Rack Regular Expression Injection Vulnerability in X-Accel-Redirect Handling

Vulnerability

Rack::Sendfile, in Rack versions before 2.2.23, 3.1.21, and 3.2.6, reads the X-Accel-Mapping request header to translate the path of a file the application wants served into the value it emits in the X-Accel-Redirect response header. Each mapping's internal prefix is interpolated directly into a regular expression without escaping (no Regexp.escape), so regex metacharacters in the header are interpreted as pattern syntax instead of as literal path characters. An attacker who can set X-Accel-Mapping can therefore control the resulting X-Accel-Redirect value. In deployments that use Rack::Sendfile with X-Accel-Redirect, Nginx resolves that value against its internal locations and may serve a file the application never intended to expose.

Impact

Exploitation lets an attacker read files through Nginx from internal locations that are not meant to be publicly reachable, which can expose sensitive data. The attacker does not need to bypass the application's own access checks on the requested resource; the rewrite happens after the application has already decided to send a file.

Reproduction

The vulnerability can be reproduced by sending a request whose X-Accel-Mapping header contains a mapping with regex metacharacters in its internal (left-hand) part, to an endpoint that responds with a file body. If the header reaches a Rack application running Rack::Sendfile in X-Accel-Redirect mode, the metacharacters widen the match and the substitution replaces the file path with the attacker's chosen target, so the X-Accel-Redirect header sent back to Nginx names a file of the attacker's choosing rather than the one the application selected. Deployments whose reverse proxy already sets or strips X-Accel-Mapping before forwarding the request are not reachable this way.
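The following Ruby is an added example, not Rack's own source, that models the header handling described in the Vulnerability and Reproduction sections: a simplified mapper that rewrites a file path using "internal=external" pairs from X-Accel-Mapping, once with the prefix interpolated unescaped (the flaw) and once with Regexp.escape applied (the fix), plus the header that a sendfile step would emit. The comma-separated "internal=external" header format, the case-insensitive match, the sample paths and the attacker header are all assumptions made for the example.

```ruby
# Added illustrative code (not Rack's source): a simplified model of
# X-Accel-Mapping handling, vulnerable form beside the escaped form.
# Assumed header format: "internal1=external1, internal2=external2".

# Parse "internal=external" pairs from a (possibly client-supplied) header.
def parse_accel_mappings(header)
  header.to_s.split(',').map(&:strip).reject(&:empty?).map do |m|
    m.split('=', 2).map(&:strip)
  end
end

# Vulnerable: the internal prefix is dropped into the regex verbatim, so
# metacharacters such as ".*" act as pattern syntax instead of literal text.
def accel_path_vulnerable(path, mapping_header)
  parse_accel_mappings(mapping_header).each do |internal, external|
    rewritten = path.sub(/^#{internal}/i, external.to_s)
    return rewritten unless rewritten == path
  end
  path
end

# Fixed: Regexp.escape makes the prefix match only itself, character for
# character, so the header can only strip a literal leading path prefix.
def accel_path_fixed(path, mapping_header)
  parse_accel_mappings(mapping_header).each do |internal, external|
    rewritten = path.sub(/^#{Regexp.escape(internal)}/i, external.to_s)
    return rewritten unless rewritten == path
  end
  path
end

# Simulated sendfile step: the rewritten path becomes the X-Accel-Redirect
# response header and the body is dropped; Nginx then resolves that header
# against its `internal` locations. Returns only the response headers.
def sendfile_headers(path, mapping_header, escaped:)
  target = if escaped
             accel_path_fixed(path, mapping_header)
           else
             accel_path_vulnerable(path, mapping_header)
           end
  { 'x-accel-redirect' => target, 'content-length' => '0' }
end

if __FILE__ == $0
  body_path = '/var/www/files/report.pdf'    # constructed: file the app chose
  trusted   = '/var/www/files/=/protected/'  # constructed: what a proxy sets
  hostile   = '.*=/internal/secret.txt'      # constructed: attacker header

  puts "trusted, vulnerable:  #{accel_path_vulnerable(body_path, trusted)}"
  puts "trusted, fixed:       #{accel_path_fixed(body_path, trusted)}"
  puts "hostile, vulnerable:  #{accel_path_vulnerable(body_path, hostile)}"
  puts "hostile, fixed:       #{accel_path_fixed(body_path, hostile)}"
  p sendfile_headers(body_path, hostile, escaped: false)
end
```

With the trusted header both versions produce `/protected/report.pdf`. With the hostile header the unescaped version matches the whole path against `^.*` and emits `/internal/secret.txt` as the X-Accel-Redirect target, while the escaped version looks for a literal `.*` prefix, finds none, and leaves the path untouched (in a real deployment Nginx would then get the original application path and serve nothing unless a location matches it).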

Remediation

Users are advised to update Rack to version 2.2.23, 3.1.21, or 3.2.6 (or later in each series), where the mapping prefix is escaped before being used in the regular expression. Independently of the upgrade, X-Accel-Mapping should be set or stripped at the reverse proxy so that client-supplied values never reach Rack; in Nginx this means setting the header to a fixed trusted value with proxy_set_header, or to an empty value to drop it. Treating the header as trusted only when the proxy controls it is good hygiene even on patched versions.

Added: Apr 2, 2026, 5:51 PM
Updated: Apr 2, 2026, 5:51 PM

Vulnerability Rating

Custom Algorithm
spread: 7.3
impact: 2.5
exploitability: 8.1
remediation: 7.9
relevance: 5.1
threat: 1.6
urgency: 2.9
incentive: 8.3

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.