Fluid Attacks Database

Description

Rack::Static prefix matching can expose unintended files under the static root

Summary

Rack::Static determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as "/css", it matches any request path that begins with that string, including unrelated paths such as "/css-config.env" or "/css-backup.sql".

As a result, files under the static root whose names merely share the configured prefix may be served unintentionally, leading to information disclosure.

Details

Rack::Static#route_file performs static-route matching using logic equivalent to:

@urls.any? { |url| path.index(url) == 0 }

This checks only whether the request path starts with the configured prefix string. It does not require a path segment boundary after the prefix.

For example, with:

use Rack::Static, urls: ["/css", "/js"], root: "public"

the following path is matched as intended:

/css/style.css

but these paths are also matched:

/css-config.env
/css-backup.sql
/csssecrets.yml

If such files exist under the configured static root, Rack forwards the request to the file server and serves them as static content.

This means a configuration intended to expose only directory trees such as /css/... and /js/... may also expose sibling files whose names begin with those same strings.

Impact

An attacker can request files under the configured static root whose names share a configured URL prefix and obtain their contents.

In affected deployments, this may expose configuration files, secrets, backups, environment files, or other unintended static content located under the same root directory.

Mitigation

Update to a patched version of Rack that enforces a path boundary when matching configured static URL prefixes.

Match only paths that are either exactly equal to the configured prefix or begin with prefix + "/".

Avoid placing sensitive files under the Rack::Static root directory.

Prefer static URL mappings that cannot overlap with sensitive filenames.

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 12	ruby-rack	=2.2.13-1~deb12u1 \|\| =2.2.20-0+deb12u1 \|\| =2.2.22-0+deb12u1 \|\| =2.2.6.4-1 \|\| =2.2.6.4-1+deb12u1 \|\| =2.2.7-1 \|\| =2.2.7-1.1 \|\| =3.0.0-1 \|\| =3.0.8-1 \|\| =3.0.8-2 \|\| =3.0.8-3 \|\| =3.0.8-4 \|\| =3.1.12-1 \|\| =3.1.12-2~exp1 \|\| =3.1.16-0.1 \|\| =3.1.18-1 \|\| =3.1.18-1~deb13u1 \|\| =3.1.9-1~exp1 \|\| =3.1.9-2 \|\| =3.2.4-1 \|\| =3.2.5-1 \|\| =3.2.5-2 \|\| =3.2.6-1 \|\| =3.2.6-2	-
debian 13	ruby-rack	=3.1.16-0.1 \|\| =3.1.18-1 \|\| =3.1.18-1~deb13u1 \|\| =3.1.20-0+deb13u1 \|\| =3.2.4-1 \|\| =3.2.5-1 \|\| =3.2.5-2 \|\| =3.2.6-1 \|\| =3.2.6-2	-
debian 14	ruby-rack	=3.1.16-0.1 \|\| =3.1.18-1 \|\| =3.1.18-1~deb13u1 \|\| =3.2.4-1 \|\| =3.2.5-1 \|\| =3.2.5-2 \|\| =3.2.6-1 \|\| >=0 <3.2.6-2	3.2.6-2
rubygems	rack	>=0 <2.2.23 \|\| >=3.0.0.beta1 <3.1.21 \|\| >=3.2.0 <3.2.6	2.2.23, 3.1.21, 3.2.6
debian 11	ruby-rack	=2.1.4-3 \|\| =2.1.4-3+deb11u1 \|\| =2.1.4-3+deb11u2 \|\| =2.1.4-3+deb11u3 \|\| =2.1.4-3+deb11u4 \|\| =2.1.4-3+deb11u5 \|\| =2.1.4-4 \|\| =2.1.4-5 \|\| =2.2.13-1~deb12u1 \|\| =2.2.3-1 \|\| =2.2.3-2 \|\| =2.2.3-3 \|\| =2.2.3-4 \|\| =2.2.4-1 \|\| =2.2.4-2 \|\| =2.2.4-3 \|\| =2.2.6.4-1 \|\| =2.2.7-1 \|\| =2.2.7-1.1 \|\| =3.0.0-1 \|\| =3.0.8-1 \|\| =3.0.8-2 \|\| =3.0.8-3 \|\| =3.0.8-4 \|\| =3.1.12-1 \|\| =3.1.12-2~exp1 \|\| =3.1.16-0.1 \|\| =3.1.18-1 \|\| =3.1.18-1~deb13u1 \|\| =3.1.9-1~exp1 \|\| =3.1.9-2 \|\| =3.2.4-1 \|\| =3.2.5-1 \|\| =3.2.5-2 \|\| =3.2.6-1 \|\| =3.2.6-2	-

Aliases

1. CVE-2026-347852. NVD-2026-347853. OSV-DEBIAN-2026-347854. OSV-2026-347855. GHSA-h2jq-g4cq-5ppq6. GCVE-2026-347857. SECURITY-TRACKER-CVE-2026-34785

References

1. https://github.com/rack/rack/security/advisories/GHSA-h2jq-g4cq-5ppq2. https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-34785.yml

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.