Cyber Posture

CVE-2025-27610

Severity: High
Published: 10 March 2025
Modified: 03 November 2025
KEV Added: not listed
Patch: available
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0130 (79.9th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2025-27610 is a high-severity Relative Path Traversal (CWE-23) vulnerability in Rack (the Ruby web server interface), specifically in its `Rack::Static` middleware. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 20.1% of CVEs by exploit likelihood (EPSS 79.9th percentile), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-22 (Publicly Accessible Content) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190) and Data from Local System (T1005). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

SI-10 (Information Input Validation), prevent: requires information input validation at entry points, directly addressing Rack::Static's failure to sanitize user-supplied paths and encoded traversal sequences.

SI-2 (Flaw Remediation), prevent: mandates identification, reporting, and correction of flaws like the path traversal vulnerability, enabling timely patching to versions 2.2.13, 3.0.14, or 3.1.12.

AC-22 (Publicly Accessible Content), prevent: ensures publicly accessible content from components like Rack::Static is restricted to authorized files only, mitigating exposure of unintended files under the root directory.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1005 Data from Local System (Collection)
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
Why these techniques?

Path traversal in public-facing Rack web server middleware directly enables remote exploitation of public-facing applications (T1190) and unauthorized reading of local system files (T1005).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.13, 3.0.14, and 3.1.12, `Rack::Static` can serve files under the specified `root:` even if `urls:` are provided, which may expose other files under the specified `root:` unexpectedly. The vulnerability occurs because `Rack::Static` does not properly sanitize user-supplied paths before serving files. Specifically, encoded path traversal sequences are not correctly validated, allowing attackers to access files outside the designated static file directory. By exploiting this vulnerability, an attacker can gain access to all files under the specified `root:` directory, provided they are able to determine the path of the file. Versions 2.2.13, 3.0.14, and 3.1.12 contain a patch for the issue. Other mitigations include removing usage of `Rack::Static`, or ensuring that `root:` points at a directory path which only contains files which should be accessed publicly. It is likely that a CDN or similar static file server would also mitigate the issue.

Deeper analysis

Rack::Static, a component of the Rack Ruby web server interface, is affected by CVE-2025-27610, a path traversal vulnerability (CWE-23) present in versions prior to 2.2.13, 3.0.14, and 3.1.12. The issue arises because Rack::Static fails to properly sanitize user-supplied paths when serving files, particularly allowing encoded path traversal sequences to bypass validation. As a result, even when specific `urls:` are configured, the middleware can serve arbitrary files under the configured `root:` directory, potentially exposing sensitive data unintentionally.

Remote, unauthenticated attackers can exploit this vulnerability over the network with low complexity and no user interaction required, as indicated by its CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N). By crafting requests with encoded traversal sequences and guessing or knowing target file paths under the `root:` directory, attackers can read any accessible file in that directory, leading to high confidentiality impact such as leakage of configuration files, source code, or other private data.

Advisories and the patch commit recommend upgrading to Rack versions 2.2.13, 3.0.14, or 3.1.12, which address the sanitization flaw. Additional mitigations include avoiding Rack::Static altogether, configuring `root:` to point exclusively to directories with public files only, or fronting the application with a CDN or dedicated static file server, which would likely block traversal attempts. Relevant advisories appear in the Rack GitHub security page, patch commit, and Debian LTS announcements.
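As an added example (not Rack's own code and not from the advisory), the following stand-alone Ruby resolver applies the two checks the description above says were missing: a request is served only when it falls under one of the configured `urls:` prefixes, and percent-encoded traversal sequences are decoded before the containment check against `root:`. The names `PUBLIC_ROOT`, `ALLOWED_PREFIXES`, `percent_decode` and `resolve_static_path` are assumed here, and the root path is a constructed sample.

```ruby
# Added example, not Rack's code: decide whether a request path may be served
# from a static root, applying the checks the CVE-2025-27610 advisory describes
# as missing (prefix restriction and validation of encoded traversal sequences).
PUBLIC_ROOT = File.expand_path("/srv/app/public")   # constructed sample root
ALLOWED_PREFIXES = ["/assets", "/images"].freeze   # stands in for a `urls:` list

# Decode %XX escapes exactly once, so "%2e%2e" is seen as ".." before any check.
def percent_decode(str)
  str.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }
end

# Returns the absolute file path to serve, or nil when the request must be refused.
def resolve_static_path(request_path, root: PUBLIC_ROOT, prefixes: ALLOWED_PREFIXES)
  decoded = percent_decode(request_path)
  # A '%' left after one decode means double encoding; a NUL byte would truncate
  # the path in C-level file APIs. Fail closed on both.
  return nil if decoded.include?("%") || decoded.include?("\0")
  # Serve only paths under an allowed prefix, which is what `urls:` is meant to enforce.
  return nil unless prefixes.any? { |p| decoded == p || decoded.start_with?("#{p}/") }
  # Reject ".." segments explicitly rather than trusting normalisation alone.
  return nil if decoded.split("/").include?("..")
  candidate = File.expand_path(".#{decoded}", root)
  # Final containment check: the resolved path must still lie inside root.
  candidate.start_with?("#{root}/") ? candidate : nil
end

if __FILE__ == $PROGRAM_NAME
  ["/assets/app.css", "/assets/%2e%2e/config.ru", "/config.ru"].each do |req|
    puts "#{req.ljust(28)} -> #{resolve_static_path(req).inspect}"
  end
end
```

The resolver is deliberately fail-closed: any request that does not resolve to a file under an allowed prefix inside `root:` is refused, which is the same outcome as pointing `root:` at a directory containing only public files.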

Details

CWE(s): CWE-23 (Relative Path Traversal)

Affected Products

rack (rack): ≤ 2.2.13 · 3.0.0 — 3.0.14 · 3.1.0 — 3.1.12
