Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, a possible information disclosure vulnerability existed in `Rack::Sendfile` when running behind a proxy that supports `x-sendfile` headers (such as Nginx). Specially crafted headers could cause `Rack::Sendfile` to miscommunicate with the proxy and trigger unintended internal requests, potentially bypassing proxy-level access restrictions. When `Rack::Sendfile` received untrusted `x-sendfile-type` or `x-accel-mapping` headers from a client, it would interpret them as proxy configuration directives. This could cause the middleware to send a "redirect" response to the proxy, prompting it to reissue a new internal request that was not subject to the proxy's access controls. An attacker could exploit this by setting a crafted `x-sendfile-type: x-accel-redirect` header, setting a crafted `x-accel-mapping` header, and requesting a path that qualifies for proxy-based acceleration. Attackers could bypass proxy-enforced restrictions and access internal endpoints intended to be protected (such as administrative pages). The vulnerability did not allow arbitrary file reads but could expose sensitive application routes. This issue only affected systems meeting all of the following conditions: The application used `Rack::Sendfile` with a proxy that supports `x-accel-redirect` (e.g., Nginx); the proxy did **not** always set or remove the `x-sendfile-type` and `x-accel-mapping` headers; and the application exposed an endpoint that returned a body responding to `.to_path`. Users should upgrade to Rack versions 2.2.20, 3.1.18, or 3.2.3, which require explicit configuration to enable `x-accel-redirect`. Alternatively, configure the proxy to always set or strip the header, or in Rails applications, disable sendfile completely.

The remote Fedora 41 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-a35addbf9b advisory.

    Update to Rack 2.2.21



Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 43 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-b6e0f437b6 advisory.

    Update to Rack 3.1.19

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Fedora 42 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2025-eae2126736 advisory.

    Update to Rack 2.2.21

Tenable has extracted the preceding description block directly from the Fedora security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 12 / 13 host has a package installed that is affected by multiple vulnerabilities as referenced in the dsa-6048 advisory.

    - -------------------------------------------------------------------------     Debian Security Advisory DSA-6048-1                   security@debian.org     https://www.debian.org/security/                       Moritz Muehlenhoff     November 03, 2025                     https://www.debian.org/security/faq
    - -------------------------------------------------------------------------

    Package        : ruby-rack     CVE ID         : CVE-2025-61770 CVE-2025-61771 CVE-2025-61772                      CVE-2025-61780 CVE-2025-61919

    Multiple security issues were found in Rack, an interface for developing     web applications in Ruby, which could result in denial of service or     proxy bypass.

    For the oldstable distribution (bookworm), these problems have been fixed     in version 2.2.20-0+deb12u1.

    For the stable distribution (trixie), these problems have been fixed in     version 3.1.18-1~deb13u1.

    We recommend that you upgrade your ruby-rack packages.

    For the detailed security status of ruby-rack please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/ruby-rack

    Further information about Debian Security Advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://www.debian.org/security/

    Mailing list: debian-security-announce@lists.debian.org

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The remote Debian 11 host has a package installed that is affected by multiple vulnerabilities as referenced in the dla-4357 advisory.

    - -----------------------------------------------------------------------     Debian LTS Advisory DLA-4357-1              debian-lts@lists.debian.org     https://www.debian.org/lts/security/                      Utkarsh Gupta     November 01, 2025                           https://wiki.debian.org/LTS
    - -----------------------------------------------------------------------

    Package        : ruby-rack     Version        : 2.1.4-3+deb11u4     CVE ID         : CVE-2025-32441 CVE-2025-46727 CVE-2025-59830                      CVE-2025-61770 CVE-2025-61771 CVE-2025-61772                      CVE-2025-61780 CVE-2025-61919     Debian Bug     : 1104927 1116431 1117855 1117856 1117627 1117628

    Multiple vulnerabilities were found in ruby-rack, a modular Ruby     webserver interface, as follows:

      - CVE-2025-32441: Rack session can be restored after deletion.
      - CVE-2025-46727: Unbounded parameter parsing in Rack::QueryParser         can lead to memory exhaustion.
      - CVE-2025-59830: Unbounded parameter parsing in Rack::QueryParser         can lead to memory exhaustion via semicolon-separated parameters.
      - CVE-2025-61770: Unbounded multipart preamble buffering enables         DoS (memory exhaustion).
      - CVE-2025-61771: Multipart parser buffers large nonfile fields         entirely in memory, enabling DoS (memory exhaustion).
      - CVE-2025-61772: Multipart parser buffers unbounded per-part         headers, enabling DoS (memory exhaustion).
      - CVE-2025-61919: Unbounded read in Rack::Request form parsing can         lead to memory exhaustion.
      - CVE-2025-61780: Improper handling of headers in Rack::Sendfile         may allow proxy bypass.

    For Debian 11 bullseye, these problems have been fixed in version     2.1.4-3+deb11u4.

    We recommend that you upgrade your ruby-rack packages.

    For the detailed security status of ruby-rack please refer to     its security tracker page at:
    https://security-tracker.debian.org/tracker/ruby-rack

    Further information about Debian LTS security advisories, how to apply     these updates to your system and frequently asked questions can be     found at: https://wiki.debian.org/LTS

Tenable has extracted the preceding description block directly from the Debian security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available.

  - Rack is a modular Ruby web server interface. Prior to versions 2.2.20, 3.1.18, and 3.2.3, a possible     information disclosure vulnerability existed in `Rack::Sendfile` when running behind a proxy that supports     `x-sendfile` headers (such as Nginx). Specially crafted headers could cause `Rack::Sendfile` to     miscommunicate with the proxy and trigger unintended internal requests, potentially bypassing proxy-level     access restrictions. When `Rack::Sendfile` received untrusted `x-sendfile-type` or `x-accel-mapping`     headers from a client, it would interpret them as proxy configuration directives. This could cause the     middleware to send a redirect response to the proxy, prompting it to reissue a new internal request that     was not subject to the proxy's access controls. An attacker could exploit this by setting a crafted     `x-sendfile-type: x-accel-redirect` header, setting a crafted `x-accel-mapping` header, and requesting a     path that qualifies for proxy-based acceleration. Attackers could bypass proxy-enforced restrictions and     access internal endpoints intended to be protected (such as administrative pages). The vulnerability did     not allow arbitrary file reads but could expose sensitive application routes. This issue only affected     systems meeting all of the following conditions: The application used `Rack::Sendfile` with a proxy that     supports `x-accel-redirect` (e.g., Nginx); the proxy did **not** always set or remove the `x-sendfile-     type` and `x-accel-mapping` headers; and the application exposed an endpoint that returned a body     responding to `.to_path`. Users should upgrade to Rack versions 2.2.20, 3.1.18, or 3.2.3, which require     explicit configuration to enable `x-accel-redirect`. Alternatively, configure the proxy to always set or     strip the header, or in Rails applications, disable sendfile completely. (CVE-2025-61780)

Note that Nessus relies on the presence of the package as reported by the vendor.

ID	Name	Product	Family	Severity
275257	Fedora 41 : rubygem-rack (2025-a35addbf9b)	Nessus	Fedora Local Security Checks	high
275256	Fedora 43 : rubygem-rack (2025-b6e0f437b6)	Nessus	Fedora Local Security Checks	medium
275253	Fedora 42 : rubygem-rack (2025-eae2126736)	Nessus	Fedora Local Security Checks	high
272224	Debian dsa-6048 : ruby-rack - security update	Nessus	Debian Local Security Checks	medium
272174	Debian dla-4357 : ruby-rack - security update	Nessus	Debian Local Security Checks	medium
270279	Linux Distros Unpatched Vulnerability : CVE-2025-61780	Nessus	Misc.	medium

Detections

Analytics

CVE-2025-61780

medium

Tenable Plugins

high

medium

high

medium

medium

medium