
Debian DLA-4505-1 ruby-rack Critical Directory Listing XSS

Debian LTS
March 23, 2026
Distribution: Debian
Two vulnerabilities in ruby-rack could lead to directory listing and stored XSS attacks. Upgrade packages to mitigate risks.
Two vulnerabilities were discovered in ruby-rack, a modular Ruby webserver interface.

Summary

CVE-2026-22860

Rack::Directory's path check used a string prefix match on the
expanded path. A request like /../root_example/ could escape the
configured root if the target path started with the root string,
allowing directory listing outside the intended root.

CVE-2026-25500

Rack::Directory generated an HTML directory index where each file
entry was rendered as a clickable link. If a file existed on disk
whose basename started with the javascript: scheme, the generated
index contained an anchor whose href executed JavaScript in the
browser, resulting in a stored XSS vulnerability.
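As an added illustration (not code from ruby-rack or from the advisory), the prefix-match root check described for CVE-2026-22860 beside a strict root check, and a scheme guard plus percent-encoding for index links as a mitigation for the CVE-2026-25500 pattern; the function names and the /srv/root paths are assumptions.

```ruby
# Added example; not ruby-rack's code. Paths such as /srv/root are
# constructed for illustration and never need to exist on disk.
require "erb"

# Resolve a request path against the configured root the way a static
# file handler would, collapsing "..": "/../root_example/" becomes
# "/srv/root_example" for a root of "/srv/root".
def resolve(root, request_path)
  File.expand_path(File.join(root, request_path))
end

# Vulnerable pattern: plain string prefix match on the expanded path.
# "/srv/root_example" starts with "/srv/root", so it wrongly passes.
def prefix_match_under_root?(root, path)
  File.expand_path(path).start_with?(File.expand_path(root))
end

# Hardened check: the expanded path must equal the root or begin with
# the root followed by a path separator, so a sibling directory that
# merely shares the root's name as a prefix is rejected.
def strict_under_root?(root, path)
  root = File.expand_path(root)
  path = File.expand_path(path)
  path == root || path.start_with?(root + File::SEPARATOR)
end

# A directory entry whose basename starts with a URI scheme (RFC 3986
# scheme grammar) must not be emitted verbatim as an href.
def safe_entry_href?(basename)
  !basename.match?(/\A[a-z][a-z0-9+.\-]*:/i)
end

# Build a relative href for an index entry. Percent-encoding the name
# turns "javascript:alert(1)" into "./javascript%3Aalert%281%29", which
# the browser treats as a relative path, not a javascript: URL.
def href_for(basename)
  "./" + ERB::Util.url_encode(basename)
end

if $PROGRAM_NAME == __FILE__
  escaped = resolve("/srv/root", "/../root_example/")
  puts "prefix match allows #{escaped}: #{prefix_match_under_root?("/srv/root", escaped)}"
  puts "strict check allows #{escaped}: #{strict_under_root?("/srv/root", escaped)}"
  puts "href for javascript:alert(1) -> #{href_for("javascript:alert(1)")}"
end
```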

For Debian 11 bullseye, these problems have been fixed in version
2.1.4-3+deb11u5.

We recommend that you upgrade your ruby-rack packages.

For the detailed security status of ruby-rack please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/source-package/ruby-rack

Further information about Debian LTS security advisories, how to apply

Severity: Critical

Package: ruby-rack
Version: 2.1.4-3+deb11u5
CVE ID: CVE-2026-22860 CVE-2026-25500
Debian Bug: 1128479 1128480
