    New Vulnerabilities Found in Rack::Static Allow Unauthorized Access and Data Manipulation on Ruby Servers

    Security researchers have disclosed three vulnerabilities in Rack, the Ruby web server interface layer, which under specific conditions could allow attackers to read files outside the intended static directory and to forge or distort server log entries.

    The identified vulnerabilities are:

    • CVE-2025-27610 (CVSS 7.5): A path traversal flaw in Rack::Static that could allow attackers to read any file under the directory the middleware serves from, provided they can guess or determine the correct file paths.

    • CVE-2025-27111 (CVSS 6.9): Improper neutralization of CRLF (Carriage Return Line Feed) sequences in a request header value that Rack::Sendfile writes to the log, letting attackers terminate a log line early and append forged entries.

    • CVE-2025-25184 (CVSS 5.7): A similar CRLF injection in Rack::CommonLogger, where the unsanitized username from an Authorization header reaches the access log and can be used to inject fabricated entries.

    Successful exploitation could let a threat actor read files that were never meant to be public, such as application source and configuration, and write forged lines into logs to hide their own activity or mislead anyone investigating it.
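To make the two CRLF issues concrete, here is an added example (not Rack's own code) of a vulnerable access-log formatter beside a neutralised one. The attacker-controlled value is a constructed basic-auth username; the same neutralisation applies to any request-derived field, such as a header value, that ends up in a log line.

```ruby
# Added example, not Rack's own code: a vulnerable log formatter beside a
# neutralised one, driven by a constructed attacker-controlled value.
module LogInjectionDemo
  module_function

  # Constructed sample: an attacker supplies this as the HTTP basic-auth
  # username. The embedded CRLF ends the real entry and starts a forged one
  # that attributes an admin action to a different client address.
  ATTACKER_USER = "guest\r\n203.0.113.9 - admin \"POST /admin/users HTTP/1.1\" 200"

  # Vulnerable (illustrative): request-derived fields are interpolated verbatim.
  def vulnerable_log_line(remote_ip, user, request_line, status)
    "#{remote_ip} - #{user} \"#{request_line}\" #{status}\n"
  end

  # Neutralise every control character (CR, LF, NUL, ESC, ...) by rewriting
  # it as a visible \xNN escape, so a value can never break out of its line.
  def neutralize(value)
    value.gsub(/[\x00-\x1f\x7f]/) { |c| format("\\x%02X", c.ord) }
  end

  # Hardened formatter: same layout, untrusted fields pass through neutralize.
  def safe_log_line(remote_ip, user, request_line, status)
    "#{remote_ip} - #{neutralize(user)} \"#{neutralize(request_line)}\" #{status}\n"
  end

  # How many entries a line-oriented log reader (grep, a SIEM parser) would see.
  def entry_count(text)
    text.split(/\r?\n/).reject(&:empty?).size
  end
end

if $PROGRAM_NAME == __FILE__
  args = ["198.51.100.7", LogInjectionDemo::ATTACKER_USER, "GET /login HTTP/1.1", 401]
  puts LogInjectionDemo.vulnerable_log_line(*args) # two entries, the second one forged
  puts LogInjectionDemo.safe_log_line(*args)       # one entry, CRLF visible as \x0D\x0A
end
```

The vulnerable formatter yields two log entries from one request, and the forged one is indistinguishable from a genuine line to any tool that splits on newlines. Escaping rather than stripping control characters keeps the evidence of the attempt in the log.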

    The most severe, CVE-2025-27610, could let unauthenticated attackers retrieve sensitive data such as configuration files, credentials, and private documents. The issue arises because Rack::Static, the middleware used to serve static assets like images and scripts, did not properly sanitize the request path before mapping it onto the filesystem. If the :root option is not set explicitly, it defaults to the process's current working directory (Dir.pwd), which in a typical deployment is the application root rather than the public assets folder, so the set of reachable files widens to the whole application tree.

    When :root is missing, or is configured so that it does not line up with the :urls prefixes, crafted paths can reach files outside the intended public directory.

    Mitigation Advice:
    Update to a patched Rack release; the fixes for all three issues are included in Rack 2.2.13, 3.0.14 and 3.1.12 and later. If updating immediately is not possible, either stop using Rack::Static or set :root explicitly to a directory that contains only publicly served content. Note that Rack::Static joins the request path onto :root, so a request for /assets/app.js is served from <root>/assets/app.js: :root should be the directory that contains the assets folder (typically public), not the assets folder itself, and nothing sensitive should live beneath it.
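The following added example (illustrative code, not Rack's implementation) puts a naive static-file resolver next to a hardened one to show the two conditions described above: an implicit Dir.pwd root, and a decoded request path that is never checked for containment. The hardened version is the check to apply when auditing any static-serving code, and the commented config.ru lines show the weak and corrected settings. The URL prefixes, the root directory name and the attack path are assumptions for the demonstration.

```ruby
# Added example, not Rack's code. In config.ru terms, the weak setting is
#   use Rack::Static, urls: ["/assets"]                    # root falls back to Dir.pwd
# and the corrected one is
#   use Rack::Static, urls: ["/assets"], root: "public"    # public/ holds only public files
module StaticResolver
  module_function

  # Decode %XX escapes once, the way a server sees the path (ASCII sample input;
  # no "+" to space handling, since this is a path, not a form field).
  def percent_decode(path)
    path.gsub(/%([0-9a-fA-F]{2})/) { $1.hex.chr }
  end

  # Does the request fall under one of the configured URL prefixes?
  def matches_urls?(request_path, urls)
    urls.any? do |u|
      u == "/" || request_path == u || request_path.start_with?(u.chomp("/") + "/")
    end
  end

  # Naive resolver (illustrative): falls back to the working directory when
  # :root is not given and joins the decoded path to it without any check.
  def naive_resolve(request_path, urls:, root: nil)
    return nil unless matches_urls?(request_path, urls)
    File.join(root || Dir.pwd, percent_decode(request_path))
  end

  # Hardened resolver: :root is mandatory, the decoded path is canonicalised
  # against it, and anything that leaves root (or carries NUL) is refused.
  def safe_resolve(request_path, urls:, root:)
    return nil unless matches_urls?(request_path, urls)
    decoded = percent_decode(request_path)
    return nil if decoded.include?("\0")

    root_abs = File.expand_path(root)
    relative = decoded.sub(%r{\A/+}, "")
    # Prefix "./" so a path starting with "~" cannot trigger home-directory
    # expansion inside File.expand_path.
    candidate = File.expand_path(File.join(".", relative), root_abs)
    inside = candidate == root_abs || candidate.start_with?(root_abs + File::SEPARATOR)
    inside ? candidate : nil
  end
end

if $PROGRAM_NAME == __FILE__
  attack = "/assets/..%2f..%2fconfig%2fdatabase.yml"  # constructed traversal request
  puts StaticResolver.naive_resolve(attack, urls: ["/assets"])                 # escapes the tree
  p StaticResolver.safe_resolve(attack, urls: ["/assets"], root: "public")     # nil
  p StaticResolver.safe_resolve("/assets/app.js", urls: ["/assets"], root: "public")
end
```

The naive resolver hands back a path that climbs out of the working directory with "../" segments, which is exactly what a file-serving layer must never do; the hardened one canonicalises first and compares against the root with a trailing separator, so a sibling directory such as public-old cannot pass as being inside public.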


    Separate Discovery: Severe Flaws Found in Infodraw Media Relay Service

    Additionally, researchers have identified a critical path traversal vulnerability (CVE-2025-43928, CVSS 9.8) in Infodraw’s Media Relay Service (MRS), which could allow unauthenticated attackers to read or delete arbitrary files on affected systems simply by manipulating the username field on the login page.

    Infodraw provides mobile video surveillance solutions used by law enforcement, transportation, and fleet management sectors. The vulnerability impacts both Windows and Linux deployments of MRS and currently remains unpatched.

    In response to responsible disclosure efforts, some exposed systems in Belgium and Luxembourg have been taken offline. Organizations running the affected software are urged to disconnect vulnerable services from the internet immediately, or to place them behind additional network controls such as a VPN or an IP allow-list, until an official fix becomes available.
