Rack Directory Component Regular Expression Interpolation Vulnerability Leading to Directory Path Disclosure

Vulnerability

A vulnerability in the Rack web server interface, specifically in the Rack::Directory component, allows unintentional disclosure of the full filesystem path when the configured directory root contains regular expression metacharacters. This issue is present in Rack versions prior to 2.2.23, 3.1.21, and 3.2.6. The vulnerability arises because the root path is interpolated directly into a regular expression without escaping, so the prefix-stripping step can fail to match the root it was meant to remove. As a result, the absolute filesystem path may be emitted in the HTML output of the directory listing, revealing sensitive internal details such as directory structures, usernames, and deployment conventions.

Impact

Exploitation of this vulnerability can lead to unauthorized disclosure of the full server filesystem path in the HTML directory listing, instead of a request-relative path. This exposure can reveal internal details about the server's directory layout, usernames, mount points, or naming conventions that are typically not visible to clients.

Remediation

Update to Rack 2.2.23, 3.1.21, or 3.2.6, where this vulnerability has been patched. Alternatively, avoid using Rack::Directory with root paths that include regular expression metacharacters.
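The following is an added example, not Rack's own Rack::Directory source. It reproduces the class of defect described above (a directory root interpolated into a regular expression without escaping) beside the corrected form using Regexp.escape, and includes a conservative check that mirrors the workaround of avoiding roots with metacharacters. The function names, the sample roots, and the sample paths are all constructed for illustration.

```ruby
# Added example (not Rack's own Rack::Directory code): reproduces the class of
# defect the advisory describes, a directory root interpolated into a regular
# expression without escaping, and the corrected form using Regexp.escape.
# All roots and paths below are constructed sample values.

# Flawed prefix stripping: any regex metacharacter in `root` changes the
# pattern's meaning, so the root may no longer match its own literal text.
def strip_root_unescaped(root, full_path)
  full_path.sub(/\A#{root}/, "")
end

# Hardened prefix stripping: Regexp.escape makes `root` match literally.
def strip_root_escaped(root, full_path)
  full_path.sub(/\A#{Regexp.escape(root)}/, "")
end

# Conservative deployment check mirroring the advisory's workaround: true when
# the root contains any character Regexp.escape would escape.
def root_has_regex_metachars?(root)
  Regexp.escape(root) != root
end

# Simulates the href a listing would emit for a file under `root`. Returns the
# request-relative path when stripping succeeded, or the leaked absolute path
# when it did not.
def listing_href(root, full_path, escaped: true)
  rel = escaped ? strip_root_escaped(root, full_path) : strip_root_unescaped(root, full_path)
  rel.empty? ? "/" : rel
end

# True when the unescaped form leaks the absolute path for this root.
def leaks_absolute_path?(root, full_path)
  listing_href(root, full_path, escaped: false) == full_path
end

if __FILE__ == $0
  samples = [
    ["/srv/app+data", "/srv/app+data/uploads/report.txt"], # '+' is a quantifier
    ["/var/www(old)", "/var/www(old)/index.html"],         # parentheses form a group
    ["/srv/site.v2",  "/srv/site.v2/index.html"],          # '.' still matches itself
    ["/srv/plain",    "/srv/plain/index.html"]             # no metacharacters
  ]
  samples.each do |root, path|
    puts "root=#{root}"
    puts "  metachars?  #{root_has_regex_metachars?(root)}"
    puts "  unescaped:  #{listing_href(root, path, escaped: false)}"
    puts "  escaped:    #{listing_href(root, path)}"
    puts "  leaks?      #{leaks_absolute_path?(root, path)}"
  end
end
```

Running the script shows that a root such as `/srv/app+data` or `/var/www(old)` never matches its own text under the unescaped pattern, so the absolute path survives into the listing, while `/srv/site.v2` happens to still match because `.` matches a literal dot. The `root_has_regex_metachars?` check is deliberately conservative: it flags every character Regexp.escape touches (including `-`), not only those that actually break matching, which is the safer side to err on when choosing a root.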

Added: Apr 2, 2026, 7:30 PM
Updated: Apr 2, 2026, 7:30 PM

Vulnerability Rating

Custom Algorithm
spread: 7.3
impact: 0.6
exploitability: 7.4
remediation: 7.9
relevance: 5.1
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.