All Rack CVEs — Complete Vulnerability History
Rack is the Ruby web server interface — the foundation that Rails, Sinatra, and every Ruby web app runs on. CVEs here affect all Ruby web applications.
Ruby · 8M+ weekly downloads · 5 CVEs total · 1 CRITICAL

Full CVE history

🔴 1 CVE on CISA KEV — actively exploited in real attacks
| CVE | Year | Severity | Description | Fix |
|---|---|---|---|---|
| CVE-2018-16471 | 2018 | MEDIUM | XSS via PATH_INFO in Rack::Directory | Fixed 1.6.11 |
| CVE-2020-8161 | 2020 | HIGH | Directory traversal in Rack::Directory | Fixed 2.1.3 |
| CVE-2022-30122 | 2022 | HIGH | DoS via crafted multipart body | Fixed 2.2.3 |
| CVE-2022-30123 | 2022 | CRITICAL | Shell command injection via newline in PATH_INFO | Fixed 2.2.3 |
| CVE-2023-27530 | 2023 | 🔴 HIGH | DoS via multipart body parsing — CISA KEV | Fixed 3.0.4 |
Current safe version: 3.0.11

```ruby
# Before
gem 'rack', '2.2.2'

# After
gem 'rack', '3.0.11'
```

Then run: `bundle install`
Common questions
Does updating Rails update Rack?
Not necessarily. Rails declares a dependency on Rack with a loose version constraint, so a Rails update may leave a vulnerable Rack in place. Specify rack explicitly in your Gemfile to pin to a safe version, or update Rails to a version that requires a safe Rack.
Is CVE-2022-30123 (shell injection) easy to exploit?
It requires the ability to inject a newline into PATH_INFO — possible if your routing doesn't validate URL paths. Update to 2.2.3+ immediately.