Rack 1.4 Release Notes

7 versions

Changelog and Release Notes for the NES version of Rack 1.4

Mar 4, 2026

Latest: 1.4.7.28

69 Patched Vulnerabilities

VEX Statements

March 2026

1.4.7.28

Released last Wednesday

CVE-2026-25500

CVE-2026-22860

Bug Fixes

CVE-2026-25500 - XSS injection via malicious filename in Rack::Directory.
CVE-2026-22860 - Directory traversal via root prefix bypass in Rack::Directory.

October 2025

1.4.7.27

Released on Oct 30, 2025

Notes

Removed an unnecessary warning caused by the last change ("unknown or unsafe x-sendfile variation"). This change has no security implications.

1.4.7.26

Released on Oct 13, 2025

Bug Fixes

CVE-2025-61919 - Unbounded read in Rack::Request form parsing can lead to memory exhaustion.
CVE-2025-61780 - Improper handling of headers in Rack::Sendfile may allow proxy bypass.
CVE-2025-61772 - Multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion).
CVE-2025-61771 - Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion).
CVE-2025-61770 - Unbounded multipart preamble buffering enables DoS (memory exhaustion).

June 2025

1.4.7.24

Released on Jun 17, 2025

CVE-2025-49007

Bug Fixes

CVE-2025-49007 - Denial of service vulnerability in the Content-Disposition parsing component of Rack.

May 2025

1.4.7.23

Released on May 15, 2025

CVE-2025-46727

CVE-2025-32441

Bug Fixes

CVE-2025-46727 - Unbounded parameter parsing in Rack::QueryParser can lead to memory exhaustion.
CVE-2025-32441 - Rack session can be restored after deletion.

March 2025

1.4.7.22

Released on Mar 18, 2025

CVE-2025-27610

CVE-2025-27111

CVE-2025-25184

Bug Fixes

CVE-2025-27610 - Local file inclusion in Rack::Static.
CVE-2025-27111 - Possible Log Injection in Rack::Sendfile.
CVE-2025-25184 - Possible Log Injection in Rack::CommonLogger.

February 2025

1.4.7.19

Released on Feb 10, 2025

7 More

Notes

This is the initial release of Never-Ending Support (NES) for Rack v1.4.x.

Bug Fixes

CVE-2024-26141 - discloses a Denial of Service vulnerability in Rack.
CVE-2024-25126 - discloses a Redos vulnerability in Rack.
CVE-2023-27539 - Avoid ReDoS in header parsing.
CVE-2023-27530 - Introduce multipart_total_part_limit to limit total parts.
CVE-2022-44571 - Fix ReDoS vulnerability in multipart parser.
CVE-2022-44570 - Fix ReDoS in Rack::Utils.get_byte_ranges.
CVE-2022-30123 - Fix shell escaping issue in Common Logger.
CVE-2022-30122 - Restrict parsing of broken MIME attachments.
CVE-2020-8184 - Only decode cookie values.
CVE-2020-8161 - Fix directory traversal in Rack::Directory.
CVE-2019-16782 - Prevent timing attacks targeted at session ID lookup. BREAKING CHANGE: Session ID is now a SessionId instance instead of a String.
CVE-2018-16471 - Whitelist HTTP and HTTPS schemes in Request#scheme to prevent a possible XSS attack.

Stay in the loop

~/herodevs-spring-framework-support

Open Source Support

When official support ends, we're just getting started.

New releases published regularly — check back often for the latest security updates

$ cat features.txt

Security Patches
Regular updates to keep your applications secure
CVE Remediation
Rapid response to critical vulnerabilities
Expert Support
Direct access to our development team