Rack Information Disclosure Vulnerability in Rack::Static Component

Vulnerability

A vulnerability in the Rack web server interface, specifically in the Rack::Static component, prior to versions 2.2.23, 3.1.21, and 3.2.6, allows unintended information disclosure. Rack::Static decides whether to serve a request as a static file using a plain string-prefix comparison against the configured URL prefixes, with no requirement that a path-segment boundary follow the prefix. Any file under the static root whose path merely begins with a configured prefix, such as '/css', is therefore served, potentially exposing sensitive information such as configuration files, secrets, backups, or environment files.

Impact

Exploitation of this vulnerability could result in the unintentional disclosure of sensitive files under the static root, including configuration files, secrets, backups, environment files, or other unintended static content.

Reproduction

To reproduce this vulnerability, configure an affected version of Rack::Static with a URL prefix such as '/css'. Because the prefix check does not require a path-segment boundary after the prefix, the same mapping also matches unrelated files such as '/css-config.env' or '/css-backup.sql' if they exist under the static root.
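The following Ruby snippet is an added illustration, not Rack's own code: it contrasts a naive string-prefix check with one that requires a path-segment boundary after the prefix, over a constructed set of file paths assumed to exist under the static root.

```ruby
# Added illustration (not Rack's own implementation): naive prefix matching
# versus boundary-aware prefix matching for static URL mappings.

# Naive check: any path that merely begins with the prefix string matches,
# so '/css' also matches '/css-config.env' and '/css-backup.sql'.
def naive_prefix_match?(prefix, path)
  path.start_with?(prefix)
end

# Boundary-aware check: after the prefix the path must either end or continue
# with '/', so '/css' matches '/css/app.css' but not '/css-config.env'.
def boundary_prefix_match?(prefix, path)
  prefix = prefix.chomp('/')
  return true if path == prefix
  path.start_with?(prefix + '/')
end

# Return the requested paths that would be served as static files under the
# configured prefixes, using either the naive or the boundary-aware rule.
def served_paths(prefixes, paths, strict:)
  paths.select do |path|
    prefixes.any? do |prefix|
      strict ? boundary_prefix_match?(prefix, path) : naive_prefix_match?(prefix, path)
    end
  end
end

# Constructed sample (assumed layout under the static root; not from the advisory).
SAMPLE_PATHS = %w[/css/app.css /css-config.env /css-backup.sql /js/app.js /index.html].freeze
PREFIXES = %w[/css /js].freeze

if __FILE__ == $PROGRAM_NAME
  puts "naive:  #{served_paths(PREFIXES, SAMPLE_PATHS, strict: false).inspect}"
  puts "strict: #{served_paths(PREFIXES, SAMPLE_PATHS, strict: true).inspect}"
end
```

The naive rule serves '/css-config.env' and '/css-backup.sql' alongside the intended assets; the boundary-aware rule serves only '/css/app.css' and '/js/app.js'.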

Remediation

Users are advised to update Rack to version 2.2.23, 3.1.21, or 3.2.6, which include the necessary patch. Additionally, avoid placing sensitive files under the Rack::Static root directory and prefer static URL mappings that do not overlap with sensitive filenames.

Added: Apr 2, 2026, 5:56 PM
Updated: Apr 2, 2026, 5:56 PM

Vulnerability Rating

Custom Algorithm
spread: 7.3
impact: 0.6
exploitability: 8.1
remediation: 7.9
relevance: 5.1
threat: 1.6
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.