CVE-2025-27610: Local File Inclusion in Rack::Static
Rack::Static can serve files under the directory given by the root: option even when urls: prefixes are provided, which may unexpectedly expose other files under the specified root:.
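An added example, not code from the Rack project: a stdlib-only Ruby check that expresses the contract the advisory describes, namely that a request may only reach files below root: whose URL path falls under one of the urls: prefixes. The STATIC_ROOT and STATIC_URLS values and the function names are assumptions constructed for this example.

```ruby
# Added example (not Rack's own code): a defence-in-depth check mirroring the
# intended Rack::Static contract. A request may only map onto a file below
# root: when its URL path begins with one of the configured urls: prefixes.
# The path is normalised before the prefix check, so dot segments cannot move
# the resolved location out of the allowed subtree.
require "uri"

# Hypothetical configuration, named after the Rack::Static options in the
# advisory; the directory and prefixes are constructed for this example.
STATIC_ROOT = "/srv/app/public"
STATIC_URLS = ["/assets", "/images"].freeze

# Decode and normalise a request path the way a file server resolves it.
# Returns the canonical absolute URL path (e.g. "/assets/app.css"), or nil when
# the path is not absolute, is malformed, or would climb above root:.
def canonical_request_path(raw_path)
  decoded = begin
    URI.decode_www_form_component(raw_path.to_s.split("?", 2).first.to_s)
  rescue ArgumentError
    return nil # invalid percent-encoding
  end
  return nil unless decoded.start_with?("/")
  return nil if decoded.include?("\0")
  segments = []
  decoded.split("/").each do |seg|
    next if seg.empty? || seg == "."
    if seg == ".."
      return nil if segments.empty? # would leave root:
      segments.pop
    else
      segments << seg
    end
  end
  "/" + segments.join("/")
end

# True only when the canonical path lies under one of the urls: prefixes, so
# the served file is inside root:/<prefix>/... rather than elsewhere under root:.
def static_path_allowed?(raw_path, urls: STATIC_URLS)
  path = canonical_request_path(raw_path)
  return false if path.nil?
  urls.any? { |prefix| path == prefix || path.start_with?(prefix + "/") }
end

# Map an allowed request onto the filesystem; nil when the request is refused.
def static_file_for(raw_path, root: STATIC_ROOT, urls: STATIC_URLS)
  return nil unless static_path_allowed?(raw_path, urls: urls)
  File.join(root, canonical_request_path(raw_path))
end
```

The check is independent of the Rack version in use and refuses anything under root: that is not beneath a configured prefix; upgrading to the fixed Rack release remains the actual remediation.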
References
- github.com/advisories/GHSA-7wqh-767x-r66v
- github.com/rack/rack
- github.com/rack/rack/commit/50caab74fa01ee8f5dbdee7bb2782126d20c6583
- github.com/rack/rack/security/advisories/GHSA-7wqh-767x-r66v
- github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-27610.yml
- nvd.nist.gov/vuln/detail/CVE-2025-27610