25 matches found
The vulnerability of the modular interface of the Ruby-based Rack web server allows a perpetrator to gain unauthorized access to protected information.
The vulnerability of the Ruby-based Rack web server’s modular interface is related to partial comparison. Exploiting this vulnerability can allow an attacker, operating remotely, to gain unauthorized access to protected information...
The vulnerability of the modular interface of the Ruby-based Rack web server allows a hacker to trigger a service failure.
The vulnerability of the modular interface of the Ruby-based Rack web server is related to uncontrolled resource consumption. Exploiting this vulnerability can allow a malicious actor to cause service failures...
UBUNTU-CVE-2026-26962
Rack is a modular Ruby web server interface. From version 3.2.0 to before version 3.2.6, Rack::Multipart::Parser unfolds folded multipart part headers incorrectly. When a multipart header contains an obs-fold sequence, Rack preserves the embedded CRLF in parsed parameter values such as filename o...
CVE-2026-34230
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.selectbestencoding processes Accept-Encoding values with quadratic time complexity when the header contains many wildcard entries. Because this method is used by Rack::Deflater to choose a respon...
CVE-2026-26962 Rack: Header injection in multipart requests
Rack is a modular Ruby web server interface. From version 3.2.0 to before version 3.2.6, Rack::Multipart::Parser unfolds folded multipart part headers incorrectly. When a multipart header contains an obs-fold sequence, Rack preserves the embedded CRLF in parsed parameter values such as filename o...
CVE-2026-34829
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser only wraps the request body in a BoundedIO when CONTENTLENGTH is present. When a multipart/form-data request is sent without a Content-Length header, such as with HTTP chunked transfe...
PT-2026-29812
Name of the Vulnerable Software and Affected Versions Rack versions prior to 2.2.23, 3.1.21, and 3.2.6 Description Rack::Static uses a simple string prefix check to determine if a request should be served as a static file. When configured with URL prefixes like "/css", it matches any request path...
CVE-2026-22860
Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, Rack::Directory’s path check used a string prefix match on the expanded path. A request like /../rootexample/ can escape the configured root if the target path starts with the root string, allowing directory...
EUVD-2024-2325
Malicious code in bioql PyPI...
EUVD-2024-0516
Malicious code in bioql PyPI...
EUVD-2024-0462
Malicious code in bioql PyPI...
EUVD-2024-0768
Malicious code in bioql PyPI...
TencentOS Server 3: pcs (TSSA-2024:0388)
The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is, therefore, affected by multiple vulnerabilities as referenced in the TSSA-2024:0388 advisory. Package updates are available for TencentOS Server 3 that fix the following vulnerabilities...
CVE-2025-32441 Rack session gets restored after deletion
Rack is a modular Ruby web server interface. Prior to version 2.2.14, when using the Rack::Session::Pool middleware, simultaneous rack requests can restore a deleted rack session, which allows the unauthenticated user to occupy that session. Rack session middleware prepares the session at the...
CVE-2025-32441
Rack is a modular Ruby web server interface. Prior to version 2.2.14, when using the Rack::Session::Pool middleware, simultaneous rack requests can restore a deleted rack session, which allows the unauthenticated user to occupy that session. Rack session middleware prepares the session at the...
PT-2025-20315 · Nginx +10 · Nginx +10
Name of the Vulnerable Software and Affected Versions: Rack versions prior to 2.2.14, 3.0.16, and 3.1.14 Description: Rack is a modular Ruby web server interface. The Rack::QueryParser parses query strings and application/x-www-form-urlencoded bodies into Ruby data structures without imposing any...
CVE-2025-27111
Rack is a Ruby web-server interface. The Rack::Sendfile middleware logs unsanitised header values from X-Sendfile-Type, enabling log injection when an attacker injects escape sequences (e.g., newline characters) into that header. Affected versions are fixed in Rack 2.2.12, 3.0.13, and 3.1.11. Pra...
CVE-2024-45614 Header normalization allows for client to clobber proxy set headers in Puma
Puma is a Ruby/Rack web server built for parallelism. In affected versions clients could clobber values set by intermediate proxies such as X-Forwarded-For by providing a underscore version of the same header X-ForwardedFor. Any users relying on proxy set variables is affected. v6.4.3/v5.6.9 now...
Internet Bug Bounty: Possible DoS Vulnerability with Range Header in Rack
A potential denial-of-service vulnerability was discovered in the Rack web server interface for Ruby. The vulnerability was assigned the CVE identifier CVE-2024-26141 and affected versions of Rack 1.3.0 and later. The vulnerability was caused by carefully crafted Range request headers, which coul...
CVE-2024-25126
Rack is a modular Ruby web server interface. Carefully crafted content type headers can cause Rack’s media type parser to take much longer than expected, leading to a possible denial of service vulnerability ReDos 2nd degree polynomial. This vulnerability is patched in 3.0.9.1 and 2.2.8.1...