CVE-2025-27610
Published: 10 March 2025
Description
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Security Summary
Rack::Static, a component of the Rack Ruby web server interface, is affected by CVE-2025-27610, a path traversal vulnerability (CWE-23) present in versions prior to 2.2.13, 3.0.14, and 3.1.12. The issue arises because Rack::Static fails to properly sanitize user-supplied paths when serving files; in particular, encoded path traversal sequences bypass its validation. As a result, even when specific `urls:` are configured, the middleware can serve arbitrary files under the configured `root:` directory, potentially exposing sensitive data.
Remote, unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). By crafting requests with encoded traversal sequences and guessing or knowing target file paths under the `root:` directory, attackers can read any accessible file in that directory, leading to high confidentiality impact such as leakage of configuration files, source code, or other private data.
Advisories and the patch commit recommend upgrading to Rack versions 2.2.13, 3.0.14, or 3.1.12, which address the sanitization flaw. Additional mitigations include avoiding Rack::Static altogether, configuring `root:` to point exclusively to directories with public files only, or fronting the application with a CDN or dedicated static file server, which would likely block traversal attempts. Relevant advisories appear in the Rack GitHub security page, patch commit, and Debian LTS announcements.
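To make the mitigation concrete, the following is an added example of a hypothetical guard a defender could place in front of static file serving; it is not Rack's own code and not part of the advisory. It assumes a `root:` directory and a list of `urls:` prefixes like those the advisory describes, decodes the request path once (as the filesystem would see it), and refuses anything that leaves the public directory.

```ruby
# Hypothetical StaticPathGuard (added example, not Rack::Static itself).
# Mirrors the advisory's guidance: serve only files that resolve inside the
# configured root, and only under the configured URL prefixes.
module StaticPathGuard
  module_function

  # Decode %XX escapes exactly once; double-encoded input stays literal and
  # therefore cannot become ".." after this step.
  def decode(path)
    path.to_s.b.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }.force_encoding(Encoding::UTF_8)
  end

  # Returns the absolute filesystem path to serve, or nil if the request
  # must be rejected. `root` need not exist; only string resolution is done.
  def resolve(root, urls, request_path)
    decoded = decode(request_path)
    return nil unless decoded.valid_encoding?
    return nil if decoded.include?("\0")           # NUL would truncate C-level opens

    # Honour the urls: allow-list on the *decoded* path, prefix-delimited so
    # "/assets" does not also admit "/assetsx/...".
    allowed = urls.any? do |u|
      prefix = u.end_with?("/") ? u : "#{u}/"
      decoded == u || decoded.start_with?(prefix)
    end
    return nil unless allowed

    # Refuse any parent-directory segment outright after decoding.
    return nil if decoded.split("/").include?("..")

    # Belt and braces: the canonical path must still sit inside root.
    root_abs  = File.expand_path(root)
    candidate = File.expand_path(File.join(root_abs, decoded))
    inside = candidate == root_abs || candidate.start_with?(root_abs + File::SEPARATOR)
    inside ? candidate : nil
  end
end

# Constructed configuration for illustration. The hardened form points
# root: at a directory holding public files only, as the advisory recommends:
#   use Rack::Static, urls: ["/assets"], root: "public"
# rather than a root: covering the whole application tree.
```

The checks are cumulative: a request that survives prefix matching and the `..` filter is still compared against the canonical root, so a bypass would have to defeat all three.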
Details
CWE(s)
Affected Products
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in public-facing Rack web server middleware directly enables remote exploitation of public-facing applications (T1190) and unauthorized reading of local system files (T1005).