[DRE-maint] Bug#1117855: ruby-rack: CVE-2025-61780
Salvatore Bonaccorso
carnil at debian.org
Sat Oct 11 20:07:12 BST 2025
Source: ruby-rack
Version: 3.1.16-0.1
Severity: grave
Tags: security upstream
Justification: user security hole
X-Debbugs-Cc: carnil at debian.org, Debian Security Team <team at security.debian.org>
Control: found -1 2.2.13-1~deb12u1
Hi,
The following vulnerability was published for ruby-rack.
CVE-2025-61780[0]:
| Rack is a modular Ruby web server interface. Prior to versions
| 2.2.20, 3.1.18, and 3.2.3, a possible information disclosure
| vulnerability existed in `Rack::Sendfile` when running behind a
| proxy that supports `x-sendfile` headers (such as Nginx). Specially
| crafted headers could cause `Rack::Sendfile` to miscommunicate with
| the proxy and trigger unintended internal requests, potentially
| bypassing proxy-level access restrictions. When `Rack::Sendfile`
| received untrusted `x-sendfile-type` or `x-accel-mapping` headers
| from a client, it would interpret them as proxy configuration
| directives. This could cause the middleware to send a "redirect"
| response to the proxy, prompting it to reissue a new internal
| request that was not subject to the proxy's access controls. An
| attacker could exploit this by setting a crafted `x-sendfile-type:
| x-accel-redirect` header, setting a crafted `x-accel-mapping`
| header, and requesting a path that qualifies for proxy-based
| acceleration. Attackers could bypass proxy-enforced restrictions and
| access internal endpoints intended to be protected (such as
| administrative pages). The vulnerability did not allow arbitrary
| file reads but could expose sensitive application routes. This issue
| only affected systems meeting all of the following conditions: The
| application used `Rack::Sendfile` with a proxy that supports
| `x-accel-redirect` (e.g., Nginx); the proxy did **not** always set
| or remove the `x-sendfile-type` and `x-accel-mapping` headers; and
| the application exposed an endpoint that returned a body responding
| to `.to_path`. Users should upgrade to Rack versions 2.2.20, 3.1.18,
| or 3.2.3, which require explicit configuration to enable
| `x-accel-redirect`. Alternatively, configure the proxy to always set or strip
| the header, or in Rails applications, disable sendfile completely.
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2025-61780
https://www.cve.org/CVERecord?id=CVE-2025-61780
[1] https://github.com/rack/rack/security/advisories/GHSA-r657-rxjc-j557
[2] https://github.com/rack/rack/commit/57277b7741581fa827472c5c666f6e6a33abd784
[3] https://github.com/rack/rack/commit/7e69f65eefe9cd2868df9f9f3b0977b86f93523a
[4] https://github.com/rack/rack/commit/fba2c8bc63eb787ff4b19bc612d315fda6126d85
Regards,
Salvatore
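The advisory above lists "configure the proxy to always set or strip the header" as a mitigation for deployments that cannot upgrade yet. The following is an added example, not code from the bug report or from the Rack project, showing the same idea implemented one layer down as a Rack middleware placed in front of `Rack::Sendfile`: it drops the two client-controllable headers named in the CVE before `Rack::Sendfile` can read them as proxy configuration, logs that it did so, and offers a small check that flags the header combination the advisory describes. The middleware class name, the logger interface (any callable), the stand-in downstream app and the sample env are all assumptions made for the example; Rack itself is not required, since a Rack env is a plain Hash.

```ruby
# Added example (not part of the Debian bug report or of Rack's own code).
# Rack exposes incoming request headers in the env Hash as HTTP_<NAME> with
# dashes replaced by underscores, so the headers named in CVE-2025-61780
# arrive as HTTP_X_SENDFILE_TYPE and HTTP_X_ACCEL_MAPPING.

UNTRUSTED_SENDFILE_HEADERS = %w[HTTP_X_SENDFILE_TYPE HTTP_X_ACCEL_MAPPING].freeze

# Middleware to insert *before* Rack::Sendfile in the stack. It removes the
# client-supplied copies of the two headers, so only values the proxy itself
# injects (or explicit middleware configuration) can reach Rack::Sendfile.
class StripSendfileHeaders
  # logger: any object responding to #call(String); nil disables logging.
  def initialize(app, logger: nil)
    @app = app
    @logger = logger
  end

  def call(env)
    removed = UNTRUSTED_SENDFILE_HEADERS.select { |k| env.key?(k) }
    unless removed.empty?
      @logger&.call("dropped client-supplied sendfile headers " \
                    "#{removed.join(', ')} for #{env['PATH_INFO']}")
      removed.each { |k| env.delete(k) }
    end
    @app.call(env)
  end
end

# Detection helper for request logging or a WAF rule: true when a request
# carries the combination the advisory describes, i.e. an x-sendfile-type of
# x-accel-redirect together with an x-accel-mapping header.
def suspicious_sendfile_request?(env)
  env['HTTP_X_SENDFILE_TYPE'].to_s.strip.downcase == 'x-accel-redirect' &&
    env.key?('HTTP_X_ACCEL_MAPPING')
end

# Stand-in for the downstream app (in a real stack this would be
# Rack::Sendfile). It reports which of the two headers it can still see, which
# is exactly what the middleware is meant to keep empty.
SEEN_HEADERS_APP = lambda do |env|
  seen = UNTRUSTED_SENDFILE_HEADERS.select { |k| env.key?(k) }
  [200, { 'content-type' => 'text/plain' }, [seen.join(',')]]
end

# Runs a request through StripSendfileHeaders and returns the header names the
# downstream app observed ('' when everything was stripped).
def sendfile_headers_seen_downstream(env)
  _status, _headers, body = StripSendfileHeaders.new(SEEN_HEADERS_APP).call(env)
  body.join
end

# Constructed sample env for a request that matches the advisory's pattern.
# The mapping value is an invented placeholder, not a real deployment path.
SAMPLE_ENV = {
  'REQUEST_METHOD'      => 'GET',
  'PATH_INFO'           => '/files/report.pdf',
  'HTTP_X_SENDFILE_TYPE' => 'x-accel-redirect',
  'HTTP_X_ACCEL_MAPPING' => '/example/files/=/example-internal/'
}.freeze

if __FILE__ == $0
  puts "suspicious request?  #{suspicious_sendfile_request?(SAMPLE_ENV)}"
  puts "seen without middleware: #{SEEN_HEADERS_APP.call(SAMPLE_ENV)[2].join}"
  puts "seen with middleware:    '#{sendfile_headers_seen_downstream(SAMPLE_ENV.dup)}'"
end
```

In a `config.ru` this would be `use StripSendfileHeaders` ahead of `use Rack::Sendfile`. It is a stop-gap rather than a replacement for the upgrade: the fixed Rack versions stop treating client headers as configuration in the first place, and the advisory's first-choice proxy-side fix (in Nginx, setting both headers unconditionally with `proxy_set_header`) keeps the decision out of the application entirely.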