
CVE-2025-27610

Severity: High
Published: 10 March 2025
Modified: 03 November 2025
KEV Added: not listed
Patch: available (fixed in 2.2.13, 3.0.14, 3.1.12)
CVSS Score v3.1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0135 (80.5th percentile)
Risk Priority: 16 (weighted 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-27610 is a high-severity Relative Path Traversal (CWE-23) vulnerability in Rack (vendor Rack, product Rack), the Ruby web server interface. Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 19.5% of CVEs by EPSS exploit likelihood, and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and SI-10 (Information Input Validation).

Deeper analysis

Rack is a Ruby interface for building web applications. CVE-2025-27610 affects the `Rack::Static` middleware in versions prior to 2.2.13, 3.0.14, and 3.1.12. The flaw stems from improper sanitization of user-supplied paths: percent-encoded traversal sequences are not validated correctly, so a request can bypass the `urls:` prefix restriction and retrieve any file under the configured `root:` directory, not only the files under the intended URL prefixes.

An unauthenticated remote attacker can exploit the issue over the network by sending requests containing encoded path traversal sequences and reading arbitrary files under `root:`, provided they can guess or otherwise determine the target path. The result is disclosure of sensitive data; integrity and availability are not affected (CVSS C:H/I:N/A:N).

The advisory recommends upgrading to a fixed release. Where that is not immediately possible, remove `Rack::Static`, ensure `root:` points at a directory that contains only files intended to be public (never the application root, where configuration and credentials live), or put a CDN or dedicated static file server in front of the application; the latter helps only if the origin does not remain directly reachable. EPSS has stayed low (0.0135, with only a minor peak), indicating limited observed exploitation interest to date.
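To check whether a deployment falls in the affected ranges above, the Ruby script below (an added example, not Rack's or the advisory's own code) reads the resolved `rack` version out of a `Gemfile.lock` and compares it against the three ranges the advisory gives. The sample lockfile text and the function names `locked_rack_version`, `rack_affected?` and `assess_lockfile` are constructed for this example.

```ruby
require "rubygems"

# Affected ranges for CVE-2025-27610 as stated in the advisory:
# everything before 2.2.13, the 3.0 series before 3.0.14, the 3.1 series before 3.1.12.
# Anything outside these ranges is reported as not affected by this CVE.
AFFECTED_RACK_RANGES = [
  Gem::Requirement.new("< 2.2.13"),
  Gem::Requirement.new(">= 3.0.0", "< 3.0.14"),
  Gem::Requirement.new(">= 3.1.0", "< 3.1.12"),
].freeze

def rack_affected?(version_string)
  version = Gem::Version.new(version_string)
  AFFECTED_RACK_RANGES.any? { |req| req.satisfied_by?(version) }
end

# Extract the resolved rack version from Gemfile.lock text.
# Resolved gems sit in the "specs:" block indented by exactly four spaces
# ("    rack (3.1.10)"); their dependencies are indented by six, and the
# "rack (~> 3.1)" line under DEPENDENCIES by two, so the anchored regex
# ignores both. Returns nil when rack is not in the lockfile.
def locked_rack_version(lockfile_text)
  m = lockfile_text.match(/^    rack \((\d+(?:\.\d+)*(?:\.[a-z0-9]+)*)\)\s*$/i)
  m && m[1]
end

def assess_lockfile(lockfile_text)
  version = locked_rack_version(lockfile_text)
  return { version: nil, status: :rack_not_found } unless version

  { version: version, status: rack_affected?(version) ? :affected : :not_affected }
end

# Constructed sample lockfile (hypothetical project, not real data).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (3.1.10)
      rack-session (2.1.0)
        rack (>= 3.0.0)
      sinatra (4.1.1)
        rack (>= 3.0.0, < 4)
        rack-session (>= 2.0.0, < 3)

  PLATFORMS
    ruby

  DEPENDENCIES
    rack (~> 3.1)
    sinatra

  BUNDLED WITH
     2.5.9
LOCK

if __FILE__ == $PROGRAM_NAME
  text = ARGV[0] ? File.read(ARGV[0]) : SAMPLE_LOCKFILE
  result = assess_lockfile(text)
  puts "rack #{result[:version] || '(absent)'}: #{result[:status]}"
end
```

Run it with a path to a real `Gemfile.lock` to check one application; without an argument it evaluates the embedded sample, which pins rack 3.1.10 and is therefore reported as affected. `Gem::Requirement` is used rather than string comparison so that prerelease and multi-digit components compare correctly.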

Vulnerability details

Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.13, 3.0.14, and 3.1.12, `Rack::Static` can serve files under the specified `root:` even if `urls:` are provided, which may expose other files under the specified `root:` unexpectedly.

The vulnerability occurs because `Rack::Static` does not properly sanitize user-supplied paths before serving files. Specifically, encoded path traversal sequences are not correctly validated, allowing attackers to access files outside the designated static file directory. By exploiting this vulnerability, an attacker can gain access to all files under the specified `root:` directory, provided they are able to determine the path of the file. Versions 2.2.13, 3.0.14, and 3.1.12 contain a patch for the issue. Other mitigations include removing usage of `Rack::Static`, or ensuring that `root:` points at a directory path which only contains files which should be accessed publicly. It is likely that a CDN or similar static file server would also mitigate the issue.

CWE(s)

CWE-23 Relative Path Traversal

Related Threats

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Path traversal in public-facing Rack web server middleware directly enables remote exploitation of public-facing applications (T1190) and unauthorized reading of local system files (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-34830 (same product: Rack)
CVE-2026-34785 (same product: Rack)
CVE-2026-34829 (same product: Rack)
CVE-2026-22860 (same product: Rack)
CVE-2026-34826 (same product: Rack)
CVE-2026-34827 (same product: Rack)
CVE-2026-34230 (same product: Rack)
CVE-2025-27111 (same product: Rack)
CVE-2025-2056 (shared CWE-23)
CVE-2025-55747 (shared CWE-23)

Affected Assets

rack (Ruby gem)
Affected: < 2.2.13 · ≥ 3.0.0 and < 3.0.14 · ≥ 3.1.0 and < 3.1.12
Fixed: 2.2.13, 3.0.14, 3.1.12 (and later releases in each series)

Mitigating Controls (NIST 800-53 r5)

prevent · SI-10 (Information Input Validation): requires validation of information at entry points, directly addressing `Rack::Static`'s failure to sanitize user-supplied paths and encoded traversal sequences. Because the flawed check lives inside Rack itself, the control is satisfied by upgrading; validation added in front of `Rack::Static` by the application is defence in depth, not a substitute.

prevent · SI-2 (Flaw Remediation): mandates identification, reporting, and correction of flaws such as this path traversal, i.e. timely patching to 2.2.13, 3.0.14, or 3.1.12 (or a later release in the same series).

prevent · AC-22 (Publicly Accessible Content): ensures that content published through components like `Rack::Static` is limited to files authorised for public access, so `root:` must contain only files intended to be public.
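The vulnerability details above describe the missing check (encoded traversal sequences escaping the `urls:` prefixes while staying under `root:`), and SI-10 names the control. The Ruby function below is an added example of that input validation written for this page; it is not Rack's code and not its patch, and it makes no claim about how Rack's fix is implemented. The function names (`percent_decode`, `normalize_segments`, `resolve_static_path`), the root `/srv/app/public`, the prefix `/assets` and the sample request paths are assumptions for illustration.

```ruby
# Illustrative static-path validation (added example, not Rack::Static's own logic).
# Steps: percent-decode repeatedly so double encoding cannot hide a traversal,
# reject NUL bytes, collapse "." and ".." segments, apply the url-prefix check to the
# decoded and normalised path (not the raw request), then confirm the resolved file
# really lies inside root before anything is opened.

MAX_DECODE_ROUNDS = 3

# Decode %XX sequences until the string stops changing (bounded), so that
# "%252e%252e" -> "%2e%2e" -> ".." is caught instead of being decoded later.
def percent_decode(path)
  decoded = path
  MAX_DECODE_ROUNDS.times do
    nxt = decoded.gsub(/%([0-9A-Fa-f]{2})/) { [$1.hex].pack("C") }
    break if nxt == decoded
    decoded = nxt
  end
  decoded
end

# Collapse "." and ".." segments. Returns nil if ".." would climb above "/",
# which is treated as hostile rather than silently clamped.
def normalize_segments(decoded)
  out = []
  decoded.split(%r{[/\\]}).each do |seg|
    case seg
    when "", "."
      next
    when ".."
      return nil if out.empty?
      out.pop
    else
      out << seg
    end
  end
  "/" + out.join("/")
end

# Returns [:serve, absolute_file_path] or [:reject, reason].
def resolve_static_path(root, url_prefixes, request_path)
  decoded = percent_decode(request_path)
  return [:reject, "NUL byte in path"] if decoded.include?("\0")

  normalized = normalize_segments(decoded)
  return [:reject, "traversal above root"] if normalized.nil?

  # Prefix check on the normalised path: "/assets/../config/x" becomes "/config/x"
  # and no longer matches "/assets", whereas a raw-string check would have passed it.
  allowed = url_prefixes.any? do |p|
    normalized == p || normalized.start_with?(p.chomp("/") + "/")
  end
  return [:reject, "#{normalized} is outside the configured urls"] unless allowed

  root_abs = File.expand_path(root)
  file = File.expand_path(".#{normalized}", root_abs)
  # Backstop: whatever the earlier steps missed, never open anything outside root.
  return [:reject, "resolved outside root"] unless file.start_with?(root_abs + File::SEPARATOR)

  [:serve, file]
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample requests against a hypothetical root and prefix.
  root = "/srv/app/public"
  prefixes = ["/assets"]
  [
    "/assets/app.js",
    "/assets/css/../app.js",
    "/assets/..%2fconfig%2fsecrets.yml",
    "/assets/%252e%252e/config/secrets.yml",
    "/assets/../../etc/passwd",
    "/assets/app.js%00.png",
    "/config/secrets.yml",
  ].each do |req|
    verdict, detail = resolve_static_path(root, prefixes, req)
    puts format("%-42s %-7s %s", req, verdict, detail)
  end
end
```

Two choices matter here. The prefix check runs on the decoded, normalised path rather than the raw request string, which is what stops an encoded `..` from satisfying a prefix match and then escaping once decoded; and decoding is repeated (with a bound) so a double-encoded sequence is not left intact for a later layer to decode. The final `File.expand_path` comparison is the part SI-10 ultimately cares about: nothing outside `root:` is ever opened, regardless of what the earlier steps missed. Upgrading Rack remains the actual fix; this check belongs in front of `Rack::Static` only as defence in depth.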
