CVE-2026-34763
Information Disclosure via Regex Path Handling in Rack::Directory
Publication date: 2026-04-02
Last updated on: 2026-04-16
Assigner: GitHub, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| rack | rack | From 3.0.0 (inc) to 3.1.21 (exc) |
| rack | rack | From 3.2.0 (inc) to 3.2.6 (exc) |
| rack | rack | Up to 2.2.23 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-625 | The product uses a regular expression that does not sufficiently restrict the set of allowed values. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-34763 is a moderate severity vulnerability in the Ruby Rack library's Rack::Directory component affecting versions prior to 2.2.23, 3.1.21, and 3.2.6.
The vulnerability occurs because the configured root directory path is interpolated directly into a regular expression without escaping regex metacharacters such as `+`, `*` or `.`. Because the resulting pattern no longer matches the literal root path, the step that strips the root prefix from each entry's path fails when a directory listing is generated.
As a result, the full absolute filesystem path is exposed in the HTML directory listing output instead of the intended relative path.
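As an added illustration that is not Rack's own code, the Ruby below reconstructs the bug class described above: a root path interpolated unescaped into a prefix-stripping regex, next to the hardened form that uses `Regexp.escape`. The function names and the sample root `/srv/app+assets/public` are constructed for this example.

```ruby
# Illustrative reconstruction of the CVE-2026-34763 bug class (not Rack's
# own code): a configured root directory is interpolated into a regular
# expression that is meant to strip the root prefix from an absolute
# filesystem path before the path is rendered in a directory listing.

# Vulnerable: the root goes into the pattern as-is, so a metacharacter such
# as "+" changes the pattern's meaning ("p+" = one or more "p") and the
# prefix no longer matches; sub() returns the absolute path unchanged.
def strip_root_unescaped(root, absolute)
  absolute.sub(/\A#{root}/, '')
end

# Hardened: Regexp.escape turns every metacharacter into a literal, so the
# pattern matches exactly the configured root and the prefix is removed.
def strip_root_escaped(root, absolute)
  absolute.sub(/\A#{Regexp.escape(root)}/, '')
end

# Defensive check for a test suite: a rendered listing entry must never
# start with the configured root, otherwise the absolute path has leaked.
def leaks_absolute_path?(root, entry)
  entry.start_with?(root)
end

# Constructed sample values (hypothetical, not taken from the advisory).
ROOT = '/srv/app+assets/public'
ABSOLUTE = '/srv/app+assets/public/css/site.css'

if __FILE__ == $PROGRAM_NAME
  [[:unescaped, strip_root_unescaped(ROOT, ABSOLUTE)],
   [:escaped,   strip_root_escaped(ROOT, ABSOLUTE)]].each do |name, shown|
    puts "#{name}: #{shown} (leak: #{leaks_absolute_path?(ROOT, shown)})"
  end
end
```

A root containing `.` behaves differently: the unescaped pattern still matches (too broadly), so the leak shows up mainly with `+`, `*` and similar quantifiers.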
How can this vulnerability impact me?
This vulnerability can lead to disclosure of the full server filesystem path, revealing sensitive internal deployment details such as directory structure, usernames, mount points, and naming conventions.
Such information leakage can aid attackers in conducting further reconnaissance or launching targeted attacks against the system.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking whether your Rack::Directory component exposes full filesystem paths in its HTML directory listings. Specifically, if the configured root path contains regex metacharacters such as `+`, `*` or `.`, the directory listing may leak the absolute filesystem path.
To detect this on your system, you can perform HTTP requests to endpoints served by Rack::Directory and inspect the HTML output for full filesystem paths.
Example command using curl to fetch a directory listing and grep for path-like strings (the pattern matches any slash-delimited path, so look in the output for entries that begin with the absolute path of your configured root):
- curl -s http://yourserver/directory/ | grep -E '/[a-zA-Z0-9_/\.-]+'
Additionally, you can check the version of the Rack library installed to see if it is prior to the patched versions (2.2.23, 3.1.21, 3.2.6):
- ruby -e "require 'rack'; puts Rack.release"
If the version is vulnerable, and the root path contains regex metacharacters, the vulnerability is likely present.
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the Rack library to one of the patched versions: 2.2.23, 3.1.21 or 3.2.6, or a later release.
Additionally, avoid configuring Rack::Directory with root paths that contain regex metacharacters such as `+`, `*` or `.`, so that the regex prefix stripping cannot fail.
These steps will prevent the exposure of full filesystem paths in directory listings and eliminate the information disclosure risk.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability causes disclosure of the full server filesystem path in HTML directory listings, which can reveal sensitive internal deployment details such as directory structure, usernames, mount points, and naming conventions.
Such information leakage may increase the risk of targeted attacks or further reconnaissance by malicious actors, potentially impacting the confidentiality of data.
While the vulnerability itself does not directly compromise data integrity or availability, the exposure of sensitive internal information could indirectly affect compliance with standards such as GDPR or HIPAA, which require protection of sensitive information and minimization of data exposure risks.