Ruby Servers at Risk From Rack::Static Flaws, Experts Warn
Security researchers have uncovered a trio of vulnerabilities in Rack, a popular Ruby web server interface, that could expose sensitive data. Exploiting these flaws could allow attackers to pilfer files, inject malicious content, and even tamper with server logs under specific configurations.

Cybersecurity researchers have just revealed three security holes in Rack, the Ruby web server interface. If exploited, these flaws could give attackers unauthorized access to files, let them inject nasty data, and even mess with your logs. Yikes!
OPSWAT, a cybersecurity vendor, flagged these vulnerabilities. Here's a quick rundown:
- CVE-2025-27610 (CVSS score: 7.5) - This is a path traversal issue. Basically, if an attacker knows the path to a file, they could potentially access any file under the specified root directory.
- CVE-2025-27111 (CVSS score: 6.9) - This one's about improper handling of carriage return line feed (CRLF) sequences. It could allow attackers to manipulate log entries and, well, distort your log files.
- CVE-2025-25184 (CVSS score: 5.7) - Another CRLF issue, this time potentially allowing attackers to inject malicious data into your logs.
So, what's the worst that could happen? Successful exploitation could let attackers cover their tracks, steal files, and inject malicious code.
According to OPSWAT, "Among these vulnerabilities, CVE-2025-27610 is particularly severe, as it could enable unauthenticated attackers to retrieve sensitive information, including configuration files, credentials, and confidential data, thereby leading to data breaches." That's pretty serious!
The root cause? Rack::Static, a middleware used to serve static content, isn't properly sanitizing user-supplied paths. This means a crafty attacker could use a specially crafted path to access files outside the intended static file directory.
OPSWAT explains, "Specifically, when the :root parameter is not explicitly defined, Rack defaults this value to the current working directory by assigning it the value of Dir.pwd, implicitly designating it as the web root directory for the Rack application."
In other words, if the :root option isn't set up correctly, an attacker could exploit CVE-2025-27610 to access sensitive files outside the web directory.
What should you do? Update to the latest version ASAP! If you can't patch immediately, consider removing Rack::Static or ensuring that the :root parameter points to a directory containing only publicly accessible files.
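To make the :root point concrete, here is an added Ruby illustration (not code from OPSWAT's advisory or from the Rack project): it shows how an unset :root silently falls back to Dir.pwd, and a containment check that only serves a file when its resolved path stays under an explicitly configured public directory. The directory layout and the `config.yml` contents are constructed for the demo.

```ruby
require "tmpdir"
require "fileutils"

# Mirror the behaviour the advisory describes: when :root is not given,
# the process's current working directory becomes the web root.
def effective_root(options)
  options.fetch(:root) { Dir.pwd }
end

# Resolve request_path against root and return the absolute file path only
# if it stays inside root; otherwise return nil. Normalising with
# File.expand_path handles "..", repeated slashes and "./" segments, and
# File.realpath catches a symlink inside root that points outside it.
def resolve_within_root(root, request_path)
  root = File.realpath(File.expand_path(root))
  prefix = File.join(root, "")   # trailing "/" so "public" != "public-old"
  candidate = File.expand_path(request_path.sub(%r{\A/+}, ""), root)
  return nil unless candidate.start_with?(prefix)
  return nil unless File.file?(candidate)
  real = File.realpath(candidate)
  real.start_with?(prefix) ? real : nil
end

# Constructed layout: a public directory with one asset, and a sibling
# config file that must never be served.
def demo_layout
  base = Dir.mktmpdir("rack-static-demo")
  public_dir = File.join(base, "public")
  FileUtils.mkdir_p(public_dir)
  File.write(File.join(public_dir, "app.js"), "console.log('ok');\n")
  File.write(File.join(base, "config.yml"), "secret: constructed-placeholder\n")
  [base, public_dir]
end

def run_demo
  base, public_dir = demo_layout
  results = {
    # Weak setup: no :root given, so Dir.pwd becomes the web root.
    default_root_is_cwd: effective_root({}) == Dir.pwd,
    # Corrected setup: :root names a directory holding only public files.
    asset_served:    !resolve_within_root(public_dir, "/app.js").nil?,
    sibling_blocked:  resolve_within_root(public_dir, "/../config.yml").nil?,
    missing_blocked:  resolve_within_root(public_dir, "/nope.js").nil?,
  }
  FileUtils.remove_entry(base)
  results
end

puts run_demo.inspect if $PROGRAM_NAME == __FILE__
```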
Another Critical Flaw: Infodraw Media Relay Service
And that's not all! A critical vulnerability has been discovered in the Infodraw Media Relay Service (MRS). This flaw (CVE-2025-43928, CVSS score: 9.8) allows attackers to read or delete any file on the system via a path traversal vulnerability in the username parameter of the login page.
Infodraw makes mobile video surveillance solutions used by law enforcement, fleet management, and more. Their website boasts users around the globe.
"A trivial Path Traversal vulnerability allows it to read out any file from systems for unauthenticated attackers," says security researcher Tim Philipp Schäfers. "Furthermore an 'Arbitrary File Deletion Vulnerability' exists that allows attackers to delete any file from the system."
This flaw, triggered by a username like "../../../../," affects both Windows and Linux versions. Unfortunately, a patch isn't yet available. Some vulnerable systems in Belgium and Luxembourg have been taken offline.
Philipp Schäfers advises, "Affected organizations are primarily advised to take the application offline immediately (since, despite early warnings, no manufacturer patch is available, and it is considered possible that the vulnerability will be exploited by malicious actors in the near future)."
If taking the system offline isn't possible, he recommends adding extra protection, such as using a VPN or restricting IP access.