CVE-2025-61780: Rack has a Possible Information Disclosure Vulnerability
(updated )
A possible information disclosure vulnerability existed in Rack::Sendfile when running behind a proxy that supports x-sendfile headers (such as Nginx). Specially crafted headers could cause Rack::Sendfile to miscommunicate with the proxy and trigger unintended internal requests, potentially bypassing proxy-level access restrictions.
References
- github.com/advisories/GHSA-r657-rxjc-j557
- github.com/rack/rack
- github.com/rack/rack/commit/57277b7741581fa827472c5c666f6e6a33abd784
- github.com/rack/rack/commit/7e69f65eefe9cd2868df9f9f3b0977b86f93523a
- github.com/rack/rack/commit/fba2c8bc63eb787ff4b19bc612d315fda6126d85
- github.com/rack/rack/security/advisories/GHSA-r657-rxjc-j557
- github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2025-61780.yml
- nvd.nist.gov/vuln/detail/CVE-2025-61780
Code Behaviors & Features
Detect and mitigate CVE-2025-61780 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →