The vulnerability in Rack is a classic 'Confused Deputy' problem where the Rack::Sendfile middleware improperly trusts headers sent from an external client. The root cause is twofold:
Unsafe Header Reading in variation: The variation method unconditionally read the HTTP_X_SENDFILE_TYPE header from the request. This allowed an attacker to enable the x-accel-redirect feature, which is intended for server-to-server communication, by simply sending a crafted header.
Unsafe Header Reading in map_accel_path: Similarly, the map_accel_path method read the HTTP_X_ACCEL_MAPPING header from the request. Once an attacker had enabled x-accel-redirect through the first issue, this second issue let them control how the proxy server maps and redirects internal requests, giving them access to protected endpoints.
The call method is the orchestrator of this process and serves as the entry point for the middleware, making it a key part of the vulnerable execution flow.
The patch addresses this by removing the code that reads HTTP_X_SENDFILE_TYPE from the request headers, so the sendfile variation must be explicitly configured in the application's code. It also introduces a new method, x_accel_mapping, which checks that the HTTP_X_ACCEL_MAPPING header is only consulted when x-accel-redirect has been deliberately enabled in the configuration, and never on the strength of a potentially malicious request alone.
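To make the two decision points concrete, here is an added illustration (not Rack's own source) that models the vulnerable shape beside the patched shape. The header names and the X-Accel-Redirect variation string follow Rack; the class and method layout, and the accel_path helper, are assumptions made for the demonstration.

```ruby
# Added illustration, not Rack's own code: a simplified model of how the
# sendfile variation and the accel mapping are chosen, before and after the
# fix. Class and method layout are assumptions for this demo.

# Vulnerable shape: both the variation and the accel mapping may come
# straight from client-controlled request headers.
class UnsafeSendfile
  def initialize(variation: nil, mappings: [])
    @variation = variation   # value from application config, may be nil
    @mappings = mappings     # [[internal_prefix, external_prefix], ...]
  end

  def variation(env)
    @variation || env['HTTP_X_SENDFILE_TYPE']   # any client can set this
  end

  def x_accel_mapping(env)
    env['HTTP_X_ACCEL_MAPPING']                  # honoured unconditionally
  end

  # Returns the rewritten path for X-Accel-Redirect, or nil if not applicable.
  def accel_path(env, path)
    return nil unless variation(env).to_s.casecmp?('x-accel-redirect')
    mapping = @mappings.find { |internal, _| path.start_with?(internal) }
    if mapping.nil? && (header = x_accel_mapping(env))
      internal, external = header.split('=', 2).map(&:strip)
      mapping = [internal, external] if external && path.start_with?(internal)
    end
    mapping && path.sub(mapping[0], mapping[1])
  end
end

# Patched shape: the variation comes only from configuration, and the mapping
# header is consulted only once X-Accel-Redirect was configured explicitly.
class SafeSendfile < UnsafeSendfile
  def variation(_env)
    @variation   # request header ignored; must be set in application config
  end

  def x_accel_mapping(env)
    return nil unless @variation.to_s.casecmp?('x-accel-redirect')
    env['HTTP_X_ACCEL_MAPPING']
  end
end
```

With no configured variation, UnsafeSendfile rewrites a path on the strength of two request headers alone, while SafeSendfile returns nil for the same request.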
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| rack | rubygems | < 2.2.20 | 2.2.20 |
| rack | rubygems | >= 3.0, < 3.1.18 | 3.1.18 |
| rack | rubygems | >= 3.2, < 3.2.3 | 3.2.3 |