CVE-2026-34763 Overview
CVE-2026-34763 is an information disclosure vulnerability in Rack, the modular Ruby web server interface. The vulnerability exists in the Rack::Directory component, which improperly interpolates the configured root path directly into a regular expression when deriving the displayed directory path. When the root path contains regex metacharacters such as +, *, or ., the prefix stripping mechanism can fail, causing the generated directory listing to expose the full filesystem path in the HTML output.
Critical Impact
Attackers can leverage this vulnerability to discover sensitive filesystem paths in deployed Ruby web applications, potentially revealing internal directory structures, deployment paths, and server configurations that could facilitate further attacks.
Affected Products
- Rack versions prior to 2.2.23
- Rack versions prior to 3.1.21
- Rack versions prior to 3.2.6
Discovery Timeline
- 2026-04-02 - CVE CVE-2026-34763 published to NVD
- 2026-04-02 - Last updated in NVD database
Technical Details for CVE-2026-34763
Vulnerability Analysis
This vulnerability falls under CWE-625: Permissive Regular Expression. The core issue stems from how Rack::Directory processes the configured root path when generating directory listings for end users.
When a developer configures Rack::Directory with a root path that contains characters with special meaning in regular expressions (metacharacters), the component fails to properly escape these characters before using them in pattern matching operations. This design flaw causes the regex-based prefix stripping to malfunction.
The practical impact is that when the prefix stripping fails, the full internal filesystem path is exposed in the HTML output rendered to users. This information leakage can reveal sensitive details about the server's directory structure, deployment paths, and potentially usernames or application names embedded in file paths.
Root Cause
The root cause is the direct interpolation of the operator-configured root path into a regular expression without escaping. Rack::Directory builds a regex to strip the root-path prefix from the paths shown in directory listings, but does not escape regex metacharacters (+, *, ., ?, [, ], (, ), {, }, |, ^, $, \) that appear in the path string.
For example, if the root path is configured as /var/www/app+v2/public, the + character is interpreted as a regex quantifier meaning "one or more of the preceding character" rather than a literal plus sign. This causes the pattern match to fail unexpectedly, preventing proper path prefix removal.
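The following Ruby snippet is an added illustration, not Rack's own source: it reconstructs (as an assumption about the shape of the code) the prefix-stripping step described above, places the unescaped form beside the `Regexp.escape` form, and runs both over a few constructed root paths so the failed match, and the resulting disclosure of the full on-disk path, can be seen directly.

```ruby
# Added illustration, not Rack's source: a minimal reconstruction (assumption)
# of the prefix-stripping step Rack::Directory performs when it derives the
# path shown in a directory listing from the on-disk path.

# The vulnerable form interpolates the configured root into the pattern as-is,
# so any regex metacharacter in the root changes what the pattern matches.
def vulnerable_show_path(root, full_path)
  full_path.sub(/^#{root}/, '')
end

# The corrected form escapes the root first, so it is matched literally.
def fixed_show_path(root, full_path)
  full_path.sub(/^#{Regexp.escape(root)}/, '')
end

# Compare both forms for one root; :leaked is true when the vulnerable form
# returns the on-disk path unchanged, i.e. the prefix was not stripped.
def compare(root, subdir = 'uploads/')
  full_path = File.join(root, subdir)
  shown_vuln = vulnerable_show_path(root, full_path)
  {
    full_path: full_path,
    vulnerable: shown_vuln,
    fixed: fixed_show_path(root, full_path),
    leaked: shown_vuln == full_path
  }
end

# Constructed roots: one plain, the others containing metacharacters.
ROOTS = [
  '/var/www/app/public',      # no metacharacters: prefix is stripped
  '/var/www/app+v2/public',   # '+' becomes a quantifier on the preceding 'p'
  '/srv/sites/app(1)/public', # '(1)' becomes a group that matches only "1"
  '/srv/sites/app[1]/public'  # '[1]' becomes a character class matching "1"
].freeze

# Roots whose listings would expose the full on-disk path.
def leaking_roots(roots = ROOTS)
  roots.select { |root| compare(root)[:leaked] }
end

if __FILE__ == $PROGRAM_NAME
  ROOTS.each { |root| p compare(root) }
end
```

For the plain root both forms yield `/uploads/`; for the roots containing `+`, `(1)` or `[1]` the unescaped pattern never matches, `sub` returns its input untouched, and the full filesystem path is what ends up in the listing.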
Attack Vector
The attack vector is network-based and requires no authentication or user interaction. An attacker simply needs to access the directory listing functionality of a vulnerable Rack application where the root path contains regex metacharacters.
The vulnerability is exploited passively: the attacker does not need to craft a special payload. Simply requesting a directory listing from an application with a misconfigured root path will expose the full filesystem path in the response. This information disclosure can be leveraged for reconnaissance, potentially revealing:
- Internal server paths and directory structures
- Application deployment locations
- Username or organization names in paths
- Environment indicators (development, staging, production)
Detection Methods for CVE-2026-34763
Indicators of Compromise
- HTTP responses from directory listing endpoints containing unexpected full filesystem paths
- Directory listing HTML output showing paths like /home/username/apps/... or /var/www/production+v2/... instead of relative paths
- Error logs indicating regex pattern matching failures in Rack::Directory operations
Detection Strategies
- Review Rack application configurations for Rack::Directory usage with root paths containing regex metacharacters (+, *, ., ?, [, ], etc.)
- Implement web application firewall rules to detect and alert on responses containing common filesystem path patterns
- Conduct security audits of Ruby web applications to identify exposed directory listing endpoints
Monitoring Recommendations
- Monitor HTTP responses for filesystem path disclosure patterns in directory listing pages
- Set up alerts for error conditions in Rack middleware components
- Regularly audit application configurations for sensitive path exposure risks
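As an added example (not part of the advisory and not Rack's code), the Ruby below implements two of the checks listed under Detection Strategies and Monitoring Recommendations with the standard library only: a configuration review that flags `Rack::Directory` roots needing escaping, and a response review that extracts path-like tokens from a directory-listing body and reports any that begin with a configured root. The listing bodies and root paths are constructed sample data, and the `<title>`/`<h1>` layout is an assumption about the markup.

```ruby
# Added example, not from the advisory or from Rack: two defender-side checks
# built on the standard library alone.

# Configuration review: a root needs escaping exactly when Regexp.escape would
# change it. Note that Regexp.escape is conservative (it also escapes '-' and
# whitespace), so treat hits as candidates to review rather than proof of a leak.
def risky_root?(root)
  Regexp.escape(root) != root
end

def audit_roots(roots)
  roots.select { |root| risky_root?(root) }
end

# Absolute-path-like tokens, e.g. "/var/www/app+v2/public/uploads/".
PATH_TOKEN = %r{(?:/[\w.+-]+)+/?}

# Response review: pull path-like tokens out of a listing body and return the
# ones that begin with a configured root, i.e. on-disk paths that should have
# been reduced to the request path before rendering.
def disclosed_paths(body, roots)
  body.scan(PATH_TOKEN).uniq.select do |token|
    roots.any? { |root| token.start_with?(root) }
  end
end

# Constructed listing bodies (assumed <title>/<h1> layout).
LEAKY_LISTING = <<~HTML
  <html><head><title>/var/www/app+v2/public/uploads/</title></head>
  <body><h1>/var/www/app+v2/public/uploads/</h1>
  <a href="/uploads/report.pdf">report.pdf</a></body></html>
HTML

CLEAN_LISTING = <<~HTML
  <html><head><title>/uploads/</title></head>
  <body><h1>/uploads/</h1>
  <a href="/uploads/report.pdf">report.pdf</a></body></html>
HTML

# Constructed set of roots as they might appear in an application's config.
CONFIGURED_ROOTS = ['/var/www/app/public', '/var/www/app+v2/public'].freeze

if __FILE__ == $PROGRAM_NAME
  p audit_roots(CONFIGURED_ROOTS)
  p disclosed_paths(LEAKY_LISTING, CONFIGURED_ROOTS)
  p disclosed_paths(CLEAN_LISTING, CONFIGURED_ROOTS)
end
```

`audit_roots` is the static side (run it over the roots passed to `Rack::Directory.new` in your rackup or middleware configuration); `disclosed_paths` is the runtime side, suitable for a monitoring hook or a WAF-style response check, and it only reports tokens that match a root you actually configured, which keeps it from alerting on ordinary href paths like `/uploads/report.pdf`.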
How to Mitigate CVE-2026-34763
Immediate Actions Required
- Upgrade Rack to patched versions: 2.2.23, 3.1.21, or 3.2.6 depending on your current version branch
- Review and audit any Rack::Directory configurations for root paths containing regex metacharacters
- Consider temporarily disabling directory listing functionality until patches can be applied
Patch Information
The vulnerability has been patched in Rack versions 2.2.23, 3.1.21, and 3.2.6. The fix properly escapes regex metacharacters in the root path before using it in pattern matching operations. Organizations should update to the appropriate patched version based on their current Rack version branch.
For additional details, refer to the GitHub Security Advisory.
Workarounds
- Avoid using root paths containing regex metacharacters (+, *, ., ?, [, ], (, ), {, }, |, ^, $, \) in Rack::Directory configurations
- Implement a reverse proxy or web server in front of the Rack application to handle static file serving instead of using Rack::Directory
- If directory listing must be used, manually escape special characters in the configured root path or use symlinks to create paths without metacharacters
# Example: Update Rack gem to patched version
bundle update rack --conservative
# Or specify exact version in Gemfile
# gem 'rack', '>= 3.2.6' # For Rack 3.2.x users
# gem 'rack', '>= 3.1.21' # For Rack 3.1.x users
# gem 'rack', '>= 2.2.23' # For Rack 2.2.x users
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.