VYPR
Moderate severity · NVD Advisory · Published Feb 8, 2013 · Updated Apr 29, 2026

CVE-2013-0262

Description

rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before 1.4.5 allows attackers to access arbitrary files outside the intended root directory via a crafted PATH_INFO environment variable, probably a directory traversal vulnerability that is remotely exploitable, aka "symlink path traversals."
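To show why the pre-fix depth check was not enough, here is an added Ruby example (not code from the Rack project or from this advisory) that reimplements the PATH_INFO handling before and after the patch shown further down, then runs both against a constructed docroot containing a symlinked subdirectory; the directory layout and file names are made up for the demonstration.

```ruby
require 'tmpdir'
require 'fileutils'
SEPS = Regexp.union(*[File::SEPARATOR, File::ALT_SEPARATOR].compact) # as in Rack::File

# Pre-fix (Rack < 1.4.5 / 1.5.2): depth check only; the raw parts, '..' included, are joined.
def old_resolve(root, path_info)
  parts = path_info.split(SEPS)
  parts.inject(0) do |depth, part|
    case part
    when '', '.' then depth
    when '..'
      return nil if depth - 1 < 0 # the original returns fail(404, "Not Found")
      depth - 1
    else depth + 1
    end
  end
  File.join(root, *parts)
end

# Post-fix: '.' and '..' are resolved lexically, so the filesystem never sees a '..'.
def new_resolve(root, path_info)
  clean = []
  path_info.split(SEPS).each do |part|
    next if part.empty? || part == '.'
    part == '..' ? clean.pop : clean << part
  end
  File.join(root, *clean)
end

# True if the path, once the kernel follows symlinks and '..', lands outside root.
def outside_root?(root, path)
  real = File.exist?(path) ? File.realpath(path) : File.expand_path(path)
  !real.start_with?(File.realpath(root) + File::SEPARATOR)
end

# Constructed layout: base/public is the docroot, base/secret.txt sits outside it,
# and public/link is a symlink to a sibling directory (the condition the CVE relies on).
def demo
  Dir.mktmpdir do |tmp|
    base = File.realpath(tmp)
    root = File.join(base, 'public')
    FileUtils.mkdir_p([root, File.join(base, 'elsewhere')])
    File.write(File.join(base, 'secret.txt'), 'outside the docroot')
    File.symlink(File.join(base, 'elsewhere'), File.join(root, 'link'))
    req = '/link/../secret.txt' # depth check sees 0 -> 1 -> 0 -> 1, so no 404
    old_path, new_path = old_resolve(root, req), new_resolve(root, req)
    { old_served: File.file?(old_path), old_outside: outside_root?(root, old_path),
      new_served: File.file?(new_path), new_outside: outside_root?(root, new_path),
      lexical_blocked: old_resolve(root, '/../secret.txt').nil? }
  end
end
```

The old code rejects a purely lexical climb such as `/../secret.txt`, but `/link/../secret.txt` keeps a non-negative depth, and once the filesystem follows `link` the `..` is applied to the link target, so the joined path points outside the root.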

Affected packages

Versions sourced from the GitHub Security Advisory.

Package            Affected versions     Patched versions
rack (RubyGems)    >= 1.5.0, < 1.5.2     1.5.2
rack (RubyGems)    >= 1.4.0, < 1.4.5     1.4.5

Affected products

  • Rack Project/Rack (7 versions)
    • cpe:2.3:a:rack_project:rack:1.4.0:*:*:*:*:*:*:*
    • cpe:2.3:a:rack_project:rack:1.4.1:*:*:*:*:*:*:*
    • cpe:2.3:a:rack_project:rack:1.4.2:*:*:*:*:*:*:*
    • cpe:2.3:a:rack_project:rack:1.4.3:*:*:*:*:*:*:*
    • cpe:2.3:a:rack_project:rack:1.4.4:*:*:*:*:*:*:*
    • cpe:2.3:a:rack_project:rack:1.5.0:*:*:*:*:*:*:*
    • cpe:2.3:a:rack_project:rack:1.5.1:*:*:*:*:*:*:*

Patches

Commit 6f237e4c9fab

Prevent symlink path traversals

https://github.com/rack/rack · James Tucker · Feb 7, 2013 · via ghsa
1 file changed · +6 −11
  • lib/rack/file.rb (+6 −11, modified)
    @@ -41,19 +41,14 @@ def _call(env)
           path_info = Utils.unescape(env["PATH_INFO"])
           parts = path_info.split SEPS
     
    -      parts.inject(0) do |depth, part|
    -        case part
    -        when '', '.'
    -          depth
    -        when '..'
    -          return fail(404, "Not Found") if depth - 1 < 0
    -          depth - 1
    -        else
    -          depth + 1
    -        end
    +      clean = []
    +
    +      parts.each do |part|
    +        next if part.empty? || part == '.'
    +        part == '..' ? clean.pop : clean << part
           end
     
    -      @path = F.join(@root, *parts)
    +      @path = F.join(@root, *clean)
     
           available = begin
             F.file?(@path) && F.readable?(@path)
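Review bot: the rewritten loop at `part == '..' ? clean.pop : clean << part` silently discards a `..` when `clean` is already empty (`Array#pop` on an empty array returns nil), so a request like `/../../index.html` now resolves to `<root>/index.html` and is served if that file exists and is readable (the `available` check that follows), whereas the removed `return fail(404, "Not Found") if depth - 1 < 0` answered 404. That is a safe outcome but a behaviour change worth noting in the changelog; if the 404 is wanted, add `return fail(404, "Not Found") if clean.empty?` before the `pop`. The fix itself is sound: the old code only counted depth and then joined the raw `parts` in `@path = F.join(@root, *parts)`, so a `..` following a symlinked directory was applied by the filesystem to the link target rather than to the directory under `@root`; joining the lexically cleaned list means the path the filesystem sees never contains `..`.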
    


References (15)

News mentions (0)

No linked articles in our index yet.