rack

51 known vulnerabilities across versions.
Each entry gives the CVE, the affected version range, the opening of the advisory description (truncated excerpts, cut off at the page's column width), and the CVSS score and severity where the page lists one. Where a description names a fix for each maintained branch (for example 2.2.23, 3.1.21 and 3.2.6), every branch below its own fix version is affected, not only the oldest one, so compare the installed version against the fix for its own branch.
CVE-2026-39324
Affected: >= 2.0.0 and < 2.1.2
Rack::Session is a session management implementation for Rack. From 2.0.0 to before 2.1.2, Rack::Session::Cookie incorrectly handl
Note: the 2.0.0 to 2.1.2 range is taken from a Rack::Session description and reads as a Rack::Session version line (on Rack 3, Rack::Session ships as the separate rack-session gem), not a rack gem version; check the rack-session version in your lockfile as well.
CVSS 9.8 CRITICAL
CVE-2026-34835
Affected: >= 3.0.0 and < 3.1.21; >= 3.2.0 and < 3.2.6
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Request
CVSS 4.8 MEDIUM
CVE-2026-34827
Affected: >= 3.0.0 and < 3.1.21; >= 3.2.0 and < 3.2.6
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21, and 3.2.0 to before 3.2.6, Rack::Multipar
CVSS 7.5 HIGH
CVE-2026-32762
Affected: >= 3.0.0 and < 3.1.21; >= 3.2.0 and < 3.2.6
Rack is a modular Ruby web server interface. From versions 3.0.0.beta1 to before 3.1.21 and 3.2.0 to before 3.2.6, Rack::Utils.for
CVSS 4.8 MEDIUM
CVE-2026-26962
Affected: >= 3.2.0 and < 3.2.6
Rack is a modular Ruby web server interface. From version 3.2.0 to before version 3.2.6, Rack::Multipart::Parser unfolds folded mu
CVSS 4.8 MEDIUM
CVE-2026-34831
Affected: < 2.2.23; 3.x < 3.1.21; 3.2.x < 3.2.6
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Files#fail sets the Content-Length
CVSS 4.8 MEDIUM
CVE-2026-34830
Affected: < 2.2.23; 3.x < 3.1.21; 3.2.x < 3.2.6
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Sendfile#map_accel_path interpolat
CVSS 5.9 MEDIUM
CVE-2026-34829
Affected: < 2.2.23; 3.x < 3.1.21; 3.2.x < 3.2.6
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser only wraps the r
CVSS 7.5 HIGH
CVE-2026-34826
Affected: < 2.2.23; 3.x < 3.1.21; 3.2.x < 3.2.6
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.get_byte_ranges parses the H
CVSS 5.3 MEDIUM
CVE-2026-34786
Affected: < 2.2.23; 3.x < 3.1.21; 3.2.x < 3.2.6
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static#applicable_rules evaluates
CVSS 5.3 MEDIUM
CVE-2026-34785
Affected: < 2.2.23; 3.x < 3.1.21; 3.2.x < 3.2.6
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Static determines whether a reques
CVSS 7.5 HIGH
CVE-2026-34763
Affected: < 2.2.23; 3.x < 3.1.21; 3.2.x < 3.2.6
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Directory interpolates the configu
CVSS 5.3 MEDIUM
CVE-2026-34230
Affected: < 2.2.23; 3.x < 3.1.21; 3.2.x < 3.2.6
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Utils.select_best_encoding process
CVSS 5.3 MEDIUM
CVE-2026-26961
Affected: < 2.2.23; 3.x < 3.1.21; 3.2.x < 3.2.6
Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Multipart::Parser extracts the bou
CVSS 3.7 LOW
CVE-2026-25500
Affected: < 2.2.22; 3.x < 3.1.20; 3.2.x < 3.2.5
Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, Rack::Directory generates an HTML dire
CVSS 5.4 MEDIUM
CVE-2026-22860
Affected: < 2.2.22; 3.x < 3.1.20; 3.2.x < 3.2.5
Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, Rack::Directory's path check used a
CVSS 7.5 HIGH
CVE-2025-61919
Affected: < 2.2.20; 3.x < 3.1.18; 3.2.x < 3.2.3
Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, Rack::Request#POST reads the entire re
CVSS 7.5 HIGH
CVE-2025-61780
Affected: < 2.2.20; 3.x < 3.1.18; 3.2.x < 3.2.3
Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, a possible information disclosure vulner
CVSS 5.8 MEDIUM
CVE-2025-61772
Affected: < 2.2.19; 3.x < 3.1.17; 3.2.x < 3.2.2
Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, Rack::Multipart::Parser can accumul
CVSS 7.5 HIGH
CVE-2025-61771
Affected: < 2.2.19; 3.x < 3.1.17; 3.2.x < 3.2.2
Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, Rack::Multipart::Parser stores non
CVSS 7.5 HIGH
CVE-2025-61770
Affected: < 2.2.19; 3.x < 3.1.17; 3.2.x < 3.2.2
Rack is a modular Ruby web server interface. In versions prior to 2.2.19, 3.1.17, and 3.2.2, Rack::Multipart::Parser buffers the
CVSS 7.5 HIGH
CVE-2025-59830
Affected: < 2.2.18
Rack is a modular Ruby web server interface. Prior to version 2.2.18, Rack::QueryParser enforces its params_limit only for paramet
CVSS 7.5 HIGH
CVE-2025-49007
Affected: >= 3.1.0 and < 3.1.16
Rack is a modular Ruby web server interface. Starting in version 3.1.0 and prior to version 3.1.16, there is a denial of service v
CVSS 5.3 MEDIUM
CVE-2025-46727
Affected: < 2.2.14; 3.0.x < 3.0.16; 3.1.x < 3.1.14
Rack is a modular Ruby web server interface. Prior to versions 2.2.14, 3.0.16, and 3.1.14, Rack::QueryParser parses query string
CVSS 7.5 HIGH
CVE-2025-32441
Affected: < 2.2.14
Rack is a modular Ruby web server interface. Prior to version 2.2.14, when using the Rack::Session::Pool middleware, simultaneou
CVSS 4.2 MEDIUM
CVE-2025-27610
Affected: < 2.2.13; 3.0.x < 3.0.14; 3.1.x < 3.1.12
Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.13, 3.0.14, and 3.1.12, Rack::Static c
CVSS 7.5 HIGH
CVE-2025-27111
Affected: < 2.2.12
Rack is a modular Ruby web server interface. The Rack::Sendfile middleware logs unsanitised header values from the X-Sendfile-Type
CVSS 7.5 HIGH
CVE-2025-25184
Affected: < 2.2.11; 3.0.x < 3.0.12; 3.1.x < 3.1.10
Rack provides an interface for developing web applications in Ruby. Prior to versions 2.2.11, 3.0.12, and 3.1.10, Rack::CommonLogg
CVSS 6.5 MEDIUM
CVE-2023-27539
Affected: >= 2.0.0 and < 2.2.6.4
There is a denial of service vulnerability in the header parsing component of Rack.
CVSS 5.3 MEDIUM
CVE-2024-39316
Affected: >= 3.1.0 and < 3.1.5
Rack is a modular Ruby web server interface. Starting in version 3.1.0 and prior to version 3.1.5, Regular Expression Denial of Se
CVSS 6.5 MEDIUM
CVE-2024-26146
Affected: >= 0.4 and < 2.0.9.4
Rack is a modular Ruby web server interface. Carefully crafted headers can cause header parsing in Rack to take longer than expect
CVSS 5.3 MEDIUM
CVE-2024-26141
Affected: >= 1.3.0 and < 2.2.8.1
Rack is a modular Ruby web server interface. Carefully crafted Range headers can cause a server to respond with an unexpectedly la
CVSS 5.8 MEDIUM
CVE-2024-25126
Affected: >= 0.4 and < 2.2.8.1
Rack is a modular Ruby web server interface. Carefully crafted content type headers can cause Rack's media type parser to take m
CVSS 5.3 MEDIUM
CVE-2023-27530
Affected: < 2.0.9.3; 2.1.x < 2.1.4.3; 2.2.x < 2.2.6.3; 3.0.x < 3.0.4.2
A DoS vulnerability exists in Rack <v3.0.4.2, <v2.2.6.3, <v2.1.4.3 and <v2.0.9.3 within the Multipart MIME parsing code in whic
CVSS 7.5 HIGH
CVE-2022-44572
Affected: < 2.0.9.2; 2.1.x < 2.1.4.2; 2.2.x < 2.2.4.1; 3.0.x < 3.0.0.1
A denial of service vulnerability in the multipart parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1 and 3.0.0.1 could
CVSS 7.5 HIGH
CVE-2022-44571
Affected: >= 2.0.0 and < 2.0.9.2; 2.1.x < 2.1.4.2; 2.2.x < 2.2.4.1
There is a denial of service vulnerability in the Content-Disposition parsing component of Rack fixed in 2.0.9.2, 2.1.4.2, 2.2.4.1,
CVSS 7.5 HIGH
CVE-2022-44570
Affected: >= 1.5.0 and < 2.0.9.2
A denial of service vulnerability in the Range header parsing component of Rack >= 1.5.0. A carefully crafted input can cause the
CVSS 7.5 HIGH
CVE-2022-30123
Affected: < 2.0.9.1; 2.1.x < 2.1.4.1; 2.2.x < 2.2.3.1
A sequence injection vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 which could allow a possible shell escape in
CVSS 10.0 CRITICAL
CVE-2022-30122
Affected: >= 1.2 and < 2.0.9.1; 2.1.x < 2.1.4.1; 2.2.x < 2.2.3.1
A possible denial of service vulnerability exists in Rack <2.0.9.1, <2.1.4.1 and <2.2.3.1 in the multipart parsing component of Ra
CVSS 7.5 HIGH
CVE-2020-8161
Affected: < 2.2.0
A directory traversal vulnerability exists in rack < 2.2.0 that allows an attacker to perform directory traversal in th
CVSS 8.6 HIGH
CVE-2020-8184
Affected: < 2.1.4; 2.2.x < 2.2.3
A reliance on cookies without validation/integrity check security vulnerability exists in rack < 2.2.3, rack < 2.1.4 that makes it
CVSS 7.5 HIGH
CVE-2019-16782
Affected: < 1.6.12
There's a possible information leak / session hijack vulnerability in Rack (RubyGem rack). This vulnerability is patched in versio
CVSS 6.3 MEDIUM
CVE-2018-16471
Affected: >= 1.6.0 and < 1.6.11; 2.0.x < 2.0.6
There is a possible XSS vulnerability in Rack before 2.0.6 and 1.6.11. Carefully crafted requests can impact the data returned by
CVSS 6.1 MEDIUM
CVE-2018-16470
Affected: < 2.0.6
There is a possible DoS vulnerability in the multipart parser in Rack before 2.0.6. Specially crafted requests can cause the multi
CVSS 7.5 HIGH
CVE-2015-3225
Affected: < 1.5.4; 1.6.x < 1.6.2
lib/rack/utils.rb in Rack before 1.5.4 and 1.6.x before 1.6.2, as used with Ruby on Rails 3.x and 4.x and other products, allows r
CVSS: not listed
CVE-2013-0184
Affected: 1.1.x < 1.1.5; 1.2.x < 1.2.7; 1.3.x < 1.3.9; a later branch is cut off in the description
Unspecified vulnerability in Rack::Auth::AbstractRequest in Rack 1.1.x before 1.1.5, 1.2.x before 1.2.7, 1.3.x before 1.3.9, and 1
CVSS: not listed
CVE-2013-0183
Affected: 1.3.x < 1.3.8; 1.4.x < 1.4.3
multipart/parser.rb in Rack 1.3.x before 1.3.8 and 1.4.x before 1.4.3 allows remote attackers to cause a denial of service (memory
CVSS: not listed
CVE-2012-6109
Affected: < 1.1.4; 1.2.x < 1.2.6; 1.3.x < 1.3.7; 1.4.x < 1.4.2
lib/rack/multipart.rb in Rack before 1.1.4, 1.2.x before 1.2.6, 1.3.x before 1.3.7, and 1.4.x before 1.4.2 uses an incorrect regul
CVSS: not listed
CVE-2013-0263
Affected: 1.5.x < 1.5.2; 1.4.x < 1.4.5; 1.3.x < 1.3.10; 1.2.x < 1.2.8; 1.1.x (fix version cut off in the description)
Rack::Session::Cookie in Rack 1.5.x before 1.5.2, 1.4.x before 1.4.5, 1.3.x before 1.3.10, 1.2.x before 1.2.8, and 1.1.x before 1.
CVSS: not listed
CVE-2013-0262
Affected: 1.5.x < 1.5.2; 1.4.x < 1.4.5
rack/file.rb (Rack::File) in Rack 1.5.x before 1.5.2 and 1.4.x before 1.4.5 allows attackers to access arbitrary files outside the
CVSS: not listed
CVE-2011-5036
Affected: < 1.1.3; 1.2.x < 1.2.5; 1.3.x < 1.3.6
Rack before 1.1.3, 1.2.x before 1.2.5, and 1.3.x before 1.3.6 computes hash values for form parameters without restricting the abi
CVSS: not listed
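The check a practitioner wants from a list like this is whether the rack version pinned in a project's Gemfile.lock falls inside any of the affected ranges, taking every branch into account rather than only the oldest one shown in the range column. The following is an added example, not rack's own code and not part of this page's source: it transcribes a handful of the advisories above into Gem::Requirement strings (RubyGems ships with Ruby, so nothing needs installing), pulls the resolved rack version out of a constructed Gemfile.lock fragment, and reports the matching CVEs. The advisory subset, the lockfile fragment and the helper names are the example's own choices.

```ruby
# Added example (not rack's code, not threatengine.sh's): match the rack version
# pinned in a Gemfile.lock against affected ranges transcribed from this page.
# Uses only Gem::Version and Gem::Requirement from RubyGems, part of Ruby itself.
require "rubygems"

# Subset of the entries above, transcribed by hand. Each advisory carries one
# requirement set per affected branch: a fix listed as "2.2.23, 3.1.21 and 3.2.6"
# means every branch below its own fix version is still vulnerable.
ADVISORIES = [
  { cve: "CVE-2026-34829", cvss: "7.5 HIGH",
    branches: [["< 2.2.23"], [">= 3.0.0", "< 3.1.21"], [">= 3.2.0", "< 3.2.6"]] },
  { cve: "CVE-2025-61919", cvss: "7.5 HIGH",
    branches: [["< 2.2.20"], [">= 3.0.0", "< 3.1.18"], [">= 3.2.0", "< 3.2.3"]] },
  { cve: "CVE-2025-49007", cvss: "5.3 MEDIUM",
    branches: [[">= 3.1.0", "< 3.1.16"]] },
  { cve: "CVE-2022-30123", cvss: "10.0 CRITICAL",
    branches: [["< 2.0.9.1"], [">= 2.1.0", "< 2.1.4.1"], [">= 2.2.0", "< 2.2.3.1"]] },
  { cve: "CVE-2020-8161", cvss: "8.6 HIGH",
    branches: [["< 2.2.0"]] },
].freeze

# Return the CVE identifiers whose affected ranges include +version_string+,
# in the order the advisories are listed.
def affected_advisories(version_string)
  version = Gem::Version.new(version_string)
  ADVISORIES
    .select { |adv| adv[:branches].any? { |reqs| Gem::Requirement.new(*reqs).satisfied_by?(version) } }
    .map { |adv| adv[:cve] }
end

# Pull the resolved rack version out of a Gemfile.lock. Bundler writes the
# resolved spec as "    rack (X.Y.Z)" (four-space indent) under "specs:";
# dependency lines such as "      rack (>= 1.3)" are indented six spaces and
# carry a constraint rather than a version, so they do not match here.
def rack_version_from_lockfile(lockfile_text)
  match = lockfile_text.match(/^ {4}rack \((\d[^)\s]*)\)\s*$/)
  match && match[1]
end

# Constructed lockfile fragment for the demo; not taken from any real project.
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      rack (2.2.19)
      rack-test (2.1.0)
        rack (>= 1.3)

  PLATFORMS
    ruby
LOCK

# One-line verdict for a lockfile: which of the transcribed advisories apply.
def report(lockfile_text)
  version = rack_version_from_lockfile(lockfile_text)
  return "rack not found in lockfile" unless version
  hits = affected_advisories(version)
  return "rack #{version}: none of the transcribed advisories apply" if hits.empty?
  "rack #{version}: affected by #{hits.join(', ')}"
end

puts report(SAMPLE_LOCKFILE) if $PROGRAM_NAME == __FILE__
```

Two points about the design. The branch table is what makes the check honest: a lockfile pinning rack 3.1.20 is past the 3.1.18 fix for CVE-2025-61919 but still below the 3.1.21 fix for CVE-2026-34829, which a naive "is it below 2.2.23" comparison would miss. The lockfile regex deliberately anchors on the four-space spec line so that a dependency constraint on rack written by another gem is never mistaken for the resolved version.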
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin