CVE-2026-34830 Rack: Rack::Sendfile regex injection via HTTP_X_ACCEL_MAPPING header allows arbitrary file reads through nginx
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Sendfile#map_accel_path interpolates the value of the X-Accel-Mapping request header directly into a regular expression when rewriting file paths for X-Accel-Redirect. Because the header value is not...
CVE-2026-34830
Rack-118: CVE-2026-34830 — In Rack (Rack::Sendfile#map_accel_path), the X-Accel-Mapping header is interpolated directly into a regex when rewriting X-Accel-Redirect paths. This unescaped input can let an attacker inject regex metacharacters and influence the X-Accel-Redirect header, potentially c...
CVE-2026-34830
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Sendfile#map_accel_path interpolates the value of the X-Accel-Mapping request header directly into a regular expression when rewriting file paths for X-Accel-Redirect. Because the header value is not...
PT-2026-29818
Name of the Vulnerable Software and Affected Versions Rack versions prior to 2.2.23, 3.1.21, and 3.2.6 Description Rack’s Rack::Sendfile#map_accel_path function directly uses the X-Accel-Mapping request header value in a regular expression for rewriting file paths used with X-Accel-Redirect. Becau...
PT-2026-29922
Summary Rack::Sendfile#map_accel_path interpolates the value of the X-Accel-Mapping request header directly into a regular expression when rewriting file paths for X-Accel-Redirect. Because the header value is not escaped, an attacker who can supply X-Accel-Mapping to the backend can inject regex...
Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect
Summary Rack::Sendfile#map_accel_path interpolates the value of the X-Accel-Mapping request header directly into a regular expression when rewriting file paths for X-Accel-Redirect. Because the header value is not escaped, an attacker who can supply X-Accel-Mapping to the backend can inject regex...
Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: rubygem-rack (UTSA-2026-005939)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-005939 advisory. Rack is a modular Ruby web server interface. The Rack::Sendfile middleware logs unsanitised header values from the X-Sendfile-Type header. An attacker can exploit th...
Security Bulletin: Multiple vulnerabilities in IBM Aspera Console
Summary Multiple vulnerabilities were addressed in IBM Aspera Console version 3.4.8. Vulnerability Details CVEID:CVE-2025-61780 DESCRIPTION: Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, a possible information disclosure vulnerability existed in...
Security update for rubygem-rack
This update for rubygem-rack fixes the following issues: Update to version 2.2.20 bsc#1251936 CVE-2025-61919: Fixed application/x-www-form-urlencoded, calling rack.input.read(nil) without enforcing a length or cap bsc#1251936 CVE-2025-61780: Fixed improper handling of headers in Rack::Sendfile allows...
Information Disclosure
rack is vulnerable to Information Disclosure. The vulnerability is due to trusting unvalidated x-sendfile-type and x-accel-mapping headers, allowing attackers to craft headers that trick the proxy into making internal requests and bypassing access controls...
[SECURITY] [DLA 4357-1] ruby-rack security update
----------------------------------------------------------------------- Debian LTS Advisory DLA-4357-1 [email protected] https://www.debian.org/lts/security/ Utkarsh Gupta November 01, 2025 https://wiki.debian.org/LTS -...
Ruby RACK < 2.2.20 / 3.x < 3.1.18 / 3.2 < 3.2.3 Multiple Vulnerabilities
The version of the RACK Ruby library installed on the remote host is prior to 2.2.20 / 3.1.18 / 3.2.3. It is, therefore, affected by the following vulnerabilities: - Rack::Request#POST reads the entire request body into memory for Content-Type: application/x-www-form-urlencoded, calling...
Linux Distros Unpatched Vulnerability : CVE-2025-61780
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, a possible information disclosure vulnerability existed in...
CVE-2025-61780
A potential information disclosure vulnerability has been identified in the RubyGem Rack affecting Rack::Sendfile when used behind a proxy that supports x-sendfile headers e.g., Nginx. When processing untrusted x-sendfile-type or x-accel-mapping headers, the middleware could misinterpret them as...
SUSE CVE-2025-61780
Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, a possible information disclosure vulnerability existed in Rack::Sendfile when running behind a proxy that supports x-sendfile headers such as Nginx. Specially crafted headers could cause Rack::Sendfile to...
Information Exposure
Overview rack is a minimal, modular and adaptable interface for developing web applications in Ruby. By wrapping HTTP requests and responses in the simplest way possible, it unifies and distills the API for web servers, web frameworks, and software in between the so-called middleware into a singl...
GHSA-R657-RXJC-J557 Rack has a Possible Information Disclosure Vulnerability
Summary A possible information disclosure vulnerability existed in Rack::Sendfile when running behind a proxy that supports x-sendfile headers such as Nginx. Specially crafted headers could cause Rack::Sendfile to miscommunicate with the proxy and trigger unintended internal requests, potentially...
Rack has a Possible Information Disclosure Vulnerability
Summary A possible information disclosure vulnerability existed in Rack::Sendfile when running behind a proxy that supports x-sendfile headers such as Nginx. Specially crafted headers could cause Rack::Sendfile to miscommunicate with the proxy and trigger unintended internal requests, potentially...
DEBIAN-CVE-2025-61780
Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, a possible information disclosure vulnerability existed in Rack::Sendfile when running behind a proxy that supports x-sendfile headers such as Nginx. Specially crafted headers could cause Rack::Sendfile to...
CVE-2025-61780
Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, a possible information disclosure vulnerability existed in Rack::Sendfile when running behind a proxy that supports x-sendfile headers such as Nginx. Specially crafted headers could cause Rack::Sendfile to...