Researchers have recently discovered three critical vulnerabilities in Rack, a server interface widely used by Ruby web app frameworks such as Ruby on Rails, Sinatra, Hanami, Roda, and others. These vulnerabilities, namely CVE-2025-25184, CVE-2025-27111, and CVE-2025-27610, pose significant security risks by enabling attackers to manipulate log content and entries, and potentially to gain unauthorized access to sensitive information.
Among these vulnerabilities, CVE-2025-27610 has been identified as the most severe by OPSWAT researchers Thai Do and Minh Pham. This particular vulnerability resides in the Rack::Static middleware, which is essential for serving static files and content within Ruby web applications. The researchers conducted a demonstration using a Ruby-based web application utilizing Rack version 3.1.10 to showcase the exploitability of CVE-2025-27610. They highlighted that in scenarios where the root option is not explicitly defined, an unauthenticated attacker could exploit the vulnerability to access files outside the designated static file directory. While accessing sensitive files like configuration files and credentials is possible, attackers must first determine the path to these files.
Bang Do, Senior QA Director of Product Engineering at OPSWAT, emphasized the potential impact of CVE-2025-27610, stating that exploiting the vulnerability does not require significant payload modifications for individual web applications. Attackers can gain unauthorized access to files on the web server by manipulating the URL from the client side. Depending on the contents of the accessed files, attackers could potentially infiltrate deeper into the customer’s environment and access additional critical resources.
In response to these vulnerabilities, OPSWAT has released patches to address the issues. Developers are strongly advised to update the Rack version used in their Ruby applications to the patched versions: 2.2.13 or higher, 3.0.14 or higher, or 3.1.12 or higher. Alternatively, mitigating CVE-2025-27610 can be achieved by either removing the usage of Rack::Static or ensuring that the root points to a directory containing files intended for public access only. Similarly, CVE-2025-27111 can be mitigated by discontinuing the use of the Rack::Sendfile middleware.
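The two remediation points in the paragraph above (a patched Rack release per branch, and Rack::Static only with an explicit `root:` pointing at a public-only directory) are straightforward to audit mechanically. The following is an added example, not code from the article or from the Rack project: it reads the locked `rack` version out of a Gemfile.lock, compares it against the minimum patched release of its branch, and flags `use Rack::Static` lines in a `config.ru` that omit the `root:` option. The lock-file and config text are constructed samples; the helper names are this example's own.

```ruby
# Added example (not from the article or the Rack project): audit a Ruby app's
# Gemfile.lock and rack config for the two remediation points the advisory lists.

# Minimum patched version for each maintained Rack branch, as stated in the advisory.
PATCHED_RACK = {
  "2.2" => Gem::Version.new("2.2.13"),
  "3.0" => Gem::Version.new("3.0.14"),
  "3.1" => Gem::Version.new("3.1.12"),
}.freeze

# Extract the resolved rack version from Gemfile.lock text, or nil if absent.
# Bundler writes resolved gems four spaces deep under "specs:", e.g. "    rack (3.1.10)";
# dependency lines such as "      rack (>= 3.0.0, < 4)" are deeper and do not match.
def locked_rack_version(lockfile_text)
  m = lockfile_text.match(/^ {4}rack \((\d+\.\d+\.\d+)\)\s*$/)
  m && Gem::Version.new(m[1])
end

# true when the version is at or above the patched release of its own branch.
# Branches with no fixed release listed (e.g. 2.1.x) are treated as unpatched.
def rack_patched?(version)
  branch = version.segments[0, 2].join(".")
  min = PATCHED_RACK[branch]
  !min.nil? && version >= min
end

# Return every "use Rack::Static" line in a config.ru-style source that has no
# root: option. An empty array means no finding. The advisory's mitigation is
# either to drop Rack::Static or to point root at a directory that holds only
# files meant to be public.
def static_without_root(config_source)
  config_source.lines.map(&:strip).select do |line|
    line.start_with?("use Rack::Static") && !line.match?(/\broot:/)
  end
end

if __FILE__ == $0
  # Constructed sample inputs: a lock file pinning the version the researchers
  # demonstrated against, and a config that mounts Rack::Static without root:.
  sample_lock = <<~LOCK
    GEM
      remote: https://rubygems.org/
      specs:
        rack (3.1.10)
        sinatra (4.1.1)
          rack (>= 3.0.0, < 4)
  LOCK
  sample_config = <<~CONFIG
    require "./app"
    use Rack::Static, urls: ["/assets"]
    run App
  CONFIG

  version = locked_rack_version(sample_lock)
  puts "rack #{version}: #{rack_patched?(version) ? 'patched' : 'UPDATE REQUIRED'}"
  static_without_root(sample_config).each do |line|
    puts "Rack::Static without root: -> #{line}"
  end
end
```

Run it against a real project by reading `Gemfile.lock` and `config.ru` from disk in place of the constructed strings; a finding on either check maps directly to one of the remediation steps above.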
The widespread global adoption of Rack, with over one billion downloads worldwide, underscores its crucial role within the Ruby development ecosystem. By addressing these vulnerabilities promptly and adopting the necessary security measures, developers can enhance the overall security posture of their Ruby web applications and protect them from potential exploitation by malicious actors.