
Rack 1.4 Release Notes

8 versions

Changelog and Release Notes for the NES version of Rack 1.4

Apr 14, 2026
Latest: 1.4.7.29
120 Patched Vulnerabilities

April 2026

Security Fixes

  • CVE-2026-34835 - Rack::Request accepts invalid Host characters, enabling host allowlist bypass.
  • CVE-2026-34831 - Content-Length mismatch in Rack::Files error responses.
  • CVE-2026-34830 - Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect.
  • CVE-2026-34829 - Multipart parsing without Content-Length header allows unbounded chunked file uploads.
  • CVE-2026-34826 - Multipart byte range processing allows denial of service via excessive overlapping ranges.
  • CVE-2026-34786 - Rack::Static header_rules bypass via URL-encoded path mismatch.
  • CVE-2026-34785 - Rack::Static prefix matching can expose unintended files under the static root.
  • CVE-2026-34763 - Root directory disclosure via unescaped regex interpolation in Rack::Directory.
  • CVE-2026-34230 - Avoid O(n^2) algorithm in Rack::Utils.select_best_encoding which could lead to denial of service.
  • CVE-2026-32762 - Forwarded header semicolon injection enables Host and Scheme spoofing.
  • CVE-2026-26962 - Improper unfolding of folded multipart headers preserves CRLF in parsed parameter.
  • CVE-2026-26961 - Raise error for multipart requests with multiple boundary parameters.

March 2026

Security Fixes

  • CVE-2026-25500 - XSS injection via malicious filename in Rack::Directory.
  • CVE-2026-22860 - Directory traversal via root prefix bypass in Rack::Directory.

October 2025

1.4.7.27

Released Oct 30, 2025

Notes

  • Removed an unnecessary warning caused by the last change ("unknown or unsafe x-sendfile variation"). This change has no security implications.

Security Fixes

  • CVE-2025-61919 - Unbounded read in Rack::Request form parsing can lead to memory exhaustion.
  • CVE-2025-61780 - Improper handling of headers in Rack::Sendfile may allow proxy bypass.
  • CVE-2025-61772 - Multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion).
  • CVE-2025-61771 - Multipart parser buffers large non-file fields entirely in memory, enabling DoS (memory exhaustion).
  • CVE-2025-61770 - Unbounded multipart preamble buffering enables DoS (memory exhaustion).

June 2025

1.4.7.24

Released Jun 17, 2025

Security Fixes

  • CVE-2025-49007 - Denial of service vulnerability in the Content-Disposition parsing component of Rack.

May 2025

Security Fixes

  • CVE-2025-46727 - Unbounded parameter parsing in Rack::QueryParser can lead to memory exhaustion.
  • CVE-2025-32441 - Rack session can be restored after deletion.

March 2025

Security Fixes

February 2025

Notes

  • This is the initial release of Never-Ending Support (NES) for Rack v1.4.x.

Security Fixes

  • CVE-2024-26141 - Denial of Service vulnerability in Rack.
  • CVE-2024-25126 - ReDoS vulnerability in Rack.
  • CVE-2023-27539 - Avoid ReDoS in header parsing.
  • CVE-2023-27530 - Introduce multipart_total_part_limit to limit total parts.
  • CVE-2022-44571 - Fix ReDoS vulnerability in multipart parser.
  • CVE-2022-44570 - Fix ReDoS in Rack::Utils.get_byte_ranges.
  • CVE-2022-30123 - Fix shell escaping issue in Common Logger.
  • CVE-2022-30122 - Restrict parsing of broken MIME attachments.
  • CVE-2020-8184 - Only decode cookie values.
  • CVE-2020-8161 - Fix directory traversal in Rack::Directory.
  • CVE-2019-16782 - Prevent timing attacks targeted at session ID lookup. BREAKING CHANGE: Session ID is now a SessionId instance instead of a String.
  • CVE-2018-16471 - Whitelist HTTP and HTTPS schemes in Request#scheme to prevent a possible XSS attack.
