CVE-2026-22860 (rack): Rack has a Directory Traversal via Rack:Directory
    
    
      
        














February...

The RubyLA blog offers insights, tutorials, and community updates for Ruby developers in Los Angeles and beyond. Developers can explore Ruby language features, web development frameworks, and best practices for building Ruby applications. Additionally, the blog covers Ruby meetups, events, and job opportunities in the Los Angeles area, fostering collaboration and networking within the local Ruby community.

RUBYLAND

CVE-2026-22860 is a high-severity (CVSS 7.5) directory traversal vulnerability in Rack's `Rack::Directory` middleware. The flaw stems from a string prefix match in `directory.rb` that uses `start_with?` to validate paths, which fails to enforce proper path boundaries. An attacker can craft a request like `/../root_example/` to escape the configured root and list directories that share the same prefix (e.g., `/var/www/root_backup` when root is `/var/www/root`). This leads to information disclosure via unauthorized directory listing. Patched versions are ~> 2.2.22, ~> 3.1.20, and >= 3.2.5. As a workaround, avoid naming directories with the same prefix as the exposed root.