CVE-2026-25500: Rack's Stored XSS in Rack::Directory via javascript: filenames rendered into anchor href

Published Feb 17, 2026

Summary

Rack::Directory generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename begins with the javascript: scheme (e.g. javascript:alert(1)), the generated index includes an anchor whose href attribute is exactly javascript:alert(1). Clicking this entry executes arbitrary JavaScript in the context of the hosting application.

This results in a client-side XSS condition in directory listings generated by Rack::Directory.

Details

Rack::Directory renders directory entries using an HTML row template similar to:

```html
<a href='%s'>%s</a>
```

The %s placeholder is populated directly with the file’s basename. If the basename begins with javascript:, the resulting HTML contains an executable JavaScript URL:

```html
<a href='javascript:alert(1)'>javascript:alert(1)</a>
```

Because the value is inserted directly into the href attribute without scheme validation or normalization, browsers interpret a basename that starts with javascript: as a JavaScript URI rather than as a relative path. When a user clicks the link, the JavaScript executes in the origin of the Rack application.

Impact

If Rack::Directory is used to expose filesystem contents over HTTP, an attacker who can create or upload files within that directory may introduce a malicious filename beginning with javascript:.

When a user visits the directory listing and clicks the entry, arbitrary JavaScript executes in the application's origin. Exploitation requires user interaction (clicking the malicious entry).

Mitigation

Update to a patched version of Rack in which Rack::Directory prefixes generated anchors with a relative path indicator (e.g. ./filename). Avoid exposing user-controlled directories via Rack::Directory. Apply a strict Content Security Policy (CSP) to reduce impact of potential client-side execution issues. Where feasible, restrict or sanitize uploaded filenames to disallow dangerous URI scheme prefixes.
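To make the row template and the fix concrete, here is an added example (not Rack's own code, and not from the advisory) that renders a directory entry the way the Details section describes, renders it with the "./" prefix the Mitigation section describes plus HTML escaping, and applies a defender-side check that tells whether a rendered href would be treated as a javascript: URI. The sample basenames are constructed for illustration.

```ruby
require "cgi"

# Constructed sample basenames; the second is the advisory's example filename.
SAMPLE_ENTRIES = ["README.md", "javascript:alert(1)", "a&b.txt"].freeze

# Row template as described in the advisory: the basename is dropped straight
# into href. Shown only to illustrate what the browser receives.
def vulnerable_row(basename)
  format("<a href='%s'>%s</a>", basename, basename)
end

# Hardened row: prefix "./" so the href is always a relative path (the approach
# the advisory attributes to the patched releases), and HTML-escape both the
# attribute value and the link text so quotes or angle brackets cannot break out.
def hardened_row(basename)
  href = "./#{basename}"
  format("<a href='%s'>%s</a>", CGI.escapeHTML(href), CGI.escapeHTML(basename))
end

# Per RFC 3986 a URL carries a scheme only if it begins with a letter followed by
# letters, digits, "+", "-" or "." and then ":". "./javascript:..." therefore
# has no scheme and is resolved as a path relative to the listing.
SCHEME_RE = /\A[a-z][a-z0-9+.\-]*:/i

# Pull the raw href out of a rendered row (single-quoted attribute, as in the template).
def href_of(row)
  m = row.match(/href='([^']*)'/)
  m && CGI.unescapeHTML(m[1])
end

# Defender-side check: would a browser treat this row's href as a javascript: URI?
def javascript_href?(row)
  href = href_of(row)
  return false if href.nil?
  scheme = href[SCHEME_RE]
  !scheme.nil? && scheme.chomp(":").downcase == "javascript"
end

if __FILE__ == $PROGRAM_NAME
  SAMPLE_ENTRIES.each do |name|
    puts "vulnerable: #{vulnerable_row(name)}  js? #{javascript_href?(vulnerable_row(name))}"
    puts "hardened:   #{hardened_row(name)}  js? #{javascript_href?(hardened_row(name))}"
  end
end
```

The same scheme check can be run over an existing listing's HTML to flag entries that would execute on click.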

Other sources

Rack is a modular Ruby web server interface. Prior to versions 2.2.22, 3.1.20, and 3.2.5, Rack::Directory generates an HTML directory index where each file entry is rendered as a clickable link. If a file exists on disk whose basename starts with the javascript: scheme (e.g. javascript:alert(1)), the generated index contains an anchor whose href is exactly javascript:alert(1). Clicking the entry executes JavaScript in the browser (demonstrated with alert(1)). Versions 2.2.22, 3.1.20, and 3.2.5 fix the issue.

Source: NVD

Affected Software

7 affected components; fixes available

  rubygems/rack      >=3.2.0, <3.2.5          fixed in 3.2.5
  rubygems/rack      >=3.0.0.beta1, <3.1.20   fixed in 3.1.20
  rubygems/rack      <2.2.22                  fixed in 2.2.22
  Rack Rack Ruby     <2.2.22
  Rack Rack Ruby     >=3.0.0, <3.1.20
  Rack Rack Ruby     >=3.2.0, <3.2.5
  IBM Aspera Shares  <=1.9.9 - 1.11.0

Event History

Feb 17, 2026
  Advisory Published via GitHub, 06:46 PM
  Data Sourced via GitHub, 06:46 PM (Description, Severity, Weakness, Affected Software)
Feb 18, 2026
  CVE Published via MITRE, 06:59 PM
  Data Sourced via MITRE, 06:59 PM (Description, Severity, Weakness)
  Data Sourced via NVD, 08:18 PM (Remedy, Description, Severity, Weakness, Affected Software)
Mar 27, 2026
  Data Sourced via IBM, 12:00 AM (Description, Affected Software)


Frequently Asked Questions

1. What is the severity of CVE-2026-25500?

CVE-2026-25500 has been classified as a high-severity vulnerability due to its potential for JavaScript injection.

2. How do I fix CVE-2026-25500?

To mitigate CVE-2026-25500, upgrade to Rack versions 3.2.5, 3.1.20, or 2.2.22 as recommended.

3. What nature of attack does CVE-2026-25500 enable?

CVE-2026-25500 allows for potential cross-site scripting (XSS) attacks via unvalidated file links.

4. Which versions of the Rack library are affected by CVE-2026-25500?

CVE-2026-25500 affects Rack versions from 3.2.0 before 3.2.5, from 3.0.0.beta1 before 3.1.20, and all versions before 2.2.22.

5. What components are primarily involved in CVE-2026-25500?

CVE-2026-25500 specifically affects the Rack::Directory component responsible for generating directory indexes.
