Fluid Attacks Database

Description

Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, Rack::Directory generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename starts with the javascript: scheme (e.g. javascript:alert(1)), the generated index contains an anchor whose href is exactly javascript:alert(1). Clicking the entry executes JavaScript in the browser (demonstrated with alert(1)). Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
debian 11	ruby-rack	=2.1.4-3 \|\| =2.1.4-3+deb11u1 \|\| =2.1.4-3+deb11u2 \|\| =2.1.4-3+deb11u3 \|\| =2.1.4-3+deb11u4 \|\| >=0 <2.1.4-3+deb11u5	2.1.4-3+deb11u5
debian 12	ruby-rack	=2.2.13-1~deb12u1 \|\| =2.2.20-0+deb12u1 \|\| =2.2.6.4-1 \|\| =2.2.6.4-1+deb12u1 \|\| =2.2.7-1 \|\| =2.2.7-1.1 \|\| >=0 <2.2.22-0+deb12u1	2.2.22-0+deb12u1
debian 14	ruby-rack	=3.1.16-0.1 \|\| =3.1.18-1 \|\| =3.1.18-1~deb13u1 \|\| =3.2.4-1 \|\| >=0 <3.2.5-1	3.2.5-1
debian 13	ruby-rack	=3.1.16-0.1 \|\| =3.1.18-1 \|\| =3.1.18-1~deb13u1 \|\| >=0 <3.1.20-0+deb13u1	3.1.20-0+deb13u1
rubygems	rack	>=0 <2.2.22 \|\| >=3.0.0.beta1 <3.1.20 \|\| >=3.2.0 <3.2.5	2.2.22, 3.1.20, 3.2.5
rpm rhel10	pcs	-	-
rpm rhel7	pcs	-	-
rpm rhel8	pcs	-	-
rpm rhel9	pcs	-	-
rpm rhel9	ruby-30	-	-

1-10 of 11

Aliases

1. CVE-2026-255002. NVD-2026-255003. OSV-DEBIAN-2026-255004. OSV-2026-255005. GHSA-whrj-4476-wvmp6. GCVE-2026-255007. SECURITY-TRACKER-CVE-2026-25500

References

1. https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp2. https://github.com/rack/rack/commit/f2f225f297b99fbee3d9f51255d41f601fc40aff3. https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-25500.yml