Rack 1.6 Release Notes

Bug Fixes

• CVE-2026-25500 - XSS injection via malicious filename in Rack::Directory.
• CVE-2026-22860 - Directory traversal via root prefix bypass in Rack::Directory.

Bug Fixes

• CVE-2025-61919 - Unbounded read in Rack::Request form parsing can lead to memory exhaustion.
• CVE-2025-61780 - Improper handling of headers in Rack::Sendfile may allow proxy bypass.

Bug Fixes

• CVE-2025-61772 - Multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion).
• CVE-2025-61771 - Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion).
• CVE-2025-61770 - Unbounded multipart preamble buffering enables DoS (memory exhaustion).

Bug Fixes

• CVE-2025-49007 - Denial of service vulnerability in the Content-Disposition parsing component of Rack.

Bug Fixes

• CVE-2025-46727 - Unbounded parameter parsing in Rack::QueryParser can lead to memory exhaustion.
• CVE-2025-32441 - Rack session can be restored after deletion.
• CVE-2025-27610 - Local file inclusion in Rack::Static.

Bug Fixes

• CVE-2025-27111 - Possible Log Injection in Rack::Sendfile.
• CVE-2025-25184 - Possible Log Injection in Rack::CommonLogger.

Notes

• This is the initial release of Never-Ending Support (NES) for Rack v1.6.x.

Bug Fixes

• CVE-2024-26141 - discloses a Denial of Service vulnerability in Rack.
• CVE-2024-25126 - disclosed a Redos vulnerability in Rack.
• CVE-2023-27539 - Avoid ReDoS in header parsing.
• CVE-2023-27530 - Introduce multipart_total_part_limit to limit total parts.
• CVE-2022-44571 - Fix ReDoS vulnerability in multipart parser.
• CVE-2022-44570 - Fix ReDoS in Rack::Utils.get_byte_ranges.
• CVE-2022-30123 - Fix shell escaping issue in Common Logger.
• CVE-2022-30122 - Restrict parsing of broken MIME attachments.
• CVE-2020-8184 - Only decode cookie values.
• CVE-2020-8161 - Fix directory traversal in Rack::Directory.