@renovate renovate bot commented Mar 10, 2025

This PR contains the following updates:

Package | Change | Age | Adoption | Passing | Confidence
rack (changelog) | '3.1.11' -> '3.1.12' | age | adoption | passing | confidence

GitHub Vulnerability Alerts

CVE-2025-27610

Summary

Rack::Static can serve files under the specified root: even if urls: are provided, which may expose other files under the specified root: unexpectedly.

Details

The vulnerability occurs because Rack::Static does not properly sanitize user-supplied paths before serving files. Specifically, encoded path traversal sequences are not correctly validated, allowing attackers to access files outside the designated static file directory.

Impact

By exploiting this vulnerability, an attacker can gain access to all files under the specified root: directory, provided they are able to determine the path of the file.

Mitigation

  • Update to the latest version of Rack, or
  • Remove usage of Rack::Static, or
  • Ensure that root: points at a directory path which only contains files which should be accessed publicly.

It is likely that a CDN or similar static file server would also mitigate the issue.


Release Notes

rack/rack (rack)

v3.1.12

Compare Source

Security

Configuration

📅 Schedule: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.


  • If you want to rebase/retry this PR, check this box

This PR was generated by Mend Renovate. View the repository job log.

Signed-off-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
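As an added illustration of the advisory's third mitigation bullet (example code written for this page, not Rack's own implementation): a hypothetical safe_static_path helper that percent-decodes a request path, checks it against the configured urls: prefixes, and confirms that the canonical result still lies under root: before anything is served. It assumes urls: is given as an Array of path prefixes and uses constructed root and request paths.

```ruby
# Hypothetical helper, added here as an example (not Rack's own code):
# resolve a request path against a static root and a list of allowed URL
# prefixes, refusing anything that would escape the root or fall outside
# the prefixes. Returns the absolute filesystem path, or nil to refuse.
def safe_static_path(root, urls, request_path)
  # Decode percent-encoding twice so double-encoded sequences such as
  # %252e%252e ("..") are visible to the checks below, then reject NUL bytes.
  decoded = request_path
  2.times { decoded = decoded.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr } }
  return nil if decoded.include?("\0")

  # Only paths under one of the configured prefixes may be served at all
  # (assumes urls is an Array of path prefixes, e.g. ["/assets"]).
  allowed = urls.any? do |u|
    prefix = u.end_with?("/") ? u : "#{u}/"
    decoded == u || decoded.start_with?(prefix)
  end
  return nil unless allowed

  # Reject any ".." segment explicitly ...
  return nil if decoded.split("/").include?("..")

  # ... and confirm with a canonical-path check that the resolved file
  # still lives under root (also catches odd combinations of "." and "/").
  root_abs  = File.expand_path(root)
  candidate = File.expand_path(File.join(root_abs, decoded))
  return nil unless candidate == root_abs || candidate.start_with?(root_abs + File::SEPARATOR)
  candidate
end
```

The decode-then-canonicalize order matters: checking the raw, still-encoded path against root would miss exactly the encoded traversal sequences the advisory describes.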
@renovate renovate bot merged commit e33fc07 into master Mar 11, 2025
2 checks passed
@renovate renovate bot deleted the renovate/rubygems-rack-vulnerability branch March 11, 2025 02:35