---
gem: rack
cve: 2026-34785
ghsa: h2jq-g4cq-5ppq
url: https://github.com/rack/rack/security/advisories/GHSA-h2jq-g4cq-5ppq
title: Rack::Static prefix matching can expose unintended files under the static root
date: 2026-04-02
description: |
## Summary
`Rack::Static` determines whether a request should be served as a
static file using a simple string prefix check. When configured
with URL prefixes such as `"/css"`, it matches any request path
that begins with that string, including unrelated paths such as
`"/css-config.env"` or `"/css-backup.sql"`.
As a result, files under the static root whose names merely share
the configured prefix may be served unintentionally, leading to
information disclosure.
## Details
`Rack::Static#route_file` performs static-route matching using
logic equivalent to:
```ruby
@urls.any? { |url| path.index(url) == 0 }
```
This checks only whether the request path starts with the configured
prefix string. It does not require a path segment boundary after the prefix.
For example, with:
```ruby
use Rack::Static, urls: ["/css", "/js"], root: "public"
```
the following path is matched as intended:
```text
/css/style.css
```
but these paths are also matched:
```text
/css-config.env
/css-backup.sql
/csssecrets.yml
```
If such files exist under the configured static root, Rack forwards
the request to the file server and serves them as static content.
This means a configuration intended to expose only directory trees
such as `/css/...` and `/js/...` may also expose sibling files
whose names begin with those same strings.
## Impact
An attacker can request files under the configured static root whose
names share a configured URL prefix and obtain their contents.
In affected deployments, this may expose configuration files,
secrets, backups, environment files, or other unintended static
content located under the same root directory.
## Mitigation
* Update to a patched version of Rack that enforces a path boundary
when matching configured static URL prefixes.
* Match only paths that are either exactly equal to the configured
prefix or begin with `prefix + "/"`.
* Avoid placing sensitive files under the `Rack::Static` root directory.
* Prefer static URL mappings that cannot overlap with sensitive filenames. With the prefix check described above, a prefix configured with a trailing slash (for example `"/css/"`) cannot match `/css-config.env`, at the cost of no longer matching the bare `/css` path.
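As an added example (not Rack's own code and not part of this advisory), the script below models the vulnerable prefix-only check from the Details section next to the boundary-aware check the Mitigation section calls for, and runs both over constructed request paths. The constants `URLS` and `SAMPLE_PATHS` and the helper names `prefix_match?`, `boundary_match?`, `served_by` and `unintended_matches` are assumptions made for the illustration.

```ruby
# Added example, not Rack's implementation: a minimal model of the
# Rack::Static route check, vulnerable form beside hardened form.

# Assumed configuration, equivalent to `use Rack::Static, urls: ["/css", "/js"]`.
URLS = ["/css", "/js"].freeze

# Vulnerable logic, equivalent to the check quoted in the advisory:
# a request matches if the path merely starts with the prefix string.
def prefix_match?(path, urls = URLS)
  urls.any? { |url| path.index(url) == 0 }
end

# Hardened logic: the path must equal the prefix exactly or continue
# with a "/" segment boundary immediately after it.
def boundary_match?(path, urls = URLS)
  urls.any? { |url| path == url || path.start_with?("#{url}/") }
end

# Paths that a given matcher would hand to the static file server.
# `matcher` is a Method object, e.g. method(:prefix_match?).
def served_by(matcher, paths)
  paths.select { |p| matcher.call(p) }
end

# Paths the prefix-only check serves that the boundary check rejects:
# exactly the sibling files the advisory warns about.
def unintended_matches(paths, urls = URLS)
  vulnerable = paths.select { |p| prefix_match?(p, urls) }
  intended   = paths.select { |p| boundary_match?(p, urls) }
  vulnerable - intended
end

# Constructed request paths for the demonstration.
SAMPLE_PATHS = [
  "/css/style.css",   # intended: file under the /css directory
  "/js/app.js",       # intended: file under the /js directory
  "/css",             # exact prefix, matched by both checks
  "/css-config.env",  # sibling file sharing the "/css" prefix
  "/css-backup.sql",
  "/csssecrets.yml",
  "/js.bak",          # sibling file sharing the "/js" prefix
  "/config.yml",      # shares no prefix, matched by neither check
].freeze

if __FILE__ == $PROGRAM_NAME
  puts "prefix-only check serves:  #{served_by(method(:prefix_match?), SAMPLE_PATHS).inspect}"
  puts "boundary check serves:     #{served_by(method(:boundary_match?), SAMPLE_PATHS).inspect}"
  puts "unintended exposure:       #{unintended_matches(SAMPLE_PATHS).inspect}"
end
```

Running the script lists `/css-config.env`, `/css-backup.sql`, `/csssecrets.yml` and `/js.bak` as the paths only the prefix-only check would serve; `/config.yml` is matched by neither, which is why the exposure is limited to files whose names begin with a configured prefix. Passing `["/css/"]` as `urls` to `prefix_match?` shows the trailing-slash configuration sidestepping the sibling-file match even without the code fix.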
cvss_v3: 7.5
patched_versions:
- "~> 2.2.23"
- "~> 3.1.21"
- ">= 3.2.6"
related:
url:
- https://nvd.nist.gov/vuln/detail/CVE-2026-34785
- https://github.com/rack/rack/security/advisories/GHSA-h2jq-g4cq-5ppq
- https://github.com/advisories/GHSA-h2jq-g4cq-5ppq