In early 2025, security researchers discovered a critical path traversal vulnerability (CVE-2025-27610) in the Rack::Static middleware, a core component used by most Ruby web frameworks to serve static files. When an application omits a properly configured 'root:' option, an attacker can craft specially formed URLs that escape the designated public directory and retrieve arbitrary files from the server. This flaw can expose configuration files, database credentials, private keys, certificates and other sensitive assets stored on the host. With access to these secrets, adversaries can compromise backend databases, gain unauthorized administrative access, move laterally within networks, and exfiltrate proprietary or personal data. Exposure extends to any application running a vulnerable Rack version, including Rails, Sinatra, Hanami and Roda deployments in e-commerce, fintech, healthcare and enterprise services. Organizations affected by this vulnerability face severe confidentiality breaches, business disruption, regulatory fines, erosion of customer trust and long-term reputational damage. Given Rack's ubiquity and over one billion global downloads, the impact of this vulnerability is widespread and high-risk for any unpatched Ruby environment.
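The property this vulnerability violates is that a static-file handler must never resolve a request to a file outside its configured root. The following is an added example, not code from Rack or from this advisory: a standalone confinement check in plain Ruby (no Rack gem required), with the two Rack::Static configuration shapes contrasted in comments; the `public` root, the sample request paths and the helper names are assumptions for illustration.

```ruby
# Added example, not code from Rack or from the advisory. A standalone path
# confinement check of the kind a static-file handler must perform, with the
# two Rack::Static configuration shapes the advisory contrasts shown below.
# Requires only the Ruby standard library.
#
#   # Risky shape: no explicit root, relying on defaults (constructed config.ru)
#   use Rack::Static, urls: ["/assets"]
#   # Expected shape: files are served only from an explicit public root
#   use Rack::Static, urls: ["/assets"], root: "public"
#
# Upgrading to a patched Rack release is the actual fix; this check only
# illustrates the property that was violated.

# Percent-decode exactly once. Decoding a second time would reopen traversal
# through double-encoded input, so the handler must not repeat it.
def percent_decode(path)
  path.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Resolve a request path against the public root. Returns the absolute
# filesystem path if it stays inside the root, or nil if the request escapes.
def resolve_static_path(root, request_path)
  root_abs = File.expand_path(root)
  decoded  = percent_decode(request_path)
  return nil if decoded.include?("\0")          # reject NUL-truncated names
  # File.join (rather than expand_path(decoded, root)) keeps a leading "/"
  # or "~" in the request from being treated as absolute or home-relative.
  candidate = File.expand_path(File.join(root_abs, decoded))
  # expand_path has collapsed "." and ".." lexically; what remains is to
  # check the result is strictly below the root. The trailing separator
  # stops a root of "public" from matching "public-backup".
  return nil unless candidate.start_with?(root_abs + File::SEPARATOR)
  candidate
end

# Classify constructed request paths (as they would appear in an access log)
# as :served or :rejected, the triage a defender runs to see which requests
# against a static handler would have stayed inside the public root.
def triage_requests(root, request_paths)
  request_paths.to_h { |p| [p, resolve_static_path(root, p) ? :served : :rejected] }
end

if __FILE__ == $0
  sample = ["/assets/app.css", "/assets/../index.html",          # constructed
            "/../config/database.yml", "/%2e%2e/%2e%2e/etc/passwd"]
  triage_requests("public", sample).each { |p, verdict| puts "#{verdict}\t#{p}" }
end
```

Note that a request for an absolute path such as `/etc/passwd` is confined to `public/etc/passwd` rather than rejected, which is the behaviour a correctly rooted handler shows.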
"id": "atl838042725",
"linkid": "atlantic-rack",
"type": "Vulnerability",
"date": "4/2025",
"severity": "60",
"impact": "3",
"explanation": "Attack with significant impact with internal employee data leaks"