=====================================================================
CERT-Renater Note d'Information No. 2026/VULN180
_____________________________________________________________________
DATE : 17/02/2026
HARDWARE PLATFORM(S): /
OPERATING SYSTEM(S): Systems running rack (RubyGems) versions prior to 2.2.22, 3.1.20, 3.2.5.
=====================================================================
https://github.com/rack/rack/security/advisories/GHSA-mxw3-3hh2-x2mh
https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp
_____________________________________________________________________

Directory Traversal via Rack::Directory
Severity: High
ioquatix published GHSA-mxw3-3hh2-x2mh on Feb 16, 2026

Package: rack (RubyGems)
Affected versions: < 2.2.22; >= 3.0, < 3.1.20; >= 3.2, < 3.2.5
Patched versions: 2.2.22, 3.1.20, 3.2.5

Description

Summary

Rack::Directory's path check used a string prefix match on the expanded path. A request like /../root_example/ can escape the configured root if the target path starts with the root string, allowing directory listing outside the intended root.

Details

In directory.rb, File.expand_path(File.join(root, path_info)).start_with?(root) does not enforce a path boundary. If the server root is /var/www/root, a path like /var/www/root_backup passes the check because it shares the same prefix, so Rack::Directory will list that directory as well.

Impact

Information disclosure via directory listing outside the configured root when Rack::Directory is exposed to untrusted clients and a directory shares the root prefix (e.g., public2, www_backup).

Mitigation

Update to a patched version of Rack that correctly checks the root prefix. Don't name directories with the same prefix as one which is exposed via Rack::Directory.
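The boundary problem described above, shown as an added example that is not Rack's own code: the prefix-only check quoted from directory.rb next to a boundary-aware check, run over a constructed root (/var/www/root) and constructed request paths.

```ruby
# Added example, not Rack's own code. It contrasts the prefix-only check
# quoted in GHSA-mxw3-3hh2-x2mh with a boundary-aware check, using a
# constructed root and constructed request paths.

ROOT = "/var/www/root".freeze

# Vulnerable form: a plain string prefix match on the expanded path.
# "/var/www/root_backup" starts with "/var/www/root", so it passes.
def within_root_prefix_only?(root, path_info)
  File.expand_path(File.join(root, path_info)).start_with?(root)
end

# Hardened form: the expanded path must be the root itself or start with
# the root followed by a path separator, so sibling directories that merely
# share the root's prefix are rejected.
def within_root_bounded?(root, path_info)
  root = File.expand_path(root)
  full = File.expand_path(File.join(root, path_info))
  full == root || full.start_with?(root + File::SEPARATOR)
end

# Runs both checks over a list of request paths and reports, per path,
# which check would have allowed a listing.
def compare_checks(root, paths)
  paths.to_h do |path_info|
    [path_info, { prefix_only: within_root_prefix_only?(root, path_info),
                  bounded: within_root_bounded?(root, path_info) }]
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request paths: two legitimate, one sibling-prefix escape,
  # and one classic traversal that both checks already reject.
  requests = ["/", "/docs/index.html", "/../root_backup/", "/../../etc/"]
  compare_checks(ROOT, requests).each do |path_info, result|
    flag = result[:prefix_only] && !result[:bounded] ? "  <-- escapes root" : ""
    puts format("%-20s prefix_only=%-5s bounded=%-5s%s",
                path_info, result[:prefix_only], result[:bounded], flag)
  end
end
```

Only /../root_backup/ separates the two checks: the prefix match accepts it because /var/www/root_backup begins with /var/www/root, while the bounded check rejects it.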
Severity: High, 7.5/10

CVSS v3 base metrics
  Attack vector:       Network
  Attack complexity:   Low
  Privileges required: None
  User interaction:    None
  Scope:               Unchanged
  Confidentiality:     High
  Integrity:           None
  Availability:        None
  Vector string:       CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CVE ID: CVE-2026-22860

Weaknesses: CWE-22, CWE-548

Credits
  @Masamuneee (Masamuneee) - Reporter
  @ioquatix (ioquatix) - Coordinator
_____________________________________________________________________

XSS injection via malicious filename in `Rack::Directory`
Severity: Moderate
ioquatix published GHSA-whrj-4476-wvmp on Feb 16, 2026

Package: rack (RubyGems)
Affected versions: < 2.2.22; >= 3.0, < 3.1.20; >= 3.2, < 3.2.5
Patched versions: 2.2.22, 3.1.20, 3.2.5

Description

Summary

Rack::Directory generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename begins with the javascript: scheme (e.g. javascript:alert(1)), the generated index includes an anchor whose href attribute is exactly javascript:alert(1). Clicking this entry executes arbitrary JavaScript in the context of the hosting application. This results in a client-side XSS condition in directory listings generated by Rack::Directory.

Details

Rack::Directory renders directory entries using an HTML row template similar to:

    %s

The %s placeholder is populated directly with the file's basename. If the basename begins with javascript:, the resulting HTML contains an executable JavaScript URL:

    javascript:alert(1)

Because the value is inserted directly into the href attribute without scheme validation or normalization, browsers interpret it as a JavaScript URI. When a user clicks the link, the JavaScript executes in the origin of the Rack application.

Impact

If Rack::Directory is used to expose filesystem contents over HTTP, an attacker who can create or upload files within that directory may introduce a malicious filename beginning with javascript:.
When a user visits the directory listing and clicks the entry, arbitrary JavaScript executes in the application's origin. Exploitation requires user interaction (clicking the malicious entry).

Mitigation

Update to a patched version of Rack in which Rack::Directory prefixes generated anchors with a relative path indicator (e.g. ./filename). Avoid exposing user-controlled directories via Rack::Directory. Apply a strict Content Security Policy (CSP) to reduce the impact of potential client-side execution issues. Where feasible, restrict or sanitize uploaded filenames to disallow dangerous URI scheme prefixes.

Severity: Moderate, 5.4/10

CVSS v3 base metrics
  Attack vector:       Network
  Attack complexity:   Low
  Privileges required: Low
  User interaction:    Required
  Scope:               Changed
  Confidentiality:     Low
  Integrity:           Low
  Availability:        None
  Vector string:       CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N

CVE ID: CVE-2026-25500

Weaknesses: CWE-79

Credits
  @thesmartshadow (thesmartshadow) - Reporter
  @jeremyevans (jeremyevans) - Remediation developer
  @ioquatix (ioquatix) - Coordinator

=========================================================
+ CERT-RENATER       | tel : 01-53-94-20-44            +
+ 23/25 Rue Daviel   | fax : 01-53-94-20-41            +
+ 75013 Paris        | email: cert@support.renater.fr  +
=========================================================