CVE-2025-27610
CVSS 3.1 Score 7.5 of 10 (high)
Details
Summary
CVE-2025-27610 is a vulnerability affecting the `Rack::Static` component of the Rack web application development framework prior to versions 2.2.13, 3.0.14, and 3.1.12. It allows an attacker to access files outside the designated static file directory by supplying maliciously crafted paths to `Rack::Static`. The vulnerability arises because `Rack::Static` fails to properly sanitize user-supplied paths before serving files, so path traversal sequences can escape the designated directory. Consequently, an attacker can potentially gain unauthorized access to all files within the specified `root` directory. To address this, users are advised to update to version 2.2.13, 3.0.14, or 3.1.12, or to remove `Rack::Static` usage entirely. Additionally, ensuring that `root` points to a restricted directory helps limit the risk, and serving static files from a Content Delivery Network (CDN) or a dedicated static file server also mitigates the issue.
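The containment property a static file handler such as `Rack::Static` has to enforce, shown as an added Ruby example that is not Rack's own code or its patch: every request is decoded, screened for traversal segments, canonicalized, and then checked to sit strictly below the configured root before anything is served. The function names `safe_static_path` and `demo_static_root` and the temporary directory layout are constructed for this illustration.

```ruby
require "uri"
require "tmpdir"
require "fileutils"

# Resolve +request_path+ against +root+ and return the absolute path of the
# regular file it names, or nil when the request would escape the root, is
# not a regular file, or contains bytes that can confuse the filesystem.
def safe_static_path(root, request_path)
  root = File.realpath(root)
  # Decode once so encoded traversal ("%2e%2e%2f") is seen for what it is.
  # (decode_www_form_component also maps "+" to a space; fine for this demo.)
  decoded = URI.decode_www_form_component(request_path)
  return nil if decoded.include?("\0")
  # Reject traversal segments before touching the filesystem at all.
  return nil if decoded.split(%r{[/\\]}).include?("..")
  # Join first, then expand: joining keeps a leading "~" from being treated
  # as a home-directory reference by File.expand_path.
  candidate = File.expand_path(File.join(root, decoded))
  begin
    real = File.realpath(candidate)   # follows symlinks, resolves "." and ".."
  rescue SystemCallError
    return nil                        # missing file or unreadable component
  end
  # Containment check on the canonical path: it must be strictly below root,
  # which also catches symlinks inside root that point outside it.
  return nil unless real.start_with?(root + File::SEPARATOR)
  File.file?(real) ? real : nil
end

# Constructed fixture for the demonstration:
#   <tmp>/public/index.html            inside the root, may be served
#   <tmp>/secret.txt                   outside the root, must never be served
#   <tmp>/public/leak -> ../secret.txt symlink escaping the root
def demo_static_root
  base = Dir.mktmpdir("static-demo")
  root = File.join(base, "public")
  FileUtils.mkdir_p(root)
  File.write(File.join(root, "index.html"), "<h1>hello</h1>")
  File.write(File.join(base, "secret.txt"), "not for the web")
  File.symlink(File.join(base, "secret.txt"), File.join(root, "leak"))
  File.realpath(root)
end

if __FILE__ == $PROGRAM_NAME
  root = demo_static_root
  ["/index.html", "/../secret.txt", "/%2e%2e/secret.txt", "/leak", "/"].each do |p|
    puts "#{p.ljust(20)} -> #{safe_static_path(root, p).inspect}"
  end
end
```

Only `/index.html` resolves to a path; every other request returns nil, which a handler should turn into a 404 rather than an attempt to open the file.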
Affected Products
- Rack
Affected Vendors
- Rack