE-2026-25500

Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename starts with the `javascript:` scheme (e.g. `javascript:alert(1)`), the generated index contains an anchor whose `href` is exactly `javascript:alert(1)`. Clicking the entry executes JavaScript in the browser (demonstrated with `alert(1)`). Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.

CVSS v3 5.4 MEDIUM

5.4^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.3 / Impact : 2.7

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction REQUIRED

Confidentiality Impact LOW

Integrity Impact LOW

Availability Impact NONE

Scope CHANGED

References

Link	Resource
https://github.com/rack/rack/commit/f2f225f297b99fbee3d9f51255d41f601fc40aff	Patch
https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp	Exploit Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

OR	cpe:2.3:a:rack:rack::::::ruby::*
	cpe:2.3:a:rack:rack::::::ruby::*
	cpe:2.3:a:rack:rack::::::ruby::*

History

No history.

Information

Published : 2026-02-18 20:18

Updated : 2026-02-19 18:26

NVD link : CVE-2026-25500

Mitre link : CVE-2026-25500

CVE.ORG link : CVE-2026-25500

JSON object : View

Products Affected

rack

rack

CWE

CWE-79

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

{"id": "CVE-2026-25500", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "CHANGED", "version": "3.1", "baseScore": 5.4, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N", "integrityImpact": "LOW", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "LOW"}, "impactScore": 2.7, "exploitabilityScore": 2.3}]}, "published": "2026-02-18T20:18:36.110", "references": [{"url": "https://github.com/rack/rack/commit/f2f225f297b99fbee3d9f51255d41f601fc40aff", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-79"}]}], "descriptions": [{"lang": "en", "value": "Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename starts with the `javascript:` scheme (e.g. `javascript:alert(1)`), the generated index contains an anchor whose `href` is exactly `javascript:alert(1)`. Clicking the entry executes JavaScript in the browser (demonstrated with `alert(1)`). Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue."}, {"lang": "es", "value": "Rack es una interfaz modular para servidores web Ruby. Antes de las versiones 2.2.22, 3.1.20 y 3.2.5, `Rack::Directory` generaba un \u00edndice de directorio HTML en el que cada entrada de archivo se representaba como un enlace en el que se pod\u00eda hacer clic. Si existe un archivo en el disco cuyo nombre base comienza con el esquema `javascript:` (por ejemplo, `javascript:alert(1)`), el \u00edndice generado contiene un ancla cuyo `href` es exactamente `javascript:alert(1)`. Al hacer clic en la entrada, se ejecuta JavaScript en el navegador (demostrado con `alert(1)`). Las versiones 2.2.22, 3.1.20 y 3.2.5 corrigen el problema."}], "lastModified": "2026-02-19T18:26:27.523", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*", "vulnerable": true, "matchCriteriaId": "58D73D7A-523C-4472-9322-87B5E7A785CA", "versionEndExcluding": "2.2.22"}, {"criteria": "cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*", "vulnerable": true, "matchCriteriaId": "76491EC1-2EA1-492E-97B2-2427EDFB0E07", "versionEndExcluding": "3.1.20", "versionStartIncluding": "3.0.0"}, {"criteria": "cpe:2.3:a:rack:rack:*:*:*:*:*:ruby:*:*", "vulnerable": true, "matchCriteriaId": "653A4AF6-055E-46F2-992E-C6624BBF8A25", "versionEndExcluding": "3.2.5", "versionStartIncluding": "3.2.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}