Rack 2.2 Release Notes

9 versions

Changelog and Release Notes for the NES version of Rack 2.2

Mar 4, 2026

Latest: 2.2.22.10

69 Patched Vulnerabilities

VEX Statements

March 2026

2.2.22.10

Released last Wednesday

CVE-2026-25500

CVE-2026-22860

Bug Fixes

CVE-2026-25500 - XSS injection via malicious filename in Rack::Directory.
CVE-2026-22860 - Directory traversal via root prefix bypass in Rack::Directory.

October 2025

2.2.20.11

Released on Oct 30, 2025

Notes

Removed an unnecessary warning caused by the last change ("unknown or unsafe x-sendfile variation"). This change has no security implications.

2.2.20.10

Released on Oct 13, 2025

CVE-2025-61919

CVE-2025-61780

Bug Fixes

CVE-2025-61919 - Unbounded read in Rack::Request form parsing can lead to memory exhaustion.
CVE-2025-61780 - Improper handling of headers in Rack::Sendfile may allow proxy bypass.

2.2.19.10

Released on Oct 13, 2025

CVE-2025-61772

CVE-2025-61771

CVE-2025-61770

Bug Fixes

CVE-2025-61772 - Multipart parser buffers unbounded per-part headers, enabling DoS (memory exhaustion).
CVE-2025-61771 - Multipart parser buffers large non‑file fields entirely in memory, enabling DoS (memory exhaustion).
CVE-2025-61770 - Unbounded multipart preamble buffering enables DoS (memory exhaustion).

2.2.18.10

Released on Oct 2, 2025

CVE-2025-59830

Bug Fixes

CVE-2025-59830 - Unbounded parameter parsing in Rack::QueryParser can lead to memory exhaustion via semicolon-separated parameters.

June 2025

2.2.17.10

Released on Jun 17, 2025

CVE-2025-49007

Bug Fixes

CVE-2025-49007 - Denial of service vulnerability in the Content-Disposition parsing component of Rack.

May 2025

2.2.14.10

Released on May 14, 2025

CVE-2025-46727

CVE-2025-32441

Bug Fixes

CVE-2025-46727 - Unbounded parameter parsing in Rack::QueryParser can lead to memory exhaustion.
CVE-2025-32441 - Rack session can be restored after deletion.