Local File Inclusion in Rack::Static (CVE-2025-27610)
This week, a security vulnerability in Rack was disclosed. It affects only users of the Rack::Static middleware, which is not used by default in Rails applications.
Impact
If your app uses Rack::Static like this:
use Rack::Static, urls: ["/media"]
it is intended to serve files from the ./media directory only. However, specially crafted requests could trick the middleware into serving arbitrary files from ".", the directory the application is running in.
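The property the vulnerable middleware failed to uphold is that every resolved path must stay inside the serving root. The following is an added example, not Rack's own code, of the containment check a static-file handler needs: decode the request path once, refuse inputs that would change how the path is interpreted, expand it against the root, and only then compare prefixes. The root "/srv/app/media" is a constructed value.

```ruby
# Added example (not Rack's code): confine a request path to a serving root.
module SafeStatic
  # Returns the absolute path to serve, or nil when the request must be
  # rejected. `root` is the directory that static files live in.
  def self.resolve(request_path, root)
    # Decode percent-encoding exactly once. Decoding twice would let a
    # doubly-encoded separator or dot pass the checks below.
    decoded = request_path.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }

    # NUL bytes truncate paths in C-backed syscalls; backslashes are
    # separators on some filesystems. Neither belongs in a static URL.
    return nil if decoded.include?("\0") || decoded.include?("\\")

    # Drop leading slashes so the path is always relative to root.
    relative = decoded.sub(%r{\A/+}, "")

    # File.expand_path treats a leading "~" as a home directory and would
    # ignore the root entirely, so refuse it up front.
    return nil if relative.start_with?("~")

    root = File.expand_path(root)
    candidate = File.expand_path(relative, root)

    # The resolved path must be strictly below root (root itself is not a file).
    return nil unless candidate.start_with?(root + File::SEPARATOR)
    candidate
  end
end
```

In a real handler the returned path would additionally be checked with File.file? before being opened; that is left out here so the resolution logic can be exercised without a filesystem.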
Fix
We have released new versions of Rack (1.4.7.22, 1.6.13.20, 2.2.13.10) to address this vulnerability.
(Note: For Rails 5 and 6 LTS, this will also increase your Rails LTS version, but there are no additional changes.)
Best
- the Rails LTS team