Source: ruby-rack
Version: 3.1.16-0.1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>
Control: found -1 2.2.13-1~deb12u1
Hi,

The following vulnerability was published for ruby-rack.

CVE-2025-61780[0]:
| Rack is a modular Ruby web server interface. Prior to versions
| 2.2.20, 3.1.18, and 3.2.3, a possible information disclosure
| vulnerability existed in `Rack::Sendfile` when running behind a
| proxy that supports `x-sendfile` headers (such as Nginx). Specially
| crafted headers could cause `Rack::Sendfile` to miscommunicate with
| the proxy and trigger unintended internal requests, potentially
| bypassing proxy-level access restrictions. When `Rack::Sendfile`
| received untrusted `x-sendfile-type` or `x-accel-mapping` headers
| from a client, it would interpret them as proxy configuration
| directives. This could cause the middleware to send a "redirect"
| response to the proxy, prompting it to reissue a new internal
| request that was not subject to the proxy's access controls. An
| attacker could exploit this by setting a crafted `x-sendfile-type:
| x-accel-redirect` header, setting a crafted `x-accel-mapping`
| header, and requesting a path that qualifies for proxy-based
| acceleration. Attackers could bypass proxy-enforced restrictions and
| access internal endpoints intended to be protected (such as
| administrative pages). The vulnerability did not allow arbitrary
| file reads but could expose sensitive application routes. This issue
| only affected systems meeting all of the following conditions: The
| application used `Rack::Sendfile` with a proxy that supports
| `x-accel-redirect` (e.g., Nginx); the proxy did **not** always set
| or remove the `x-sendfile-type` and `x-accel-mapping` headers; and
| the application exposed an endpoint that returned a body responding
| to `.to_path`. Users should upgrade to Rack versions 2.2.20, 3.1.18,
| or 3.2.3, which require explicit configuration to enable
| `x-accel-redirect`. Alternatively, configure the proxy to always set
| or strip the header, or in Rails applications, disable sendfile
| completely.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-61780
    https://www.cve.org/CVERecord?id=CVE-2025-61780
[1] https://github.com/rack/rack/security/advisories/GHSA-r657-rxjc-j557
[2] https://github.com/rack/rack/commit/57277b7741581fa827472c5c666f6e6a33abd784
[3] https://github.com/rack/rack/commit/7e69f65eefe9cd2868df9f9f3b0977b86f93523a
[4] https://github.com/rack/rack/commit/fba2c8bc63eb787ff4b19bc612d315fda6126d85

Regards,
Salvatore
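Added example, not code from the bug report or from the Rack project: a Rack-style middleware that applies the advisory's "always set or strip the header" mitigation on the application side instead of in the proxy. It discards any client-supplied `x-sendfile-type` / `x-accel-mapping` headers and installs operator-fixed values, so a downstream `Rack::Sendfile` never sees untrusted proxy directives. It assumes Rack's CGI-style env keys `HTTP_X_SENDFILE_TYPE` and `HTTP_X_ACCEL_MAPPING`; the class name, the `sendfile.stripped_headers` key and the sample values are constructed for the example.

```ruby
# Rack-style middleware (added example, not Rack's own code). Place it
# before Rack::Sendfile in the stack so Sendfile only ever sees the
# x-sendfile-type / x-accel-mapping values the operator configured,
# never ones supplied by the client. Assumes Rack's CGI-style env keys.
class TrustedSendfileConfig
  UNTRUSTED_KEYS = %w[HTTP_X_SENDFILE_TYPE HTTP_X_ACCEL_MAPPING].freeze

  # type:    sendfile variant the deployment really uses (nil = disabled)
  # mapping: the x-accel-mapping the proxy is configured with (nil = none)
  def initialize(app, type: nil, mapping: nil)
    @app = app
    @type = type
    @mapping = mapping
  end

  def call(env)
    # Record which untrusted headers arrived (useful for logging/alerting),
    # then discard them and install the trusted configuration.
    stripped = UNTRUSTED_KEYS.select { |k| env.key?(k) }
    UNTRUSTED_KEYS.each { |k| env.delete(k) }
    env['HTTP_X_SENDFILE_TYPE'] = @type if @type
    env['HTTP_X_ACCEL_MAPPING'] = @mapping if @mapping
    env['sendfile.stripped_headers'] = stripped # constructed key name
    @app.call(env)
  end
end

# Returns the env exactly as the inner app (e.g. Rack::Sendfile) receives it
# after the middleware has run, so the effect can be inspected or asserted.
def sanitized_env(env, type: nil, mapping: nil)
  seen = nil
  inner = ->(e) { seen = e; [200, {}, ['ok']] }
  TrustedSendfileConfig.new(inner, type: type, mapping: mapping).call(env)
  seen
end

if __FILE__ == $0
  # Constructed request carrying client-supplied proxy directives.
  env = { 'PATH_INFO' => '/files/report.pdf',
          'HTTP_X_SENDFILE_TYPE' => 'x-accel-redirect',
          'HTTP_X_ACCEL_MAPPING' => '/srv/app/public/=/internal/' }
  p sanitized_env(env, type: 'x-accel-redirect',
                  mapping: '/srv/app/public/=/protected-files/')
end
```

With no `type:` or `mapping:` given, the middleware leaves both keys absent, which disables the accelerated path entirely, matching the advisory's "disable sendfile completely" option.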

