CVE-2026-25500
Description
Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, `Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename starts with the `javascript:` scheme (e.g. `javascript:alert(1)`), the generated index contains an anchor whose `href` is exactly `javascript:alert(1)`. Clicking the entry executes JavaScript in the browser (demonstrated with `alert(1)`). Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.
Predictions
Heuristic predictions, AS-IS, for prioritization only.
Mitigations
No mitigations published for this CVE yet.
The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or โ if you've already worked around this in production โ publish your fix to the community-verified tier.
โ Propose a mitigation on Community โ Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here withsource_tier=community-verified.
OS impact
SUSE Affected 1 release
| Version | Status | Fixed in |
|---|---|---|
| โ | Affected | โ |
Debian Fixed 5 releases
| Version | Status | Fixed in |
|---|---|---|
| trixie | Fixed | 3.1.20-0+deb13u1 |
| sid | Fixed | 3.2.5-1 |
| forky | Fixed | 3.2.5-1 |
| bullseye | Fixed | 2.1.4-3+deb11u5 |
| bookworm | Fixed | 2.2.22-0+deb12u1 |
References
- https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp
- https://www.suse.com/security/cve/CVE-2026-25500.html
- https://nvd.nist.gov/vuln/detail/CVE-2026-25500
- https://github.com/rack/rack/commit/f2f225f297b99fbee3d9f51255d41f601fc40aff
- https://github.com/rack/rack
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-25500.yml
- https://security-tracker.debian.org/tracker/CVE-2026-25500
Community-verified mitigations for this CVE will appear above when contributors publish them.
Verify integrity in audit chain (admin only). AS-IS.