Rack has a Possible Information Disclosure Vulnerability

Description

Summary

A possible information disclosure vulnerability existed in Rack::Sendfile when running behind a proxy that supports x-sendfile headers (such as Nginx). Specially crafted headers could cause Rack::Sendfile to miscommunicate with the proxy and trigger unintended internal requests, potentially bypassing proxy-level access restrictions.

Details

When Rack::Sendfile received untrusted x-sendfile-type or x-accel-mapping headers from a client, it would interpret them as proxy configuration directives. This could cause the middleware to send a "redirect" response to the proxy, prompting it to reissue a new internal request that was not subject to the proxy's access controls.

An attacker could exploit this by:
1. Setting a crafted x-sendfile-type: x-accel-redirect header.
2. Setting a crafted x-accel-mapping header.
3. Requesting a path that qualifies for proxy-based acceleration.

Impact

Attackers could bypass proxy-enforced restrictions and access internal endpoints intended to be protected (such as administrative pages). The vulnerability did not allow arbitrary file reads but could expose sensitive application routes.

This issue only affected systems meeting all of the following conditions:

  • The application used Rack::Sendfile with a proxy that supports x-accel-redirect (e.g., Nginx).
  • The proxy did not always set or remove the x-sendfile-type and x-accel-mapping headers.
  • The application exposed an endpoint that returned a body responding to .to_path.

Mitigation

  • Upgrade to a fixed version of Rack which requires explicit configuration to enable x-accel-redirect:

ruby use Rack::Sendfile, "x-accel-redirect"

  • Alternatively, configure the proxy to always set or strip the headers (you should be doing this!):

nginx proxy_set_header x-sendfile-type x-accel-redirect; proxy_set_header x-accel-mapping /var/www/=/files/;

  • Or in Rails applications, disable sendfile completely:

ruby config.action_dispatch.x_sendfile_header = nil

Basic information

Type
reviewed
Severity
medium
Advisory on GitHub
Open advisory ↗
Repository advisory
Open repository advisory ↗
Source code
Browse source ↗
Published (advisory)
2025-10-10 17:31:31 UTC
Updated
2025-10-13 15:45:11 UTC
GitHub reviewed
2025-10-10 17:31:31 UTC
NVD published
2025-10-10

EPSS Score

Score Percentile
0.03% 10.01%

CVSS Scores

Base score Version Severity Vector
5.8 3.1
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N Click to expand
Attack vector (AV:N)
Could be attacked over the internet or any normal routed network—not just someone sitting at the machine.
Attack complexity (AC:L)
Once they can reach the bug, pulling it off is straightforward—no weird race conditions or rare setup.
Privileges required (PR:N)
No account or special rights needed—anonymous or random user is enough.
User interaction (UI:N)
Nobody has to click “OK” or open a trap file; it can work without a victim helping.
Scope (S:C)
Breaking this can reach past the original component and bite other resources—bigger blast radius.
Confidentiality (C:L)
Some sensitive info could get out, but not a total data dump.
Integrity (I:N)
Data isn’t meaningfully altered or forged.
Availability (A:N)
Service keeps running; no real outage angle.

Identifiers

CWEs

CWE id Name
CWE-200 Exposure of Sensitive Information to an Unauthorized Actor
CWE-441 Unintended Proxy or Intermediary ('Confused Deputy')
CWE-913 Improper Control of Dynamically-Managed Code Resources

Credits

  • leahneukirchen (analyst)
  • jeremyevans (remediation_reviewer)
  • matthewd (analyst)
  • ioquatix (remediation_developer)

Affected packages (3)

Vulnerable version ranges and first patched releases as published by GitHub.

Ecosystem Package Vulnerable range First patched Vulnerable functions
rubygems rack < 2.2.20 2.2.20
rubygems rack >= 3.0, < 3.1.18 3.1.18
rubygems rack >= 3.2, < 3.2.3 3.2.3

References

cvelogic Threat Intelligence