Rack (Rack::Directory) – Directory Traversal (Root Prefix Bypass)
CVE ID: CVE-2026-22860
Component: Rack (Rack::Directory)
Vulnerability Type: Directory Traversal / Information Disclosure
CWE Mapping: CWE-22 (Path Traversal), CWE-548 (Information Exposure via Directory Listing)
CVSS v3.1 Base Score: 7.5 (High)
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
Exploitability: Practical and easy to reproduce
Public Exploit: No widespread exploit kit observed, but manual exploitation is straightforward
Overview
A directory traversal issue was identified in the Rack::Directory middleware. The vulnerability was caused by improper validation of file system paths when serving directory listings. A flawed prefix-based path check allowed certain paths outside the configured root directory to pass validation if they shared the same leading characters.
The issue did not allow direct remote code execution. However, sensitive directories adjacent to the intended web root could have been exposed if their names shared a common prefix.
This vulnerability primarily resulted in unintended disclosure of directory contents and file names. In some environments, depending on file permissions and application behavior, file content exposure could also occur.
Technical Root Cause
The issue stemmed from how path validation was implemented.
The middleware performed a check similar to:
expanded_path.start_with?(root)
This approach assumed that if a path started with the root string, it was safe. However, this logic failed when sibling directories shared the same prefix.
Example Scenario
Configured root:
/var/www/root
Existing directory:
/var/www/root_backup
A crafted request:
GET /../root_backup/
After path expansion, the resolved path:
/var/www/root_backup
Because /var/www/root_backup starts with /var/www/root, the validation passed incorrectly.
Proper boundary validation was missing. The fix introduced stricter checks to ensure that the expanded path either:
- Exactly matched the root, or
- Started with the root followed by a path separator
This prevented prefix-based bypass.
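The flawed prefix check and the boundary-aware replacement described above, side by side, as an added example that is not Rack's own code. The root, the request paths and the function names are constructed for illustration; the percent-decoding helper mimics the unescaping step Rack applies to PATH_INFO before joining it to the root.

```ruby
# Added example, not code from Rack itself. Root and request paths are
# constructed sample values; function names are hypothetical.

# Single-pass percent-decoding of a request path (Rack::Directory unescapes
# PATH_INFO before joining it to the root; this mimics that step).
def percent_decode(path)
  path.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Join the request path to the root and collapse "." / ".." segments.
# File.expand_path also drops a trailing slash, so "/../root_backup/"
# resolves to "/var/www/root_backup".
def resolve(root, path_info)
  File.expand_path(File.join(root, percent_decode(path_info)))
end

# Vulnerable variant: a bare prefix test, as in the advisory's
# `expanded_path.start_with?(root)`. Any sibling whose name begins with
# the root's last component (root_backup, root.old, ...) passes.
def inside_root_prefix_only?(root, path_info)
  resolve(root, path_info).start_with?(root)
end

# Hardened variant: the resolved path must be the root itself or lie
# strictly below it (root followed by a path separator).
def inside_root_strict?(root, path_info)
  root = File.expand_path(root)
  resolved = resolve(root, path_info)
  resolved == root || resolved.start_with?(root + File::SEPARATOR)
end

if __FILE__ == $PROGRAM_NAME
  root = "/var/www/root"
  ["/", "/index.html", "/../root_backup/", "/%2e%2e/root_backup/",
   "/..%2Froot_backup%2F", "/../../etc/passwd"].each do |req|
    printf("%-24s -> %-24s prefix=%-5s strict=%s\n", req, resolve(root, req),
           inside_root_prefix_only?(root, req), inside_root_strict?(root, req))
  end
end
```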
Affected Versions
The vulnerability affected:
- Versions prior to 2.2.22
- Versions ≥ 3.0.0.beta1 and < 3.1.20
- Versions ≥ 3.2.0 and < 3.2.5
Patched Versions
The issue was resolved in:
- 2.2.22
- 3.1.20
- 3.2.5
Official Patch / Upgrade Link
https://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7
Upgrading the rack gem to one of the patched versions fully mitigates the vulnerability.
Exploitation Details
The vulnerability could be exploited remotely without authentication. Only an HTTP request was required.
Conditions Required
- Rack::Directory middleware exposed to untrusted users
- A sibling directory sharing the same prefix as the configured root
- Read permissions granted to the Rack process
Proof of Concept (Educational)
Basic traversal attempt:
GET /../root_backup/ HTTP/1.1
Host: vulnerable.host
URL-encoded variants:
GET /%2e%2e/root_backup/
GET /..%2Froot_backup%2F
GET /%2e%2e%2Froot_backup%2F
Indicators of successful exploitation:
- HTTP 200 response
- HTML directory listing
- Display of unexpected file names
- Exposure of configuration files or backups
No automated exploit framework is required. Manual testing with curl or a browser is sufficient.
Attack Impact
If successfully exploited, the following may occur:
- Disclosure of directory structures
- Exposure of backup folders
- Leakage of configuration files
- Disclosure of private keys (if improperly stored)
- Credential exposure
- Source code exposure
The vulnerability does not modify files and does not execute code directly. The risk lies in information disclosure that may enable further compromise.
Detection and Monitoring
Log Sources to Monitor
- Web server access logs (Apache, Nginx)
- Reverse proxy logs
- Application request logs
- WAF logs
- IDS/IPS alerts
- SIEM aggregated logs
Indicators of Compromise
- Requests containing ../
- URL-encoded traversal patterns (%2e%2e)
- Requests targeting non-public directories
- Directory listing responses where none should exist
- Unexpected HTTP 200 responses for traversal paths
Detection Rules
Suricata Rule – Basic Traversal
alert http any any -> any any (
msg:"Possible Rack Directory Traversal Attempt";
flow:established,to_server;
http.uri;
content:"../";
nocase;
classtype:web-application-attack;
sid:900001;
rev:1;
)
Suricata Rule – Encoded Traversal
alert http any any -> any any (
msg:"Encoded Directory Traversal Attempt";
flow:established,to_server;
http.uri.raw;
pcre:"/(\.\.|%2e%2e)(\/|%2f)/i";
classtype:web-application-attack;
sid:900002;
rev:1;
)
Snort Rule
alert tcp any any -> any 80 (
msg:"HTTP Directory Traversal Attempt";
flow:to_server,established;
content:"../";
http_uri;
nocase;
sid:900003;
rev:1;
)
Splunk Query
index=web sourcetype=access_combined
(uri_path="*/../*" OR uri_path="*/%2e%2e/*")
| stats count by src_ip, uri_path, status
| where count > 5
Elastic (KQL)
http.request.method: "GET" AND
(http.request.uri: "*../*" OR http.request.uri: "*%2e%2e*")
Generic WAF Pattern
Block requests matching:
(\.\.|%2e%2e)(\/|%2f)
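The generic WAF pattern above applied to access-log lines, with the "unexpected HTTP 200 for a traversal path" indicator folded in, as an added example that is not part of the advisory. The log lines, IP addresses and function names are constructed for illustration; the output is grouped per source IP in the same spirit as the Splunk query.

```ruby
# Added example, not part of the advisory. Log lines and IPs are constructed
# sample values; function names are hypothetical.

# The advisory's generic traversal pattern (plain or percent-encoded dots,
# followed by a plain or percent-encoded slash).
TRAVERSAL = /(\.\.|%2e%2e)(\/|%2f)/i

# Combined log format: ip ident user [timestamp] "METHOD uri proto" status bytes
LOG_LINE = /\A(?<ip>\S+) \S+ \S+ \[[^\]]+\] "(?<method>[A-Z]+) (?<uri>\S+) [^"]*" (?<status>\d{3})/

def parse_line(line)
  m = LOG_LINE.match(line)
  return nil unless m
  { ip: m[:ip], method: m[:method], uri: m[:uri], status: m[:status].to_i }
end

# Group traversal attempts by source IP; record separately the URIs that were
# answered with 200, which is the indicator of a listing actually being served.
def scan(lines)
  hits = Hash.new { |h, k| h[k] = { attempts: 0, served: [] } }
  lines.each do |line|
    rec = parse_line(line)
    next unless rec && TRAVERSAL.match?(rec[:uri])
    hits[rec[:ip]][:attempts] += 1
    hits[rec[:ip]][:served] << rec[:uri] if rec[:status] == 200
  end
  hits
end

# Constructed sample log: three traversal probes from one client (two served
# with 200), and benign traffic from another (note "app..js" does not match).
SAMPLE_LOG = <<~LOG
  203.0.113.7 - - [10/Oct/2025:13:55:36 +0000] "GET /../root_backup/ HTTP/1.1" 200 512
  203.0.113.7 - - [10/Oct/2025:13:55:37 +0000] "GET /%2e%2e/root_backup/ HTTP/1.1" 200 512
  203.0.113.7 - - [10/Oct/2025:13:55:38 +0000] "GET /..%2Froot_backup%2F HTTP/1.1" 404 153
  198.51.100.9 - - [10/Oct/2025:13:56:01 +0000] "GET /index.html HTTP/1.1" 200 2048
  198.51.100.9 - - [10/Oct/2025:13:56:02 +0000] "GET /assets/app..js HTTP/1.1" 200 100
LOG

if __FILE__ == $PROGRAM_NAME
  scan(SAMPLE_LOG.lines).each do |ip, info|
    puts "#{ip}: #{info[:attempts]} traversal attempt(s), served with 200: #{info[:served].inspect}"
  end
end
```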
Incident Response Guidance
- Identify affected Rack versions in deployed environments.
- Search historical logs for traversal indicators.
- Confirm whether directory listing responses were returned.
- Determine whether sensitive files were accessed.
- Immediately upgrade to patched versions.
- Rotate credentials if sensitive files may have been exposed.
- Restrict file system permissions for application processes.
- Remove public exposure of Rack::Directory if not required.
Mitigation and Hardening
- Upgrade Rack immediately.
- Disable Rack::Directory if not required.
- Avoid predictable directory naming patterns.
- Enforce least privilege file permissions.
- Implement strict WAF filtering.
- Monitor directory listing responses.
Risk Assessment
This vulnerability carries a High severity rating because:
- It is remotely exploitable.
- No authentication is required.
- Exploitation complexity is low.
- Sensitive information may be exposed.
- It can serve as a stepping stone for deeper attacks.
While it does not directly allow code execution, the exposure of configuration files or secrets could escalate impact significantly.
Final Recommendation
All environments running vulnerable versions of Rack should be upgraded immediately to:
- 2.2.22
- 3.1.20
- 3.2.5
Official patch commit:
https://github.com/rack/rack/commit/75c5745c286637a8f049a33790c71237762069e7
Security validation testing should be performed after patching by replaying traversal payloads to ensure proper enforcement.
