CVE-2026-34763

Severity: MEDIUM 5.3 (EPSS 0.04%)

Rack has a root directory disclosure via unescaped regex interpolation in Rack::Directory

Published: 4/2/2026, Modified: 5/13/2026

Description

## Summary

`Rack::Directory` interpolates the configured `root` path directly into a regular expression when deriving the displayed directory path. If `root` contains regex metacharacters such as `+`, `*`, or `.`, the prefix stripping can fail and the generated directory listing may expose the full filesystem path in the HTML output.

## Details

`Rack::Directory::DirectoryBody#each` computes the visible path using code equivalent to:

```ruby
show_path = Utils.escape_html(path.sub(/\A#{root}/, ''))
```

Here, `root` is a developer-configured filesystem path. It is normalized earlier with `File.expand_path(root)` and then inserted directly into a regular expression without escaping. Because the value is treated as regex syntax rather than as a literal string, metacharacters in the configured path can change how the prefix match behaves. When that happens, the expected root prefix is not removed from `path`, and the absolute filesystem path is rendered into the HTML directory listing.

## Impact

If `Rack::Directory` is configured to serve a directory whose absolute path contains regex metacharacters, the generated directory listing may disclose the full server filesystem path instead of only the request-relative path. This can expose internal deployment details such as directory layout, usernames, mount points, or naming conventions that would otherwise not be visible to clients.

## Mitigation

* Update to a patched version of Rack in which the root prefix is removed using an escaped regular expression.
* Avoid using `Rack::Directory` with a root path that contains regular expression metacharacters.
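The following is an added example, not Rack's own code, that reproduces the prefix-stripping logic described above and contrasts it with the escaped form the mitigation calls for. It assumes a minimal `escape_html` stand-in for `Rack::Utils.escape_html`, uses constructed sample roots and paths, and adds a regex-free `String#delete_prefix` variant as an alternative hardening (the advisory itself only names the escaped-regex fix). The `.` case is included to show that not every metacharacter produces a leak: `.` still matches a literal dot, so stripping happens to succeed there, whereas `+` and parentheses change the match and leave the absolute path in the listing.

```ruby
# Added example (not Rack's code): the vulnerable prefix stripping beside
# two hardened forms, run over constructed root paths that contain
# regex metacharacters.

# Minimal stand-in for Rack::Utils.escape_html (assumption: same five entities).
HTML_ESCAPES = { '&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
                 '"' => '&quot;', "'" => '&#39;' }.freeze

def escape_html(str)
  str.gsub(/[&<>"']/, HTML_ESCAPES)
end

# Vulnerable form: `root` is interpolated into the regex unescaped, so any
# metacharacter in the configured path is parsed as regex syntax.
def show_path_unescaped(root, path)
  root = File.expand_path(root)
  escape_html(path.sub(/\A#{root}/, ''))
end

# Hardened form (the advisory's mitigation): Regexp.escape makes `root`
# match only as a literal prefix.
def show_path_escaped(root, path)
  root = File.expand_path(root)
  escape_html(path.sub(/\A#{Regexp.escape(root)}/, ''))
end

# Regex-free alternative (added here, not from the advisory): String#delete_prefix
# compares bytes, so no metacharacter can alter the match.
def show_path_delete_prefix(root, path)
  root = File.expand_path(root)
  escape_html(path.delete_prefix(root))
end

# True when the visible path still begins with the absolute root, i.e. the
# rendered listing would reveal the server-side directory layout.
def leaks_root?(root, visible)
  visible.start_with?(File.expand_path(root))
end

# Constructed sample cases: [configured root, absolute path of a file under it].
SAMPLE_CASES = [
  ['/srv/app+data',        '/srv/app+data/public/index.html'],
  ['/srv/app (staging)',   '/srv/app (staging)/assets/logo.png'],
  ['/var/www.example.com', '/var/www.example.com/docs/readme.txt']
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLE_CASES.each do |root, path|
    unescaped = show_path_unescaped(root, path)
    puts "root=#{root}"
    puts "  unescaped: #{unescaped} (leaks root: #{leaks_root?(root, unescaped)})"
    puts "  escaped:   #{show_path_escaped(root, path)}"
    puts "  delete_prefix: #{show_path_delete_prefix(root, path)}"
  end
end
```

For `/srv/app+data` the unescaped regex becomes `\A/srv/app+data`, where `p+` means "one or more p", so the literal `+` in the path is never matched, `sub` leaves the string untouched, and the full `/srv/app+data/public/index.html` reaches the HTML. With `Regexp.escape` (or `delete_prefix`) the same input yields `/public/index.html`. A quick self-check for an existing deployment is to run the configured root through `Regexp.escape` and compare it with the original: if the two strings differ, the root contains metacharacters and an unpatched `Rack::Directory` may render the absolute path.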

Affected packages (2)

CVSS scores

| Source | Version | Severity | Vector |
| --- | --- | --- | --- |
| osv | CVSS 3.1 | MEDIUM 5.3 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |

References (5)