Executive Summary

CVE-2026-34763 is a moderate severity vulnerability in the Ruby Rack library's Rack::Directory component affecting versions prior to 2.2.23, 3.1.21, and 3.2.6.

The vulnerability occurs because the configured root directory path is directly interpolated into a regular expression without escaping regex metacharacters like +, *, or . This causes the prefix stripping process to fail when generating directory listings.

As a result, the full absolute filesystem path is exposed in the HTML directory listing output instead of the intended relative path.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to disclosure of the full server filesystem path, revealing sensitive internal deployment details such as directory structure, usernames, mount points, and naming conventions.

Such information leakage can aid attackers in conducting further reconnaissance or launching targeted attacks against the system.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking if your Rack::Directory component is exposing full filesystem paths in the HTML directory listings. Specifically, if the configured root path contains regex metacharacters such as +, *, or ., the directory listing may leak the absolute filesystem path.

To detect this on your system, you can perform HTTP requests to endpoints served by Rack::Directory and inspect the HTML output for full filesystem paths.

Example command using curl to fetch a directory listing and grep for filesystem paths:

• curl -s http://yourserver/directory/ | grep -E '/[a-zA-Z0-9_/\.-]+'

Additionally, you can check the version of the Rack library installed to see if it is prior to the patched versions (2.2.23, 3.1.21, 3.2.6):

• ruby -e "require 'rack'; puts Rack.release"

If the version is vulnerable, and the root path contains regex metacharacters, the vulnerability is likely present.

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation steps are to upgrade the Rack library to one of the patched versions: 2.2.23, 3.1.21, or 3.2.6 or later.

Additionally, avoid configuring Rack::Directory with root paths that contain regex metacharacters such as +, *, or . to prevent the regex prefix stripping failure.

These steps will prevent the exposure of full filesystem paths in directory listings and eliminate the information disclosure risk.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability causes disclosure of the full server filesystem path in HTML directory listings, which can reveal sensitive internal deployment details such as directory structure, usernames, mount points, and naming conventions.

Such information leakage may increase the risk of targeted attacks or further reconnaissance by malicious actors, potentially impacting the confidentiality of data.

While the vulnerability itself does not directly compromise data integrity or availability, the exposure of sensitive internal information could indirectly affect compliance with standards like GDPR or HIPAA, which require protection of sensitive information and minimization of data exposure risks.

Useful 0 Not Useful 0