CVE-2025-27610
Published: 10 March 2025
Summary
CVE-2025-27610 is a high-severity Relative Path Traversal (CWE-23) vulnerability in Rack (vendor: Rack). Its CVSS base score is 7.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 19.5% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and SI-10 (Information Input Validation).
Deeper analysis
Rack is a Ruby interface for building web applications, and the vulnerability in CVE-2025-27610 affects the Rack::Static component in versions prior to 2.2.13, 3.0.14, and 3.1.12. The flaw stems from improper sanitization of user-supplied paths, allowing encoded traversal sequences to bypass restrictions even when specific urls: are configured, so that any file under the designated root: directory can be retrieved.
An unauthenticated remote attacker can exploit the issue over the network by crafting requests containing path traversal sequences to read arbitrary files under root:, provided the attacker can guess or determine target paths, resulting in disclosure of sensitive data with no impact on integrity or availability.
Advisories and patches recommend upgrading to the fixed releases, removing Rack::Static usage entirely, configuring root: to contain only publicly intended files, or placing a CDN or dedicated static file server in front of the application to limit exposure. The associated EPSS scores remain low with only a minor peak, indicating limited observed exploitation interest to date.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-7800
Vulnerability details
Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.13, 3.0.14, and 3.1.12, `Rack::Static` can serve files under the specified `root:` even if `urls:` are provided, which may expose other files under the specified `root:` unexpectedly.
The vulnerability occurs because `Rack::Static` does not properly sanitize user-supplied paths before serving files. Specifically, encoded path traversal sequences are not correctly validated, allowing attackers to access files outside the designated static file directory. By exploiting this vulnerability, an attacker can gain access to all files under the specified `root:` directory, provided they are able to determine the path of the file. Versions 2.2.13, 3.0.14, and 3.1.12 contain a patch for the issue. Other mitigations include removing usage of `Rack::Static`, or ensuring that `root:` points at a directory path which only contains files which should be accessed publicly. It is likely that a CDN or similar static file server would also mitigate the issue.
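As an added example (not Rack's own code), the following resolver shows the defensive pattern the advisory implies for a static handler configured with `root:` and `urls:`: decode the request path exactly once, refuse traversal segments before touching the filesystem, enforce the configured URL prefixes, and confirm the final path is still under `root:`. The names `percent_decode` and `resolve_static` and the paths used are hypothetical.

```ruby
# Added example, not Rack's code: a defensive path resolver for a static
# handler configured like Rack::Static with `root:` and `urls:`.

# Decode %XX sequences exactly once, so an encoded "%2e%2e" becomes ".."
# and is caught by the segment check below instead of slipping past a
# comparison done on the raw, still-encoded string.
def percent_decode(path)
  path.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
end

# Returns the absolute file path to serve, or nil if the request must be
# refused. root: directory holding only public files; urls: the URL
# prefixes the handler may serve (as with Rack::Static's urls: option).
def resolve_static(root, urls, request_path)
  decoded = percent_decode(request_path)
  return nil if decoded.include?("\0")   # NUL bytes can truncate paths lower down

  # Work on path segments and refuse any ".." (or backslash) outright rather
  # than trying to normalise it; empty and "." segments are simply dropped.
  segments = decoded.split("/").reject { |s| s.empty? || s == "." }
  return nil if segments.any? { |s| s == ".." || s.include?("\\") }

  # Serve only under one of the configured URL prefixes.
  clean = "/" + segments.join("/")
  return nil unless urls.any? { |u| clean.start_with?(u.chomp("/") + "/") }

  # Final check: the absolute target must remain inside root.
  root_abs = File.expand_path(root)
  target = File.expand_path(File.join(root_abs, *segments))
  return nil unless target.start_with?(root_abs + File::SEPARATOR)
  target
end
```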
Related Threats
MITRE ATT&CK Enterprise Techniques (AI)
Why these techniques?
Path traversal in public-facing Rack web server middleware directly enables remote exploitation of public-facing applications (T1190) and unauthorized reading of local system files (T1005).
Mitigating Controls (NIST 800-53 r5) (AI)
SI-10 requires information input validation at entry points, directly addressing Rack::Static's failure to sanitize user-supplied paths and encoded traversal sequences.
SI-2 mandates identification, reporting, and correction of flaws like the path traversal vulnerability, enabling timely patching to versions 2.2.13, 3.0.14, or 3.1.12.
AC-22 ensures publicly accessible content from components like Rack::Static is restricted to authorized files only, mitigating exposure of unintended files under the root directory.