Rack::Directory Allows Malicious Files to Run Code
CVE-2026-25500
GHSA-whrj-4476-wvmp
Summary
Rack::Directory can display files with malicious names that, when clicked, run code in the hosting application. This can happen if an attacker uploads a file with a name starting with 'javascript:'. Users should ensure they only allow trusted files to be uploaded and view directory listings carefully.
What to do
- Update leah neukirchen rack to version 2.2.22.
- Update leah neukirchen rack to version 3.1.20.
- Update leah neukirchen rack to version 3.2.5.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| leah neukirchen | rack | <= 2.2.22 | 2.2.22 |
| leah neukirchen | rack | > 3.0.0.beta1 , <= 3.1.20 | 3.1.20 |
| leah neukirchen | rack | > 3.2.0 , <= 3.2.5 | 3.2.5 |
| rack | rack | <= 2.2.22 | – |
| rack | rack | > 3.0.0 , <= 3.1.20 | – |
| rack | rack | > 3.2.0 , <= 3.2.5 | – |
Original title
Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href
Original description
## Summary
`Rack::Directory` generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename begins with the `javascript:` scheme (e.g. `javascript:alert(1)`), the generated index includes an anchor whose `href` attribute is exactly `javascript:alert(1)`. Clicking this entry executes arbitrary JavaScript in the context of the hosting application.
This results in a client-side XSS condition in directory listings generated by `Rack::Directory`.
## Details
`Rack::Directory` renders directory entries using an HTML row template similar to:
```html
<a href='%s'>%s</a>
```
The `%s` placeholder is populated directly with the file’s basename. If the basename begins with `javascript:`, the resulting HTML contains an executable JavaScript URL:
```html
<a href='javascript:alert(1)'>javascript:alert(1)</a>
```
Because the value is inserted directly into the `href` attribute without scheme validation or normalization, browsers interpret it as a JavaScript URI. When a user clicks the link, the JavaScript executes in the origin of the Rack application.
## Impact
If `Rack::Directory` is used to expose filesystem contents over HTTP, an attacker who can create or upload files within that directory may introduce a malicious filename beginning with `javascript:`.
When a user visits the directory listing and clicks the entry, arbitrary JavaScript executes in the application's origin. Exploitation requires user interaction (clicking the malicious entry).
## Mitigation
* Update to a patched version of Rack in which `Rack::Directory` prefixes generated anchors with a relative path indicator (e.g. `./filename`).
* Avoid exposing user-controlled directories via `Rack::Directory`.
* Apply a strict Content Security Policy (CSP) to reduce impact of potential client-side execution issues.
* Where feasible, restrict or sanitize uploaded filenames to disallow dangerous URI scheme prefixes.
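The two renderings described in Details and the `./` fix named under Mitigation, as an added example that is not Rack's own code: `vulnerable_row` interpolates the basename straight into `href`, while `hardened_row` (an assumed hardening written here, following the advisory's relative-path prefix and adding HTML escaping) makes the browser resolve the entry as a path. `scheme_prefixed?` is a defender-side check over rendered output or upload filenames; `safe_upload_name?` is an assumed filter for the last mitigation bullet.

```ruby
require "cgi"

# A link target that starts with "<scheme>:" (javascript:, data:, ...) is parsed
# by the browser as an absolute URI, not as a file relative to the listing.
SCHEME_PREFIX = /\A[a-z][a-z0-9+.\-]*:/i

def scheme_prefixed?(href)
  SCHEME_PREFIX.match?(href)
end

# Vulnerable template from the advisory: basename goes directly into href.
def vulnerable_row(basename)
  format("<a href='%s'>%s</a>", basename, basename)
end

# Hardened rendering (assumed, not Rack's patch verbatim): the "./" prefix means
# "javascript:alert(1)" becomes the relative path "./javascript:alert(1)", and
# CGI.escapeHTML closes the quote/tag-injection avenue for odd basenames.
def hardened_row(basename)
  href = CGI.escapeHTML("./#{basename}")
  text = CGI.escapeHTML(basename)
  "<a href='#{href}'>#{text}</a>"
end

# Pull the raw href value back out of a rendered row, for checking output.
def href_of(row)
  row[/href='([^']*)'/, 1]
end

# Upload-time filter (assumed): reject names that would be read as a URI scheme
# or that are not a plain single path component.
def safe_upload_name?(name)
  !name.empty? && !scheme_prefixed?(name) &&
    !name.include?("/") && name != "." && name != ".."
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample basename matching the advisory's example.
  name = "javascript:alert(1)"
  puts "vulnerable: #{vulnerable_row(name)}"
  puts "hardened:   #{hardened_row(name)}"
  puts "upload allowed? #{safe_upload_name?(name)}"
end
```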
HackerOne profile:
https://hackerone.com/thesmartshadow
GitHub account owner:
Ali Firas (@thesmartshadow)
nvd CVSS3.1
5.4
Vulnerability type
CWE-79
Cross-site Scripting (XSS)
- https://nvd.nist.gov/vuln/detail/CVE-2026-25500
- https://github.com/rubysec/ruby-advisory-db/blob/master/gems/rack/CVE-2026-25500...
- https://github.com/advisories/GHSA-whrj-4476-wvmp
- https://github.com/rack/rack/commit/f2f225f297b99fbee3d9f51255d41f601fc40aff Patch
- https://github.com/rack/rack/security/advisories/GHSA-whrj-4476-wvmp Exploit Mitigation Vendor Advisory
- https://github.com/rack/rack Product
Published: 17 Feb 2026 · Updated: 14 Mar 2026 · First seen: 6 Mar 2026