
New Rack::Static Bug Could Leak Confidential Files

IMAGE CREDITS: SOLID SYSTEMS

Security researchers have uncovered a set of serious vulnerabilities in the Rack interface used by Ruby web servers—posing a fresh risk for developers and businesses alike. If left unpatched, the Rack::Static vulnerability could allow attackers to access sensitive files, tamper with logs, and inject malicious data without any authentication.

Cybersecurity firm OPSWAT shared details of three separate flaws, each with a distinct attack vector but collectively powerful when chained together:

  • CVE-2025-27610 (CVSS 7.5): A critical path traversal flaw that lets attackers break out of the intended web root directory and access any file they can guess the path to.
  • CVE-2025-27111 (CVSS 6.9): A CRLF injection issue in which carriage return and line feed characters are not properly neutralized, allowing attackers to manipulate log files.
  • CVE-2025-25184 (CVSS 5.7): A similar vulnerability in which improperly filtered output allows malicious data to be inserted into logs.
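The two log-injection entries above describe the same class of defect: a request-derived value reaches a log line with its line breaks intact, so one request can forge additional log entries. The following is an added illustration, not code from Rack or from the OPSWAT advisory, of the neutralisation step a logging path needs and of a simple detection check for lines that were written without it. All request values are constructed samples.

```ruby
# Added illustration (not Rack's own code): neutralise CR, LF and other
# control characters in request-derived fields before they are logged, so a
# single request can only ever produce a single log line.
def neutralize_log_field(value)
  value.to_s
       .gsub(/[\r\n]/, { "\r" => "\\r", "\n" => "\\n" })
       .gsub(/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/) { |c| format("\\x%02X", c.ord) }
end

# Build one access-log line from request fields, escaping every untrusted field.
# The format is a constructed one for this example, not a real server's format.
def access_log_line(method:, path:, user_agent:, status:)
  [
    neutralize_log_field(method),
    neutralize_log_field(path),
    status.to_i,
    "\"#{neutralize_log_field(user_agent)}\"",
  ].join(" ")
end

# Detection side: does a raw log record still carry an unescaped line break?
# A logger that neutralises correctly never emits one.
def contains_raw_line_break?(line)
  line.match?(/\r|\n/)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed User-Agent that tries to forge a second, innocent-looking entry.
  forged = "Mozilla/5.0\r\n127.0.0.1 GET /admin 200 \"forged\""
  line = access_log_line(method: "GET", path: "/", user_agent: forged, status: 200)
  puts line
  puts "written as a single line: #{!contains_raw_line_break?(line)}"
end
```

Escaping to a visible `\r` / `\n` rather than silently dropping the characters keeps the evidence of the injection attempt in the log, which is what an analyst wants when reviewing it later.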

The most alarming of the three, CVE-2025-27610, can be exploited to access configuration files, private credentials, and other confidential data—paving the way for serious data breaches.

At the core of the issue is how Rack::Static handles file paths. Normally used to serve static content like images or JavaScript files, Rack::Static does not sanitize user-provided file paths. When developers don’t explicitly define a :root parameter, Rack defaults to the current working directory (via Dir.pwd)—making it the effective web root. If this default or the :root is misconfigured, it becomes possible for an attacker to climb directories and access files they shouldn’t be able to see.

With the right crafted path, an attacker could bypass security boundaries and read files far outside the scope of the intended static assets.
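The defect described above is the absence of a containment check between "resolve the requested path against the web root" and "open the file". The following is an added example, not Rack's own Rack::Static implementation, of that check and of a minimal Rack-style middleware that applies it with an explicitly configured root instead of the process's working directory. The root and request paths are constructed; no files are read in the checks themselves.

```ruby
# Added illustration (not Rack's Rack::Static): resolve a request path against
# a fixed web root and return the absolute file path, or nil if the resolved
# path would leave the root. Root and request paths here are constructed.
require "uri"

def resolve_static_path(root, path_info)
  # Percent-decode first so "%2e%2e" is treated the same as "..".
  decoded = URI.decode_www_form_component(path_info.to_s)
  return nil if decoded.include?("\0")

  root_abs = File.expand_path(root)
  candidate = File.expand_path(File.join(root_abs, decoded))

  # The resolved path must be the root itself or sit strictly inside it.
  # A prefix test alone is not enough: "/srv/public_html" begins with
  # "/srv/public" but is outside it, hence the trailing separator.
  inside = candidate == root_abs || candidate.start_with?(root_abs + File::SEPARATOR)
  inside ? candidate : nil
end

# Any object responding to call(env) is a Rack app, so this middleware runs
# without the rack gem. It requires an explicit root (there is no default to
# Dir.pwd) and serves only paths that resolve inside that root.
class GuardedStatic
  def initialize(app, root:)
    @app = app
    @root = File.expand_path(root)
  end

  def call(env)
    path = resolve_static_path(@root, env["PATH_INFO"])
    return [403, { "content-type" => "text/plain" }, ["forbidden\n"]] if path.nil?

    if File.file?(path)
      [200, { "content-type" => "application/octet-stream" }, [File.binread(path)]]
    else
      @app.call(env) # not a static asset: fall through to the application
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  root = "/srv/public" # constructed root, need not exist for the check
  ["/css/app.css", "/../../etc/passwd", "/..%2f..%2fetc%2fpasswd", "/../public_html/x"].each do |p|
    puts format("%-28s -> %s", p, resolve_static_path(root, p).inspect)
  end
end
```

The operational counterpart to this check is the advice given later in the article: point the static handler at a directory that contains only public assets, so that even a bypassed check cannot reach configuration or credential files.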

According to OPSWAT, this configuration slip is worryingly common and easy to overlook, especially in development or staging environments. Without proper safeguards, even a minor misstep can open the door to unauthenticated access.

For those unable to patch immediately, OPSWAT advises removing Rack::Static entirely or restricting its root to a carefully controlled directory containing only public assets.

This disclosure follows the discovery of a separate high-risk issue in Infodraw’s Media Relay Service (MRS). Security researcher Tim Philipp Schäfers uncovered a path traversal flaw (CVE-2025-43928, CVSS 9.8) that allows attackers to read or delete arbitrary files from both Windows and Linux systems.

Infodraw’s mobile surveillance hardware is widely used across sectors such as law enforcement, public transportation, and fleet management. The bug can be triggered by crafting a login request with a username like "../../../../", giving attackers immediate access to sensitive data—or worse, the ability to delete critical files.

Despite the severity of this vulnerability, Infodraw has yet to issue a patch. In response, systems in Belgium and Luxembourg were taken offline as a precaution.

Until a fix is available, experts recommend disconnecting vulnerable systems entirely or, at minimum, isolating them behind VPNs and IP whitelisting.
