Rack 3.2 Release Notes
Changelog and Release Notes for the NES version of Rack 3.2
April 2026
3.2.6
Released Apr 14, 2026
Notes
- This release contains no functional change from the OSS rack v3.2.6.
Security Fixes
- CVE-2026-34835 - Rack::Request accepts invalid Host characters, enabling host allowlist bypass.
- CVE-2026-34831 - Content-Length mismatch in Rack::Files error responses.
- CVE-2026-34830 - Rack::Sendfile header-based X-Accel-Mapping regex injection enables unauthorized X-Accel-Redirect.
- CVE-2026-34829 - Multipart parsing without Content-Length header allows unbounded chunked file uploads.
- CVE-2026-34827 - Quadratic-time multipart header parsing allows denial of service via escape-heavy quoted parameters.
- CVE-2026-34826 - Multipart byte range processing allows denial of service via excessive overlapping ranges.
- CVE-2026-34786 - Rack::Static header_rules bypass via URL-encoded path mismatch.
- CVE-2026-34785 - Rack::Static prefix matching can expose unintended files under the static root.
- CVE-2026-34763 - Root directory disclosure via unescaped regex interpolation in Rack::Directory.
- CVE-2026-34230 - Avoid O(n^2) algorithm in Rack::Utils.select_best_encoding which could lead to denial of service.
- CVE-2026-32762 - Forwarded header semicolon injection enables Host and Scheme spoofing.
- CVE-2026-26962 - Improper unfolding of folded multipart headers preserves CRLF in parsed parameter.
- CVE-2026-26961 - Raise error for multipart requests with multiple boundary parameters.
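The first entry above (CVE-2026-34835) describes a host allowlist that could be bypassed because the Host value was not restricted to valid characters. The general defensive pattern is to parse the header against a strict grammar first and only then compare the normalized hostname against the allowlist, so that a value containing out-of-grammar characters can never match an entry while being interpreted differently downstream. The code below is an added example written for this page; it is not Rack's code and not the fix shipped in this release. The hostname grammar it enforces (RFC 1123 labels, IPv4 dotted quads, bracketed IPv6 literals, optional port) is deliberately stricter than RFC 3986 reg-name, which also permits sub-delims and percent-encoding; the regexes, function names and sample headers are all constructed here.

```ruby
require 'ipaddr'

# RFC 1123 hostname: dot-separated labels of letters, digits and hyphens,
# no leading or trailing hyphen, optional trailing dot. Deliberately stricter
# than the RFC 3986 reg-name grammar (no sub-delims, no percent-encoding).
LABEL = /[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?/
HOSTNAME_RE = /\A(?:#{LABEL}\.)*#{LABEL}\.?\z/

# Whole header: either a bracketed IPv6 literal or a name, then an optional port.
# Anything else (spaces, backslashes, '#', '@', a second colon, ...) fails to parse.
HOST_RE = /\A(?:\[(?<ip6>[0-9A-Fa-f:.]+)\]|(?<name>[^\[\]:]+))(?::(?<port>\d{1,5}))?\z/

# Returns the normalized hostname (lowercased, port and trailing dot stripped,
# IPv6 literals re-serialized in canonical form) or nil when the header does
# not parse as a single well-formed host. Callers must treat nil as "reject".
def parse_host(header)
  return nil if header.nil? || header.empty? || header.bytesize > 255
  m = HOST_RE.match(header)
  return nil unless m
  return nil if m[:port] && m[:port].to_i > 65_535

  if m[:ip6]
    begin
      addr = IPAddr.new(m[:ip6])
      return nil unless addr.ipv6?
      return "[#{addr}]"
    rescue IPAddr::InvalidAddressError
      return nil
    end
  end

  name = m[:name]
  return nil unless HOSTNAME_RE.match?(name)
  name.downcase.chomp('.')
end

# Allowlist entries are exact hostnames, or ".example.com" to allow the
# domain itself and any subdomain. Matching happens only on a parsed host,
# so an unparsable header can never be allowed.
def host_allowed?(header, allowlist)
  host = parse_host(header)
  return false unless host
  allowlist.any? do |entry|
    if entry.start_with?('.')
      host == entry[1..] || host.end_with?(entry)
    else
      host == entry
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample headers, not captured traffic.
  allow = ['example.com', '.example.com', '[::1]']
  ['EXAMPLE.com:443', '[::1]:8080', 'sub.example.com', 'example.com.evil.com',
   'example.com\\evil.com', 'evil.com#example.com', 'example.com:99999'].each do |h|
    puts format('%-28s parsed=%-18s allowed=%s', h.inspect, parse_host(h).inspect, host_allowed?(h, allow))
  end
end
```

The check is lexical only: it decides whether a header is well-formed and matches the allowlist, and says nothing about where the request actually arrived, so it belongs alongside, not instead of, TLS SNI and proxy-level host routing.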
March 2026
3.2.5
Released Mar 4, 2026
Notes
- This is the initial release of Never-Ending Support (NES) for Rack v2.3.x.
- This release contains no functional change from the OSS rack v3.2.5.
Security Fixes
- CVE-2026-25500 - XSS injection via malicious filename in Rack::Directory.
- CVE-2026-22860 - Directory traversal via root prefix bypass in Rack::Directory.
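The second entry above (CVE-2026-22860) names a "root prefix bypass", which is the generic failure mode of confining a resolved path with a bare string-prefix test: a path that resolves to a sibling directory whose name merely starts with the root's name (for example /srv/public2 next to /srv/public) passes the check. The block below is an added example written for this page, not Rack's code and not the fix in this release; it places the flawed containment check beside a hardened one so the difference is visible on constructed inputs. The root path, function names and sample requests are all constructed here.

```ruby
# Constructed static root for the example; nothing is read from disk.
ROOT = '/srv/public'

# Flawed check: a bare string prefix test. "/srv/public2/secret" starts with
# "/srv/public", so it is wrongly treated as inside the root.
# File.absolute_path is used rather than File.expand_path because the latter
# expands a leading "~" to a home directory, which is not wanted here.
def naive_under_root?(request_path, root = ROOT)
  root = File.absolute_path(root)
  File.absolute_path(request_path, root).start_with?(root)
end

# Hardened check: after lexical resolution the path must be the root itself,
# or the root followed by a path separator must be a prefix of it. This
# rejects "..", absolute paths outside the root and sibling-directory names.
def under_root?(request_path, root = ROOT)
  root = File.absolute_path(root)
  full = File.absolute_path(request_path, root)
  full == root || full.start_with?(root + File::SEPARATOR)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed request paths, not captured traffic.
  ['css/app.css', '.', '../public2/secret', '/srv/public2/secret',
   '../../etc/passwd', '~/x'].each do |p|
    puts format('%-22s naive=%-5s hardened=%s', p, naive_under_root?(p), under_root?(p))
  end
end
```

Both functions are purely lexical. If the static root can contain symbolic links, resolve the candidate with File.realpath and compare against the realpath of the root as well, because a symlink inside the root can point outside it even when the textual path is contained.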