Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 0ea000e1c0e7 · 2026-04-02T18:46:20.000Z
GHSA-h2jq-g4cq-5ppq GHSA-q4qf-9j86-f5mh
diff --git a/advisories/github-reviewed/2026/04/GHSA-h2jq-g4cq-5ppq/GHSA-h2jq-g4cq-5ppq.json b/advisories/github-reviewed/2026/04/GHSA-h2jq-g4cq-5ppq/GHSA-h2jq-g4cq-5ppq.json
@@ -0,0 +1,100 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-h2jq-g4cq-5ppq",
+  "modified": "2026-04-02T18:44:25Z",
+  "published": "2026-04-02T18:44:25Z",
+  "aliases": [
+    "CVE-2026-34785"
+  ],
+  "summary": "Rack::Static prefix matching can expose unintended files under the static root",
+  "details": "## Summary\n\n`Rack::Static` determines whether a request should be served as a static file using a simple string prefix check. When configured with URL prefixes such as `\"/css\"`, it matches any request path that begins with that string, including unrelated paths such as `\"/css-config.env\"` or `\"/css-backup.sql\"`.\n\nAs a result, files under the static root whose names merely share the configured prefix may be served unintentionally, leading to information disclosure.\n\n## Details\n\n`Rack::Static#route_file` performs static-route matching using logic equivalent to:\n\n```ruby\n@urls.any? { |url| path.index(url) == 0 }\n```\n\nThis checks only whether the request path starts with the configured prefix string. It does not require a path segment boundary after the prefix.\n\nFor example, with:\n\n```ruby\nuse Rack::Static, urls: [\"/css\", \"/js\"], root: \"public\"\n```\n\nthe following path is matched as intended:\n\n```text\n/css/style.css\n```\n\nbut these paths are also matched:\n\n```text\n/css-config.env\n/css-backup.sql\n/csssecrets.yml\n```\n\nIf such files exist under the configured static root, Rack forwards the request to the file server and serves them as static content.\n\nThis means a configuration intended to expose only directory trees such as `/css/...` and `/js/...` may also expose sibling files whose names begin with those same strings.\n\n## Impact\n\nAn attacker can request files under the configured static root whose names share a configured URL prefix and obtain their contents.\n\nIn affected deployments, this may expose configuration files, secrets, backups, environment files, or other unintended static content located under the same root directory.\n\n## Mitigation\n\n* Update to a patched version of Rack that enforces a path boundary when matching configured static URL prefixes.\n* Match only paths that are either exactly equal to the configured prefix or begin with `prefix + \"/\"`.\n* Avoid placing sensitive files under the `Rack::Static` root directory.\n* Prefer static URL mappings that cannot overlap with sensitive filenames.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "RubyGems",
+        "name": "rack"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.2.23"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "RubyGems",
+        "name": "rack"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "3.0.0.beta1"
+            },
+            {
+              "fixed": "3.1.21"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "RubyGems",
+        "name": "rack"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "3.2.0"
+            },
+            {
+              "fixed": "3.2.6"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/rack/rack/security/advisories/GHSA-h2jq-g4cq-5ppq"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34785"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/rack/rack"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-187",
+      "CWE-200"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-02T18:44:25Z",
+    "nvd_published_at": "2026-04-02T17:16:24Z"
+  }
+}
diff --git a/advisories/github-reviewed/2026/04/GHSA-q4qf-9j86-f5mh/GHSA-q4qf-9j86-f5mh.json b/advisories/github-reviewed/2026/04/GHSA-q4qf-9j86-f5mh/GHSA-q4qf-9j86-f5mh.json
@@ -0,0 +1,99 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-q4qf-9j86-f5mh",
+  "modified": "2026-04-02T18:44:49Z",
+  "published": "2026-04-02T18:44:49Z",
+  "aliases": [
+    "CVE-2026-34786"
+  ],
+  "summary": "Rack:: Static header_rules bypass via URL-encoded paths",
+  "details": "## Summary\n\n`Rack::Static#applicable_rules` evaluates several `header_rules` types against the raw URL-encoded `PATH_INFO`, while the underlying file-serving path is decoded before the file is served. As a result, a request for a URL-encoded variant of a static path can serve the same file without the headers that `header_rules` were intended to apply.\n\nIn deployments that rely on `Rack::Static` to attach security-relevant response headers to static content, this can allow an attacker to bypass those headers by requesting an encoded form of the path.\n\n## Details\n\n`Rack::Static#applicable_rules` matches rule types such as `:fonts`, `Array`, and `Regexp` directly against the incoming `PATH_INFO`. For example:\n\n```ruby\nwhen :fonts\n  /\\.(?:ttf|otf|eot|woff2|woff|svg)\\z/.match?(path)\nwhen Array\n  /\\.(#{rule.join('|')})\\z/.match?(path)\nwhen Regexp\n  rule.match?(path)\n```\n\nThese checks operate on the raw request path. If the request contains encoded characters such as `%2E` in place of `.`, the rule may fail to match even though the file path is later decoded and served successfully by the static file server.\n\nFor example, both of the following requests may resolve to the same file on disk:\n\n```text\n/fonts/test.woff\n/fonts/test%2Ewoff\n```\n\nbut only the unencoded form may receive the headers configured through `header_rules`.\n\nThis creates a canonicalization mismatch between the path used for header policy decisions and the path ultimately used for file serving.\n\n## Impact\n\nApplications that rely on `Rack::Static` `header_rules` to apply security-relevant headers to static files may be affected.\n\nIn affected deployments, an attacker can request an encoded variant of a static file path and receive the same file without the intended headers. Depending on how `header_rules` are used, this may bypass protections such as clickjacking defenses, content restrictions, or other response policies applied to static content.\n\nThe practical impact depends on the configured rules and the types of files being served. If `header_rules` are only used for non-security purposes such as caching, the issue may have limited security significance.\n\n## Mitigation\n\n* Update to a patched version of Rack that applies `header_rules` to a decoded path consistently with static file resolution.\n* Do not rely solely on `Rack::Static` `header_rules` for security-critical headers where encoded path variants may reach the application.\n* Prefer setting security headers at the reverse proxy or web server layer so they apply consistently to both encoded and unencoded path forms.\n* Normalize or reject encoded path variants for static content at the edge, where feasible.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "RubyGems",
+        "name": "rack"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.2.23"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "RubyGems",
+        "name": "rack"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "3.0.0.beta1"
+            },
+            {
+              "fixed": "3.1.21"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "RubyGems",
+        "name": "rack"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "3.2.0"
+            },
+            {
+              "fixed": "3.2.6"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/rack/rack/security/advisories/GHSA-q4qf-9j86-f5mh"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34786"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/rack/rack"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-180"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-02T18:44:49Z",
+    "nvd_published_at": "2026-04-02T17:16:25Z"
+  }
+}
