pkg:RubyGems/rack

50 total CVEs: 1 CRITICAL, 23 HIGH, 19 MEDIUM (7 entries without a score)


All known vulnerabilities

  • CRITICAL 10.0 | CVE-2022-30123 | Possible shell escape sequence injection vulnerability in Rack
    affected versions: from 0, < 2.0.9.1
  • HIGH 8.6 | CVE-2020-8161 | ruby-rack - security update
    affected versions: from 0, < 2.1.3
  • HIGH 7.5 | CVE-2026-34829 | Rack's multipart parsing without Content-Length header allows unbounded chunked file uploads
    affected versions: from 0, < 2.2.23
  • HIGH 7.5 | CVE-2026-34230 | Rack has quadratic complexity in Rack::Utils.select_best_encoding via wildcard Accept-Encoding header
    affected versions: from 0, < 2.2.23
  • HIGH 7.5 | CVE-2026-34827 | Rack's multipart header parsing allows Denial of Service via escape-heavy quoted parameters
    affected versions: >= 3.0.0.beta1, < 3.1.21
  • HIGH 7.5 | CVE-2026-34785 | Rack::Static prefix matching can expose unintended files under the static root
    affected versions: from 0, < 2.2.23
  • HIGH 7.5 | CVE-2026-22860 | ruby-rack - security update
    affected versions: from 0, < 2.2.22
  • HIGH 7.5 | CVE-2025-61919 | Rack is vulnerable to a memory-exhaustion DoS through unbounded URL-encoded body parsing
    affected versions: from 0, < 2.2.20
  • HIGH 7.5 | CVE-2025-61772 | Rack's multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion)
    affected versions: from 0, < 2.2.19
  • HIGH 7.5 | CVE-2025-61771 | Rack: Multipart parser buffers large non-file fields entirely in memory, enabling DoS (memory exhaustion)
    affected versions: from 0, < 2.2.19
  • HIGH 7.5 | CVE-2025-61770 | Rack's unbounded multipart preamble buffering enables DoS (memory exhaustion)
    affected versions: from 0, < 2.2.19
  • HIGH 7.5 | CVE-2025-59830 | Rack has an unsafe default in Rack::QueryParser that allows params_limit bypass via semicolon-separated parameters
    affected versions: from 0, < 2.2.18
  • HIGH 7.5 | CVE-2025-46727 | Rack has an Unbounded-Parameter DoS in Rack::QueryParser
    affected versions: from 0, < 2.2.14
  • HIGH 7.5 | CVE-2025-27610 | Local File Inclusion in Rack::Static
    affected versions: from 0, < 2.2.13
  • HIGH 7.5 | CVE-2025-27111 | Escape Sequence Injection vulnerability in Rack leads to Possible Log Injection
    affected versions: from 0, < 2.2.12
  • HIGH 7.5 | CVE-2024-26141 | Rack has possible DoS Vulnerability with Range Header
    affected versions: >= 3.0.0, < 3.0.9.1
  • HIGH 7.5 | CVE-2024-26146 | Rack Header Parsing leads to Possible Denial of Service Vulnerability
    affected versions: >= 3.0.0, < 3.0.9.1
  • HIGH 7.5 | CVE-2023-27530 | ruby-rack - security update
    affected versions: from 0, < 2.0.9.3
  • HIGH 7.5 | CVE-2022-44571 | Denial of Service Vulnerability in Rack Content-Disposition parsing
    affected versions: >= 2.0.0, < 2.0.9.2
  • HIGH 7.5 | CVE-2022-44570 | Denial of service via header parsing in Rack
    affected versions: >= 1.5.0, < 2.0.9.2
  • HIGH 7.5 | CVE-2022-44572 | Denial of service via multipart parsing in Rack
    affected versions: >= 2.0.0, < 2.0.9.2
  • HIGH 7.5 | CVE-2022-30122 | ruby-rack - security update
    affected versions: >= 1.2, < 2.0.9.1
  • HIGH 7.5 | CVE-2020-8184 | Rack allows Percent-encoded cookies to overwrite existing prefixed cookie names
    affected versions: from 0, < 2.1.4
  • HIGH 7.5 | CVE-2018-16470 | Rack vulnerable to Denial of Service
    affected versions: >= 2.0.4, < 2.0.6
  • MEDIUM 6.5 | CVE-2025-25184 | ruby-rack - security update
    affected versions: from 0, < 2.2.11
  • MEDIUM 6.5 | CVE-2024-39316 | Rack ReDoS Vulnerability in HTTP Accept Headers Parsing
    affected versions: >= 3.1.0, < 3.1.5
  • MEDIUM 6.3 | CVE-2019-16782 | Possible Information Leak / Session Hijack Vulnerability in Rack
    affected versions: from 0, < 1.6.12
  • MEDIUM 6.1 | CVE-2018-16471 | ruby-rack - security update
    affected versions: >= 2.0.0, < 2.0.6
  • MEDIUM 5.9 | CVE-2026-34830 | Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect
    affected versions: from 0, < 2.2.23
  • MEDIUM 5.8 | CVE-2025-61780 | Rack has a Possible Information Disclosure Vulnerability
    affected versions: from 0, < 2.2.20
  • MEDIUM 5.4 | CVE-2026-25500 | Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href
    affected versions: from 0, < 2.2.22
  • MEDIUM 5.3 | CVE-2026-34763 | Rack has a root directory disclosure via unescaped regex interpolation in Rack::Directory
    affected versions: from 0, < 2.2.23
  • MEDIUM 5.3 | CVE-2026-26961 | Rack's greedy multipart boundary parsing can cause parser differentials and WAF bypass
    affected versions: from 0, < 2.2.23
  • MEDIUM 5.3 | CVE-2026-34826 | Rack's multipart byte range processing allows denial of service via excessive overlapping ranges
    affected versions: from 0, < 2.2.23
  • MEDIUM 5.3 | CVE-2026-34786 | Rack::Static header_rules bypass via URL-encoded paths
    affected versions: from 0, < 2.2.23
  • MEDIUM 5.3 | CVE-2025-49007 | ReDoS Vulnerability in Rack::Multipart handle_mime_head
    affected versions: >= 3.1.0, < 3.1.16
  • MEDIUM 5.3 | CVE-2024-25126 | ruby-rack - security update
    affected versions: >= 3.0.0, < 3.0.9.1
  • MEDIUM 5.3 | CVE-2023-27539 | Possible Denial of Service Vulnerability in Rack's header parsing
    affected versions: >= 2.0.0, < 2.2.6.4
  • MEDIUM 4.8 | CVE-2026-34835 | Rack::Request accepts invalid Host characters, enabling host allowlist bypass
    affected versions: >= 3.0.0.beta1, < 3.1.21
  • MEDIUM 4.8 | CVE-2026-34831 | Rack has Content-Length mismatch in Rack::Files error responses
    affected versions: from 0, < 2.2.23
  • MEDIUM 4.8 | CVE-2026-32762 | Rack: Forwarded Header semicolon injection enables Host and Scheme spoofing
    affected versions: >= 3.0.0.beta1, < 3.1.21
  • MEDIUM 4.8 | CVE-2026-26962 | Rack's improper unfolding of folded multipart headers preserves CRLF in parsed parameter values
    affected versions: >= 3.2.0, < 3.2.6
  • MEDIUM 4.2 | CVE-2025-32441 | Rack session gets restored after deletion
    affected versions: from 0, < 2.2.14
  • (no score) | CVE-2011-5036 | librack-ruby - several
    affected versions: from 0, < 1.1.3
  • (no score) | CVE-2013-0263 | Rack arbitrary code execution via timing attack
    affected versions: >= 1.5.0, < 1.5.2
  • (no score) | CVE-2013-0184 | Rack vulnerable to Denial of Service
    affected versions: >= 1.1.0, < 1.1.5
  • (no score) | CVE-2012-6109 | Rack vulnerable to ReDoS
    affected versions: from 0, < 1.1.4
  • (no score) | CVE-2013-0262 | Rack Vulnerable to Path Traversal
    affected versions: >= 1.5.0, < 1.5.2
  • (no score) | CVE-2013-0183 | Rack rubygems receiving excessively long lines triggers out-of-memory error
    affected versions: >= 1.3.0, < 1.3.8
  • (no score) | CVE-2015-3225 | ruby-rack - security update
    affected versions: >= 1.5.0, < 1.5.4