Apr 2, 2026·4 min read·42 visits
Rack::Static evaluates security header rules against raw URL paths before decoding them. Requesting an encoded file extension (e.g., %2ejs) bypasses header rules (like CSP) while still serving the requested file.
A canonicalization vulnerability in the Rack Ruby gem's Rack::Static middleware allows attackers to bypass security header rules. By supplying URL-encoded paths, an attacker can evade pattern-matching logic while still retrieving the targeted static files.
Rack middleware uses Rack::Static to serve static files and apply security headers based on path patterns. The middleware evaluates these rules against the raw, unescaped PATH_INFO string extracted from the HTTP request.
A discrepancy exists because the underlying file-serving logic, typically handled by Rack::File, URI-decodes the path before accessing the filesystem. This canonicalization mismatch allows an attacker to manipulate the request path with URL encoding to evade the initial checks.
The flaw is tracked as CWE-180 (Incorrect Behavior Order: Validate Before Canonicalize). By encoding characters critical to pattern matching, such as replacing a file extension dot with %2E, an attacker bypasses the header rules but still retrieves the intended file.
The vulnerability originates in the Rack::Static#applicable_rules method located in lib/rack/static.rb. This method iterates through configured matching rules, including arrays of file extensions, strings, and regular expressions, to determine which HTTP headers apply to a given request.
During the evaluation phase, the path variable strictly contains the raw PATH_INFO value. If a developer defines a rule applying a Content-Security-Policy header to all .js files, the regex generated by the middleware literalizes the dot character.
When a request specifies an encoded extension like %2ejs, the exact string match fails against the regex expecting .js. The rules engine concludes no headers are required, while the subsequent file-serving layer decodes the path and successfully locates the file on disk.
The vulnerable implementation processes the raw path directly within the rule evaluation block. The regular expression dynamically created from array inputs expects literal dot characters preceding the file extension, leading to the mismatch when URL encoding is used.
def applicable_rules(path)
@header_rules.find_all do |rule, new_headers|
case rule
# ...
when Array
/\.(#{rule.join('|')})\z/.match?(path)
end
end
endThe patch addresses this by enforcing canonicalization prior to validation. The path variable is explicitly decoded using ::Rack::Utils.unescape_path(path) before any rule matching occurs.
def applicable_rules(path)
# Fix: Decode the path once before matching
path = ::Rack::Utils.unescape_path(path)
@header_rules.find_all do |rule, new_headers|
case rule
# ...
when Array
# Fix: Safely construct regex with union
/\.#{Regexp.union(rule)}\z/.match?(path)
end
end
endExploitation requires a target application utilizing Rack::Static to serve files while enforcing security rules based on file extensions or paths. The attacker must understand the applied rules and the location of the static assets.
The attacker crafts an HTTP request where the file extension separator is URL-encoded. For example, instead of requesting /js/app.js, the attacker requests /js/app%2ejs.
The middleware processes /js/app%2ejs, failing to match the js header rule. The file server then decodes the path to /js/app.js and serves the file, bypassing the security controls.
The immediate impact is the circumvention of intended security policies applied to static files. This primarily affects defensive headers such as Content-Security-Policy (CSP), X-Frame-Options, and Cache-Control.
Bypassing CSP on JavaScript or HTML files facilitates Cross-Site Scripting (XSS) if the served files process untrusted input. The lack of X-Frame-Options exposes the application to UI redressing and Clickjacking attacks.
The vulnerability carries a CVSS v3.1 score of 5.3 (Medium), reflecting the requirement for chaining with other flaws to achieve direct compromise. The confidentiality, integrity, and availability of the underlying server infrastructure remain unaffected.
Upgrading the Rack gem is the primary and complete remediation for this vulnerability. Administrators must update deployments to versions 2.2.23, 3.1.21, or 3.2.6.
If an immediate upgrade is unfeasible, administrators can deploy defensive configuration rules at the reverse proxy or web server layer. Configuring Nginx or Apache to reject requests containing URL-encoded dots (%2E or %2e) in static asset paths mitigates the bypass.
After applying the patch, security teams should verify the fix by requesting statically served files using encoded extensions. A successful remediation will apply the configured security headers uniformly across standard and encoded path requests.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N| Product | Affected Versions | Fixed Version |
|---|---|---|
Rack (Ruby Gem) Rack | < 2.2.23 | 2.2.23 |
Rack (Ruby Gem) Rack | >= 3.0.0.beta1, < 3.1.21 | 3.1.21 |
Rack (Ruby Gem) Rack | >= 3.2.0, < 3.2.6 | 3.2.6 |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-180 |
| CVSS Score | 5.3 |
| Attack Vector | Network |
| Impact | Security Header Bypass |
| Exploit Status | None |
| CISA KEV | False |
Incorrect Behavior Order: Validate Before Canonicalize
A property shadowing vulnerability exists in protobufjs where schema-derived names can collide with and overwrite runtime-critical internal helper properties. This issue leads to uncaught runtime exceptions and crash-based Denial of Service.
An integer truncation vulnerability (CWE-197) exists in SQLite before version 3.50.2 during the processing of aggregate queries with more than 32,767 distinct column references. This causes an internal 32-bit counter to truncate to a signed 16-bit integer, producing negative values that cause out-of-bounds heap operations in release builds.
An integer overflow vulnerability in the Windows kernel-mode HTTP driver (HTTP.sys) allows an unauthenticated remote attacker to execute arbitrary code with kernel privileges or cause a Denial of Service via a specially crafted sequence of HTTP request headers.
A memory corruption vulnerability exists in the FTS5 (Full-Text Search 5) extension of SQLite prior to version 3.53.2. An attacker can construct a malicious database file containing corrupt FTS5 page data. Querying this database triggers out-of-bounds reads and heap-based buffer overflows, potentially causing a crash or arbitrary code execution.
A mass assignment vulnerability (CWE-915) in n8n's self-service settings API endpoint (PATCH /me/settings) allows authenticated Single Sign-On (SSO) users to disable SSO enforcement for their accounts by injecting administrative parameters. This bypasses organizational identity provider controls and multi-factor authentication (MFA).
CVE-2026-55699 (also identified as GHSA-4gxm-v5v7-fqc4) is a critical path traversal and arbitrary directory deletion vulnerability in the pnpm package manager. The issue exists because the manifest validation process fails to prevent relative path segments within the package 'bin' keys. When a malicious package containing structured path traversal markers is globally installed and later manipulated, pnpm resolves the target paths through path.join() and passes the resolved paths to a recursive deletion function, resulting in arbitrary directory removal.