CVE-2026-34830— Rack 安全漏洞

Rack: Rack::Sendfile regex injection via HTTP_X_ACCEL_MAPPING header allows arbitrary file reads through nginx

Rack is a modular Ruby web server interface. Prior to versions 2.2.23, 3.1.21, and 3.2.6, Rack::Sendfile#map_accel_path interpolates the value of the X-Accel-Mapping request header directly into a regular expression when rewriting file paths for X-Accel-Redirect. Because the header value is not escaped, an attacker who can supply X-Accel-Mapping to the backend can inject regex metacharacters and control the generated X-Accel-Redirect response header. In deployments using Rack::Sendfile with x-accel-redirect, this can allow an attacker to cause nginx to serve unintended files from configured internal locations. This issue has been patched in versions 2.2.23, 3.1.21, and 3.2.6.

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N

宽松定义的正则表达式

Rack 安全漏洞

Rack是Rack开源的一个模块化的Ruby web服务器界面。 Rack 2.2.23之前版本、3.1.21之前版本和3.2.6之前版本存在安全漏洞，该漏洞源于Rack::Sendfile#map_accel_path将X-Accel-Mapping请求标头值直接插入正则表达式而未转义，可能导致文件路径重写不当。

N/A

N/A