CVE Reports

Posted on • Originally published at cvereports.com

CVE-2026-34785: Information Disclosure via Partial String Comparison in Rack::Static

Vulnerability ID: CVE-2026-34785
CVSS Score: 7.5
Published: 2026-04-02

Rack, a foundational Ruby web server interface, suffers from an information disclosure vulnerability in its Rack::Static middleware prior to versions 2.2.23, 3.1.21, and 3.2.6. The flaw is a partial (prefix-only) string comparison in the URL routing check: a request path was accepted as a static asset whenever it merely began with a configured static URL, so files or directories whose names share a textual prefix with a configured asset directory could be served to an attacker.

TL;DR

A partial string matching flaw in Rack::Static allows unauthenticated attackers to retrieve unintended files sharing a text prefix with static directories. Updating to patched versions resolves the issue.


⚠️ Exploit Status: POC

Technical Details

  • CWE ID: CWE-187 (Partial String Comparison)
  • Attack Vector: Network
  • CVSS Score: 7.5 (High)
  • Impact: Confidentiality (High)
  • Exploit Status: Proof of Concept
  • CISA KEV: No

Affected Systems

  • Ruby applications using the Rack library (< 2.2.23, 3.0.0.beta1 - 3.1.20, 3.2.0 - 3.2.5)
  • Applications utilizing Rack::Static for asset serving
  • Rack: < 2.2.23 (Fixed in: 2.2.23)
  • Rack: >= 3.0.0.beta1, < 3.1.21 (Fixed in: 3.1.21)
  • Rack: >= 3.2.0, < 3.2.6 (Fixed in: 3.2.6)

Code Analysis

Commit: 7a8f326

Fix root prefix bug in Rack::Static

@@ -93,6 +93,9 @@ class Static
     def initialize(app, options = {})
       @app = app
       @urls = options[:urls] || ["/favicon.ico"]
+      if @urls.kind_of?(Array)
+        @urls = @urls.map { |url| [url, url.end_with?('/') ? url : "#{url}/".freeze].freeze }.freeze
+      end
       @index = options[:index]
       @gzip = options[:gzip]
       @cascade = options[:cascade]
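Review bot: the pair-building `map` is gated on `@urls.kind_of?(Array)`, matching the guard in `route_file`, but nothing in the hunk documents the new element shape; a one-line comment above the `if` stating that every entry becomes a frozen `[prefix, prefix_with_trailing_slash]` pair would spare the next reader from reverse-engineering it from the `|url, url_slash|` block arity further down. The option documentation for `:urls` should also record the semantic change: a prefix now matches only at a path-segment boundary, not any string that starts with it.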
@@ -115,7 +118,7 @@ def overwrite_file_path(path)
     end

     def route_file(path)
-      @urls.kind_of?(Array) && @urls.any? { |url| path.index(url) == 0 }
+      @urls.kind_of?(Array) && @urls.any? { |url, url_slash| path == url || path.start_with?(url_slash) }
     end
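Review bot: `path.start_with?(url_slash)` assumes every element of `@urls` is the pair built in `initialize`; if a subclass or caller reassigns `@urls` with plain strings after construction, `url_slash` is `nil` and `String#start_with?` raises `TypeError` instead of degrading to the old prefix check. Either normalise on assignment through one accessor or add a comment stating the invariant. The hunk also ships without a regression test; a case asserting that a path such as `/assets.bak` is not routed when `:urls` is `["/assets"]`, while `/assets` and `/assets/app.js` still are, would pin the fix (example values, not from the patch).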

Mitigation Strategies

  • Update Rack dependency to a patched version (2.2.23, 3.1.21, or 3.2.6).
  • Append trailing slashes to all URL prefixes in the Rack::Static configuration.
  • Segregate static asset directories strictly from sensitive deployment artifacts or configuration files.

Remediation Steps:

  1. Identify all projects utilizing the rack gem and check the current version.
  2. Update the Gemfile to require rack >= 2.2.23, >= 3.1.21, or >= 3.2.6 depending on the current major version.
  3. Run bundle update rack to fetch the patched version.
  4. If patching is impossible, modify config.ru or middleware initialization to append / to all strings in the :urls array.
  5. Audit the static :root directory for mistakenly placed sensitive files (e.g., .env, .sql, .bak) and remove them.
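The following Ruby script is an added example, not code from Rack or from the CVE report. It models the vulnerable and patched `route_file` checks from the commit above as standalone functions (no `rack` gem required) and the trailing-slash workaround from step 4, then runs constructed request paths through all three so the difference is visible. The `/assets` rule and the sample paths are invented for illustration.

```ruby
# Added example (not Rack's own code): models the before/after routing logic
# of Rack::Static from the patch above, plus the trailing-slash workaround.

# Vulnerable check (Rack::Static#route_file before the fix): a plain prefix
# test, so a sibling such as "/assets.bak" matches the "/assets" rule.
def vulnerable_route?(urls, path)
  urls.any? { |url| path.index(url) == 0 }
end

# Patched check: the configured URL must match exactly or be followed by a
# path separator, so only real children of the directory are routed.
def patched_route?(urls, path)
  pairs = urls.map { |url| [url, url.end_with?('/') ? url : "#{url}/"] }
  pairs.any? { |url, url_slash| path == url || path.start_with?(url_slash) }
end

# Workaround for unpatched deployments (remediation step 4): normalise every
# :urls entry to end with "/" before handing the array to Rack::Static.
def normalize_urls(urls)
  urls.map { |url| url.end_with?('/') ? url : "#{url}/" }
end

# Constructed sample configuration and requests: one directory rule, the
# default favicon rule, a legitimate asset, and files that share only a
# textual prefix with the configured rules.
SAMPLE_URLS  = ["/assets", "/favicon.ico"].freeze
SAMPLE_PATHS = [
  "/assets/app.js",
  "/assets",
  "/assets.bak",
  "/assets-old/config.yml",
  "/favicon.ico",
  "/favicon.ico.orig",
].freeze

# Returns [path, vulnerable?, patched?, workaround?] for each sample path,
# where "workaround" is the vulnerable check run against normalised URLs.
def routing_table(urls)
  SAMPLE_PATHS.map do |path|
    [
      path,
      vulnerable_route?(urls, path),
      patched_route?(urls, path),
      vulnerable_route?(normalize_urls(urls), path),
    ]
  end
end

if __FILE__ == $PROGRAM_NAME
  puts format("%-24s %-10s %-8s %-10s", "path", "vulnerable", "patched", "workaround")
  routing_table(SAMPLE_URLS).each do |path, v, p, w|
    puts format("%-24s %-10s %-8s %-10s", path, v, p, w)
  end
end
```

Running it shows that the prefix check routes every sample path, while the patched check routes only `/assets`, `/assets/app.js` and `/favicon.ico`. The trailing-slash workaround stops the sibling matches too, but with a cost the table makes visible: a normalised entry such as `/favicon.ico/` no longer matches the bare file path, so the workaround suits directory prefixes only and single-file entries need the actual patch.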


Read the full report for CVE-2026-34785 on our website for more details including interactive diagrams and full exploit analysis.
