Executive Summary

[{'type': 'paragraph', 'content': "CVE-2026-25500 is a cross-site scripting (XSS) vulnerability in the Rack::Directory component of the Rack Ruby webserver interface. Rack::Directory generates HTML directory listings where each file is rendered as a clickable link using an anchor tag with the file's basename directly inserted into the href attribute."}, {'type': 'paragraph', 'content': "If a file on disk has a basename starting with the javascript: URI scheme (for example, javascript:alert(1)), the generated HTML includes an anchor tag like <a href='javascript:alert(1)'>javascript:alert(1)</a>. Because the basename is inserted without validation or normalization, browsers interpret this as executable JavaScript."}, {'type': 'paragraph', 'content': 'When a user clicks such a link, arbitrary JavaScript runs in the context of the hosting application, resulting in a client-side XSS vulnerability. This allows an attacker who can create or upload files with malicious names starting with javascript: to inject executable scripts into directory listings.'}] [1]

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to the execution of arbitrary JavaScript in the browser of anyone viewing the directory listing generated by Rack::Directory. An attacker who can create or upload files with malicious names can exploit this to run scripts that may steal user data, hijack user sessions, or perform actions on behalf of the user.

The impact is considered moderate with a CVSS score of 5.4. It requires user interaction (clicking the malicious link) and low privileges to exploit, but it can compromise confidentiality and integrity of user data in the affected application context.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by checking if your Rack::Directory-generated HTML directory listings contain anchor tags with href attributes that start with the javascript: URI scheme. Such links indicate the presence of files whose basenames start with javascript:, which can lead to cross-site scripting (XSS) when clicked.'}, {'type': 'paragraph', 'content': 'To detect this on your system, you can inspect the directory listing HTML output for suspicious href values. For example, you can use command-line tools like curl or wget to fetch the directory listing and grep to search for javascript: links.'}, {'type': 'list_item', 'content': 'curl -s http://yourserver/directory/ | grep -i \'href="javascript:\''}, {'type': 'list_item', 'content': 'wget -qO- http://yourserver/directory/ | grep -i \'href="javascript:\''}, {'type': 'paragraph', 'content': "Additionally, you can scan your file system for files with basenames starting with 'javascript:' which could be exploited:"}, {'type': 'list_item', 'content': "find /path/to/served/directory -type f -name 'javascript:*'"}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include updating your Rack library to one of the patched versions: 2.2.22, 3.1.20, or 3.2.5, which fix the vulnerability by prefixing directory listing links with a relative path indicator to prevent execution of javascript: URIs.

If updating is not immediately possible, consider the following mitigations:

• Avoid exposing user-controlled directories via Rack::Directory to prevent attackers from uploading malicious filenames.
• Apply strict Content Security Policies (CSP) to limit or block client-side script execution from untrusted sources.
• Sanitize or restrict uploaded filenames to disallow dangerous URI schemes such as javascript:.

Useful 0 Not Useful 0