CVE-2026-25500
Description
Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename starts with the `javascript:` scheme (e.g. `javascript:alert(1)`), the generated index contains an anchor whose `href` is exactly `javascript:alert(1)`. Clicking the entry executes JavaScript in the browser (demonstrated with `alert(1)`). Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.
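To make the failure mode concrete, the following added example (not Rack's own code or its patch) renders a directory index two ways from a constructed list of basenames: one placing the HTML-escaped name directly in `href`, one percent-encoding it as a single path segment and prefixing `./` so no filename can be read as a URL scheme. The `dangerous_hrefs` check is an assumed defender-side scan for non-http(s) schemes in generated listings.

```ruby
require "cgi"
require "erb"

# Constructed sample entries, not read from disk; the first mimics the
# filename pattern described for CVE-2026-25500.
SAMPLE_ENTRIES = ["javascript:alert(1)", "report.pdf", "notes & drafts.txt"].freeze

# Unsafe pattern: HTML-escaping protects the markup, but the basename still
# lands in href verbatim, so a name starting with "scheme:" becomes an
# absolute URL that the browser will follow.
def unsafe_href(basename)
  CGI.escapeHTML(basename)
end

# Hardened pattern (assumed mitigation, not Rack's actual fix): percent-encode
# the basename as one path segment (":" -> %3A, "(" -> %28, "/" -> %2F) and
# anchor it with "./" so the result can only be a relative path.
def safe_href(basename)
  "./" + ERB::Util.url_encode(basename)
end

# Build a minimal index table; href_fn selects which href strategy is used.
def render_index(entries, href_fn)
  rows = entries.map do |name|
    %(<tr><td><a href="#{href_fn.call(name)}">#{CGI.escapeHTML(name)}</a></td></tr>)
  end
  "<table>\n#{rows.join("\n")}\n</table>"
end

# RFC 3986 scheme syntax at the start of an href value.
SCHEME_RE = /\A([a-z][a-z0-9+.\-]*):/i

# Defender check: return every href in the rendered HTML whose scheme is
# anything other than http or https (relative paths have no scheme).
def dangerous_hrefs(html)
  html.scan(/href="([^"]*)"/).flatten.select do |href|
    m = SCHEME_RE.match(href)
    m && !%w[http https].include?(m[1].downcase)
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "unsafe: #{dangerous_hrefs(render_index(SAMPLE_ENTRIES, method(:unsafe_href))).inspect}"
  puts "safe:   #{dangerous_hrefs(render_index(SAMPLE_ENTRIES, method(:safe_href))).inspect}"
end
```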
Mitigations
Vendor advisory: debian — https://security-tracker.debian.org/tracker/CVE-2026-25500
Vendor advisory: suse — https://www.suse.com/security/cve/CVE-2026-25500.html
OS impact
| OS | Version | Status | Fixed in |
|---|---|---|---|
| sles | | affected | |
| debian | bookworm | fixed | 2.2.22-0+deb12u1 |
| debian | bullseye | fixed | 2.1.4-3+deb11u5 |
| debian | forky | fixed | 3.2.5-1 |
| debian | sid | fixed | 3.2.5-1 |
| debian | trixie | fixed | 3.1.20-0+deb13u1 |
References
- https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp
- https://www.suse.com/security/cve/CVE-2026-25500.html
- https://nvd.nist.gov/vuln/detail/CVE-2026-25500
- https://github.com/rack/rack/commit/f2f225f297b99fbee3d9f51255d41f601fc40aff
- https://github.com/rack/rack
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-25500.yml
- https://security-tracker.debian.org/tracker/CVE-2026-25500