Rack URL-Encoding Vulnerability Allows Header Bypass in Rack::Static

Vulnerability

A vulnerability exists in Rack, the Ruby web server interface, in versions prior to 2.2.23, 3.0, 3.1.21, and 3.2.6. The issue lies in the Rack::Static component: header_rules are evaluated against a different form of the request path than the decoded path used to locate the file, so URL-encoded and decoded paths are treated inconsistently. As a result, security headers configured through header_rules can be bypassed for static files. In deployments that rely on Rack::Static to apply important response headers, an attacker could request a URL-encoded variant of a static file path and receive the file without the intended headers.

Impact

Bypassing security-relevant response headers for static content served through Rack::Static. This could undermine protections such as clickjacking defenses or content restrictions, depending on the specific header_rules configured and the types of files being served.

Remediation

Users are advised to update to Rack versions 2.2.23, 3.1.21, or 3.2.6. For applications that depend on Rack::Static header_rules for security headers, consider applying these headers at the reverse proxy or web server level, where they can consistently address both encoded and unencoded paths. Additionally, normalize or reject encoded path variants for static content at the edge, when possible.
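The mismatch described above, and the normalize-or-reject remediation, as an added illustration (this is a simplified model written for this page, not Rack's own Rack::Static code; the rule set, the decoding helper and the two header functions are constructed for the example):

```ruby
# Simplified model of Rack::Static-style header_rules evaluation (illustrative,
# not Rack's own implementation). A rule is [matcher, headers]; the matcher is
# :all, a String path prefix, or a Regexp. Constructed sample rules:
RULES = [
  [:all,             { "cache-control" => "public, max-age=31536000" }],
  ["/assets",        { "x-frame-options" => "DENY" }],
  [/\.(?:js|css)\z/, { "content-security-policy" => "default-src 'none'" }],
].freeze

# Decode %XX sequences exactly once; work on bytes so multibyte UTF-8 survives.
def percent_decode(path)
  path.b.gsub(/%([0-9A-Fa-f]{2})/) { $1.hex.chr }.force_encoding(Encoding::UTF_8)
end

# Collect the headers of every rule whose matcher hits the given path.
def matching_headers(path, rules)
  rules.each_with_object({}) do |(matcher, headers), acc|
    hit = case matcher
          when :all    then true
          when String  then path.start_with?(matcher)
          when Regexp  then matcher.match?(path)
          else false
          end
    acc.merge!(headers) if hit
  end
end

# Vulnerable pattern: rules are matched against the raw, still-encoded
# PATH_INFO while the file is located by its decoded name, so a request for
# "/%61ssets/app%2Ejs" serves assets/app.js with only the :all headers.
def headers_vulnerable(raw_path, rules = RULES)
  matching_headers(raw_path, rules)
end

# Hardened pattern: decode first, reject anything still non-canonical (a
# leftover "%" from double encoding, or a ".." segment) by returning nil so the
# caller can answer 400/404, and only then evaluate rules on the decoded path.
def headers_hardened(raw_path, rules = RULES)
  decoded = percent_decode(raw_path)
  return nil if decoded.include?("%") || decoded.split("/").include?("..")
  matching_headers(decoded, rules)
end

if __FILE__ == $PROGRAM_NAME
  ["/assets/app.js", "/%61ssets/app%2Ejs"].each do |p|
    puts "#{p}: vulnerable=#{headers_vulnerable(p).keys} hardened=#{headers_hardened(p)&.keys}"
  end
end
```

A nil result from headers_hardened is the signal to refuse the request rather than serve the file, which is the "reject encoded path variants" option from the remediation.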

Added: May 3, 2026, 11:22 AM
Updated: May 3, 2026, 11:22 AM

Vulnerability Rating

Custom Algorithm

Metric          Score
spread          7.3
impact          0.6
exploitability  8.1
remediation     7.9
relevance       5.2
threat          0.0
urgency         2.9
incentive       8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.