Rack's Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href
Description
Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, Rack::Directory generates an HTML directory index in which each file entry is rendered as a clickable link whose href is the entry's basename with no path prefix. If a file exists on disk whose basename starts with the javascript: scheme (e.g. javascript:alert(1)), the generated index contains an anchor whose href is exactly javascript:alert(1). The browser parses that href as an absolute URL with the javascript: scheme rather than as a relative path, so clicking the entry executes JavaScript in the origin of the application serving the index (demonstrated with alert(1)). HTML escaping of the filename does not prevent this, because javascript:alert(1) contains no HTML metacharacter. Since the payload is a file name, exploitation requires the ability to create files under a directory served by Rack::Directory, for example through an upload feature or a shared filesystem. Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue by prefixing every generated href with ./ so that it is always resolved as a relative path.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| rack (RubyGems) | < 2.2.22 | 2.2.22 |
| rack (RubyGems) | >= 3.0.0.beta1, < 3.1.20 | 3.1.20 |
| rack (RubyGems) | >= 3.2.0, < 3.2.5 | 3.2.5 |
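A triage check for the ranges in the table above, written as an added example for this page (it is not code from the advisory or from the Rack project). It encodes the three affected ranges as RubyGems requirements, names the smallest patched release on the affected line, and pulls the locked rack version out of Gemfile.lock text. The helper names rack_affected?, fix_for and locked_rack_version are mine, and the lockfile excerpt is constructed.

```ruby
require "rubygems"

# The three affected ranges from the advisory table, as RubyGems requirements.
# Gem::Requirement#satisfied_by? compares versions only; it does not drop prereleases.
AFFECTED_RANGES = [
  Gem::Requirement.new("< 2.2.22"),
  Gem::Requirement.new(">= 3.0.0.beta1", "< 3.1.20"),
  Gem::Requirement.new(">= 3.2.0", "< 3.2.5")
].freeze

# Patched releases, lowest first, so the first one above an affected version is
# the upgrade target for that line (3.0.x has no patched release of its own and
# therefore resolves to 3.1.20).
PATCHED = %w[2.2.22 3.1.20 3.2.5].map { |v| Gem::Version.new(v) }.freeze

# True when the rack version string falls inside one of the affected ranges.
def rack_affected?(version)
  v = Gem::Version.new(version)
  AFFECTED_RANGES.any? { |req| req.satisfied_by?(v) }
end

# Smallest patched release above the given version, or nil when it is not affected.
def fix_for(version)
  return nil unless rack_affected?(version)
  v = Gem::Version.new(version)
  PATCHED.find { |patched| patched > v }
end

# Locked version of the rack gem itself. In Gemfile.lock the resolved gems sit at
# four spaces of indentation under "specs:"; their dependencies (which may also be
# named rack, with a constraint instead of a version) sit at six and do not match.
def locked_rack_version(lockfile_text)
  lockfile_text[/^ {4}rack \((\d[^)]*)\)/, 1]
end

# Constructed Gemfile.lock excerpt, not taken from a real project.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (3.1.19)
      rack-session (2.1.0)
        rack (>= 3.0.0)
      rackup (2.2.1)
        rack (>= 3)
LOCK

if $PROGRAM_NAME == __FILE__
  locked = locked_rack_version(SAMPLE_LOCKFILE)
  if rack_affected?(locked)
    puts "rack #{locked} is affected by CVE-2026-25500; upgrade to #{fix_for(locked)}"
  else
    puts "rack #{locked} is not in an affected range"
  end
end
```

To run it against a real project, replace SAMPLE_LOCKFILE with File.read("Gemfile.lock"); the same functions also take the output of `bundle exec ruby -e 'require "rack"; puts Rack.release'` directly.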
Affected products
Patches (1)
f2f225f297b9 XSS injection via malicious filename in `Rack::Directory`.
3 files changed · +3 −2
CHANGELOG.md+1 −0 modified@@ -8,6 +8,7 @@ All notable changes to this project will be documented in this file. For info on - [CVE-2025-61780](https://github.com/advisories/GHSA-r657-rxjc-j557) Improper handling of headers in `Rack::Sendfile` may allow proxy bypass. - [CVE-2025-61919](https://github.com/advisories/GHSA-6xw4-3v39-52mm) Unbounded read in `Rack::Request` form parsing can lead to memory exhaustion. +- [CVE-2026-25500](https://github.com/advisories/GHSA-whrj-4476-wvmp) XSS injection via malicious filename in `Rack::Directory`. ### SPEC Changes
lib/rack/directory.rb+1 −1 modified@@ -22,7 +22,7 @@ module Rack # the response. class Directory - DIR_FILE = "<tr><td class='name'><a href='%s'>%s</a></td><td class='size'>%s</td><td class='type'>%s</td><td class='mtime'>%s</td></tr>\n" + DIR_FILE = "<tr><td class='name'><a href='./%s'>%s</a></td><td class='size'>%s</td><td class='type'>%s</td><td class='mtime'>%s</td></tr>\n" DIR_PAGE_HEADER = <<-PAGE <html><head> <title>%s</title>
test/spec_directory.rb+1 −1 modified@@ -46,7 +46,7 @@ def setup res.must_be :ok? assert_includes(res.body, '<html><head>') - assert_includes(res.body, "href='cgi") + assert_includes(res.body, "href='./cgi") end it "serve directory indices" do
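Review bot: in the lib/rack/directory.rb hunk the `./` prefix in the new DIR_FILE template is the entire fix, yet the constant carries no comment saying why it is there, so a later tidy-up that treats `href='./%s'` as a redundant form of `href='%s'` would silently reintroduce the bug. Suggest a one-line comment above the constant, along the lines of `# './' forces relative resolution: a basename such as 'javascript:alert(1)' must never be emitted as a bare href, which the browser reads as an absolute URL.` The template still interpolates `%s` straight into a single-quoted attribute, so it also depends on the caller having escaped every cell; the same comment is a good place to state that expectation.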
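Review bot: in the test/spec_directory.rb hunk the updated assertion only checks `href='./cgi` for a benign fixture name, so nothing in the suite exercises the reported case, a basename that begins with a scheme. Suggest a test that creates a file named `javascript:alert(1)` in a temporary directory (Dir.mktmpdir rather than a checked-in fixture, since a file name containing a colon cannot exist on Windows filesystems), serves that directory through Rack::Directory and asserts the body contains `href='./javascript:alert(1)'` and does not contain `href='javascript:`. The benign assertion would still catch a dropped prefix, but it does not document that the prefix is load-bearing; the scheme-named case would.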
Vulnerability mechanics
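The mechanics described in the description above, as an added example that is not Rack's own code: it reproduces the index-row rendering with the two row templates from the fix diff, stands in CGI.escapeHTML for Rack::Utils.escape_html and a stdlib URI parser for Rack::Utils.escape_path (the assumption being that this approximates Rack's escaping closely enough; neither step rewrites ':' '(' or ')'), and shows why escaping alone does not stop the javascript: href while the `./` prefix does. The names render_row, hrefs_for, absolute_url? and scheme_named_entries are mine, and the directory listing is constructed.

```ruby
require "cgi"
require "uri"

# Row templates from the Rack::Directory fix diff: the only difference is the "./"
# prefix on the href in the patched version.
VULNERABLE_ROW = "<tr><td class='name'><a href='%s'>%s</a></td><td class='size'>%s</td><td class='type'>%s</td><td class='mtime'>%s</td></tr>\n"
PATCHED_ROW    = "<tr><td class='name'><a href='./%s'>%s</a></td><td class='size'>%s</td><td class='type'>%s</td><td class='mtime'>%s</td></tr>\n"

# Assumption: the RFC 2396 escaper, under which ':' '(' and ')' count as safe and are
# left alone. Stand-in for Rack::Utils.escape_path so this runs without the rack gem.
PATH_PARSER = defined?(URI::RFC2396_PARSER) ? URI::RFC2396_PARSER : URI::DEFAULT_PARSER

# Render one index row: percent-escape the basename for the href, HTML-escape every
# cell (CGI.escapeHTML stands in for Rack::Utils.escape_html). Neither step changes
# "javascript:alert(1)", which contains nothing either escaper rewrites.
def render_row(template, basename, size: "1.0K", type: "text/plain",
               mtime: "Sat, 09 May 2026 00:00:00 GMT")
  cells = [PATH_PARSER.escape(basename), basename, size, type, mtime]
  template % cells.map { |cell| CGI.escapeHTML(cell) }
end

# Pull the href attribute back out of a rendered row.
def extract_href(row)
  row[/href='([^']*)'/, 1]
end

# RFC 3986 scheme syntax. An href that starts with "<scheme>:" is absolute and the
# browser dispatches on the scheme, so "javascript:..." runs script on click, while
# "./javascript:..." has no scheme and resolves to a path under the current directory.
SCHEME_PREFIX = /\A[A-Za-z][A-Za-z0-9+.\-]*:/

def absolute_url?(href)
  SCHEME_PREFIX.match?(href)
end

# The hrefs one basename produces under the vulnerable and the patched template.
def hrefs_for(basename)
  {
    vulnerable: extract_href(render_row(VULNERABLE_ROW, basename)),
    patched:    extract_href(render_row(PATCHED_ROW, basename))
  }
end

# Audit helper for an unpatched deployment: entries of a served directory whose
# names would be emitted as absolute URLs. Pass Dir.children(root) for a real tree.
def scheme_named_entries(names)
  names.select { |name| absolute_url?(PATH_PARSER.escape(name)) }
end

if $PROGRAM_NAME == __FILE__
  # Constructed listing, not a real directory.
  listing = ["cgi", "report.pdf", "javascript:alert(1)", "data:text/html,hi"]
  listing.each do |name|
    h = hrefs_for(name)
    puts "#{name.ljust(20)} vulnerable=#{h[:vulnerable].inspect} " \
         "(absolute? #{absolute_url?(h[:vulnerable])}) patched=#{h[:patched].inspect}"
  end
  puts "flagged on disk: #{scheme_named_entries(listing).inspect}"
end
```

The listing deliberately includes a data: name alongside the javascript: one: the fix is scheme-agnostic because forcing relative resolution removes the scheme position entirely, which is why a prefix is a sounder repair than a denylist of dangerous schemes. scheme_named_entries is the check to run over any directory an unpatched Rack::Directory serves, since those files are the stored payloads.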
References (5)
- github.com/advisories/GHSA-whrj-4476-wvmp (GHSA advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-25500 (NVD entry)
- github.com/rack/rack/commit/f2f225f297b99fbee3d9f51255d41f601fc40aff (fix commit)
- github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp (upstream advisory)
- github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-25500.yml (ruby-advisory-db entry)